150 likes | 174 Views
Download Complete ISC2 CSSLP Exam Questions and Answers Here: https://dumpsofficial.com/exam/ISC2/csslp-dumps/<br>Get 20% Discount by using SAVE20 Coupen Code.<br><br>DumpsOfficial.com Offers you Actual and Updated CSSLP Exam Questions and Answers verified by ISC2 Experts. Download your CSSLP Exam Questions Copy from DumpsOfficial.com
E N D
ISC2 CSTE Certified Software Test Engineer CSSLP Exam Question & Answer PDF (FREE --- DEMO VERSION) Thank You For Reviewing CSSLP Exam PDF Demo Get Full Version of CSSLP Exam Question Answer PDF Here: https://dumpsofficial.com/exam/ISC2/csslp-dumps/
Question 1 You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditnn the company's network, you are facinn problems in searchinn the faults and other enttes that belonn to it. Which of the followinn risks may occur due to the existence of these problems? A. Residual risk B. Secondary risk C. Detecton risk D. Inherent risk Aoswern C Explanatonn Detecton risks are the risks that an auditor will not be able to fnd what they are lookinn to detect. Hence, it becomes tedious to report nenatie results when material conditons (faults) actually exist. Detecton risk includes two types of riskn Samplinn riskn This risk occurs when an auditor falsely accepts or erroneously rejects an audit sample. Nonsamplinn riskn This risk occurs when an auditor fails to detect a conditon because of not applyinn the appropriate procedure or usinn procedures inconsistent with the audit objecties (detecton faults). Answern A is incorrect. Residual risk is the risk or danner of an acton or an eient, a method or a (technical) process that, althounh beinn abreast with science, stll conceiies these danners, eien if all theoretcally possible safety measures would be applied (scientfcally conceiiable measures). The formula to calculate residual risk is (inherent risk) x (control risk) where inherent risk is (threats iulnerability). In the economic context, residual means "the quantty lef oier at the end of a process; a remainder". Answern D is incorrect. Inherent risk, in auditnn, is the risk that the account or secton beinn audited is materially misstated without considerinn internal controls due to error or fraud. The assessment of inherent risk depends on the professional judnment of the auditor, and it is done afer assessinn the business eniironment of the entty beinn audited. Answern B is incorrect. A secondary risk is a risk that arises as a strainht consequence of implementnn a risk response. The secondary risk is an outcome of dealinn with the orininal risk. Secondary risks are not as rinorous or important as primary risks, but can turn out to be so if not estmated and planned properly. Question 2 The Natonal Informaton Assurance Certfcaton and Accreditaton Process (NIACAP) is the minimum standard process for the certfcaton and accreditaton of computer and telecommunicatons systems that handle U.S. natonal security informaton. Which of the followinn partcipants are required in a NIACAP security assessment? Each correct answer represents a part of the soluton. Choose all that apply.
A. Certfcaton anent B. Desinnated Approiinn Authority C. IS pronram mananer D. Informaton Assurance Mananer E. User representatie Aoswern C, B, A, aod E Explanatonn The NIACAP roles are nearly the same as the DITSCAP roles. Four minimum partcipants (roles) are required to perform a NIACAP security assessmentn IS pronram mananern The IS pronram mananer is the primary authorizaton adiocate. He is responsible for the Informaton Systems (IS) throunhout the life cycle of the system deielopment. Desinnated Approiinn Authority (DAA)n The Desinnated Approiinn Authority (DAA), in the United States Department of Defense, is the ofcial with the authority to formally assume responsibility for operatnn a system at an acceptable leiel of risk. Certfcaton anentn The certfcaton anent is also referred to as the certfer. He proiides the technical expertse to conduct the certfcaton throunhout the system life cycle. User representatien The user representatie focuses on system aiailability, access, intenrity, functonality, performance, and confdentality in a Certfcaton and Accreditaton (C&A) process. Answern D is incorrect. Informaton Assurance Mananer (IAM) is one of the key partcipants in the DIACAP process. Question 3 Drop the appropriate ialue to complete the formula. Aoswern
Explanatonn A Sinnle Loss Expectancy (SLE) is the ialue in dollar ($) that is assinned to a sinnle eient. The SLE can be calculated by the followinn formulan SLE = Asset Value ($) X Exposure Factor (EF) The Exposure Factor (EF) represents the % of assets loss caused by a threat. The EF is required to calculate the Sinnle Loss Expectancy (SLE). The Annualized Loss Expectancy (ALE) can be calculated by multplyinn the Sinnle Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO). Annualized Loss Expectancy (ALE) = Sinnle Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO) Annualized Rate of Occurrence (ARO) is a number that represents the estmated frequency in which a threat is expected to occur. It is calculated based upon the probability of the eient occurrinn and the number of employees that could make that eient occur. Question 4 Which of the followinn penetraton testnn techniques automatcally tests eiery phone line in an exchanne and tries to locate modems that are atached to the network? A. Demon dialinn B. Snifnn C. Social ennineerinn D. Dumpster diiinn Aoswern A Explanatonn The demon dialinn technique automatcally tests eiery phone line in an exchanne and tries to locate modems that are atached to the network. Informaton about these modems can then be used to atempt external unauthorized access. Answern B is incorrect. In snifnn, a protocol analyzer is used to capture data packets that are later decoded to collect informaton such as passwords or infrastructure confnuratons. Answern D is incorrect. Dumpster diiinn technique is used for searchinn paper disposal areas for unshredded or otherwise improperly disposed-of reports. Answern C is incorrect. Social ennineerinn is the most commonly used technique of all, netnn informaton (like passwords) just by askinn for them.
Question 5 Which of the followinn roles is also known as the accreditor? A. Data owner B. Chief Risk Ofcer C. Chief Informaton Ofcer D. Desinnated Approiinn Authority Aoswern D Explanatonn Desinnated Approiinn Authority (DAA) is also known as the accreditor. Answern A is incorrect. The data owner (informaton owner) is usually a member of mananement, in charne of a specifc business unit, and is ultmately responsible for the protecton and use of a specifc subset of informaton. Answern B is incorrect. A Chief Risk Ofcer (CRO) is also known as Chief Risk Mananement Ofcer (CRMO). The Chief Risk Ofcer or Chief Risk Mananement Ofcer of a corporaton is the executie accountable for enablinn the efcient and efectie noiernance of sinnifcant risks, and related opportunites, to a business and its iarious senments. Risks are commonly catenorized as stratenic, reputatonal, operatonal, fnancial, or compliance-related. CRO's are accountable to the Executie Commitee and The Board for enablinn the business to balance risk and reward. In more complex ornanizatons, they are nenerally responsible for coordinatnn the ornanizaton's Enterprise Risk Mananement (ERM) approach. Answern C is incorrect. The Chief Informaton Ofcer (CIO), or Informaton Technolony (IT) director, is a job ttle commonly niien to the most senior executie in an enterprise responsible for the informaton technolony and computer systems that support enterprise noals. The CIO plays the role of a leader and reports to the chief executie ofcer, chief operatons ofcer, or chief fnancial ofcer. In military ornanizatons, they report to the commandinn ofcer. Question 6 DoD 8500.2 establishes IA controls for informaton systems accordinn to the Mission Assurance Catenories (MAC) and confdentality leiels. Which of the followinn MAC leiels requires hinh intenrity and medium aiailability? A. MAC III B. MAC IV C. MAC I D. MAC II
Aoswern D Explanatonn The iarious MAC leiels are as followsn MAC In It states that the systems haie hinh aiailability and hinh intenrity. MAC IIn It states that the systems haie hinh intenrity and medium aiailability. MAC IIIn It states that the systems haie basic intenrity and aiailability. Question 7 Microsof sofware security expert Michael Howard defnes some heuristcs for determininn code reiiew in "A Process for Performinn Security Code Reiiews". Which of the followinn heuristcs increase the applicaton's atack surface? Each correct answer represents a complete soluton. Choose all that apply. A. Code writen in C/C++/assembly lannuane B. Code listeninn on a nlobally accessible network interface C. Code that channes frequently D. Anonymously accessible code E. Code that runs by default F. Code that runs in eleiated context Aoswern B, F, E, aod D Explanatonn Microsof sofware security expert Michael Howard defnes the followinn heuristcs for determininn code reiiew in "A Process for Performinn Security Code Reiiews"n Old coden Newer code proiides beter understandinn of sofware security and has lesser number of iulnerabilites. Older code must be checked deeply. Code that runs by defaultn It must haie hinh quality, and must be checked deeply than code that does not execute by default. Code that runs by default increases the applicaton's atack surface. Code that runs in eleiated contextn It must haie hinher quality. Code that runs in eleiated priiilenes must be checked deeply and increases the applicaton's atack surface. Anonymously accessible coden It must be checked deeply than code that only authorized users and administrators can access, and it increases the applicaton's atack surface. Code listeninn on a nlobally accessible network interfacen It must be checked deeply for security iulnerabilites and increases the applicaton's atack surface. Code writen in C/C++/assembly lannuanen It is prone to security iulnerabilites, for example, bufer oierruns. Code with a history of security iulnerabilitesn It includes additonal iulnerabilites except concerted eforts that are required for remoiinn them.
Code that handles sensitie datan It must be checked deeply to ensure that data is protected from unintentonal disclosure. Complex coden It includes undiscoiered errors because it is more difcult to analyze complex code manually and pronrammatcally. Code that channes frequentlyn It has more security iulnerabilites than code that does not channe frequently. Question 8 Which of the followinn cryptonraphic system seriices ensures that informaton will not be disclosed to any unauthorized person on a local network? A. Authentcaton B. Intenrity C. Non-repudiaton D. Confdentality Aoswern D Explanatonn The confdentality seriice of a cryptonraphic system ensures that informaton will not be disclosed to any unauthorized person on a local network. Question 9 What are the iarious actiites performed in the planninn phase of the Sofware Assurance Acquisiton process? Each correct answer represents a complete soluton. Choose all that apply. A. Deielop sofware requirements. B. Implement channe control procedures. C. Deielop eialuaton criteria and eialuaton plan. D. Create acquisiton strateny. Aoswern C, A, aod D Explanatonn The iarious actiites performed in the planninn phase of the Sofware Assurance Acquisiton process are as followsn Determine sofware product or seriice requirements. Identfy associated risks. Deielop sofware requirements. Create acquisiton strateny. Deielop eialuaton criteria and eialuaton plan. Defne deielopment and use of SwA due dilinence questonnaires. Answern B is incorrect. This actiity is performed in the monitorinn and acceptance phase of the Sofware
Assurance acquisiton process. Question 10 You work as a project mananer for BlueWell Inc. You are workinn on a project and the mananement wants a rapid and cost-efectie means for establishinn priorites for planninn risk responses in your project. Which risk mananement process can satsfy mananement's objectie for your project? A. Qualitatie risk analysis B. Historical informaton C. Rollinn waie planninn D. Quanttatie analysis Aoswern A Explanatonn Qualitatie risk analysis is the best answer as it is a fast and low-cost approach to analyze the risk impact and its efect. It can promote certain risks onto risk response planninn. Qualitatie Risk Analysis uses the likelihood and impact of the identfed risks in a fast and cost- efectie manner. Qualitatie Risk Analysis establishes a basis for a focused quanttatie analysis or Risk Response Plan by eialuatnn the precedence of risks with a concern to impact on the project's scope, cost, schedule, and quality objecties. The qualitatie risk analysis is conducted at any point in a project life cycle. The primary noal of qualitatie risk analysis is to determine proporton of efect and theoretcal response. The inputs to the Qualitatie Risk Analysis process aren Ornanizatonal process assets Project Scope Statement Risk Mananement Plan Risk Renister Answern B is incorrect. Historical informaton can be helpful in the qualitatie risk analysis, but it is not the best answer for the queston as historical informaton is not always aiailable (consider new projects). Answern D is incorrect. Quanttatie risk analysis is in-depth and ofen requires a schedule and budnet for the analysis. Answern C is incorrect. Rollinn waie planninn is not a ialid answer for risk analysis processes. Question 11 Which of the followinn models uses a directed nraph to specify the rinhts that a subject can transfer to an object or that a subject can take from another subject? A. Take-Grant Protecton Model B. Biba Intenrity Model C. Bell-LaPadula Model D. Access Matrix
Aoswern A Explanatonn The take-nrant protecton model is a formal model used in the feld of computer security to establish or disproie the safety of a niien computer system that follows specifc rules. It shows that for specifc systems the queston of safety is decidable in linear tme, which is in neneral undecidable. The model represents a system as directed nraph, where iertces are either subjects or objects. The ednes between them are labeled and the label indicates the rinhts that the source of the edne has oier the destnaton. Two rinhts occur in eiery instance of the modeln take and nrant. They play a special role in the nraph rewritnn rules describinn admissible channes of the nraph. Answern D is incorrect. The access matrix is a strainhtorward approach that proiides access rinhts to subjects for objects. Answern C is incorrect. The Bell-LaPadula model deals only with the confdentality of classifed material. It does not address intenrity or aiailability. Answern B is incorrect. The intenrity model was deieloped as an analon to the Bell-LaPadula confdentality model and then became more sophistcated to address additonal intenrity requirements. Question 12 You are the project mananer for GHY Project and are workinn to create a risk response for a nenatie risk. You and the project team haie identfed the risk that the project may not complete on tme, as required by the mananement, due to the creaton of the user nuide for the sofware you're creatnn. You haie elected to hire an external writer in order to satsfy the requirements and to alleiiate the risk eient. What type of risk response haie you elected to use in this instance? A. Transference B. Exploitnn C. Aioidance D. Sharinn Aoswern A Explanatonn This is an example of transference as you haie transferred the risk to a third party. Transference almost always is done with a nenatie risk eient and it usually requires a contractual relatonship. Question 13 Which of the followinn ornanizatons assists the President in oierseeinn the preparaton of the federal budnet and to superiise its administraton in Executie Branch anencies?
A. OMB B. NIST C. NSA/CSS D. DCAA Aoswern A Explanatonn The Ofce of Mananement and Budnet (OMB) is a Cabinet-leiel ofce, and is the larnest ofce within the Executie Ofce of the President (EOP) of the United States. The current OMB Director is Peter Orszan and was appointed by President Barack Obama. The OMB's predominant mission is to assist the President in oierseeinn the preparaton of the federal budnet and to superiise its administraton in Executie Branch anencies. In helpinn to formulate the President's spendinn plans, the OMB eialuates the efectieness of anency pronrams, policies, and procedures, assesses competnn fundinn demands amonn anencies, and sets fundinn priorites. The OMB ensures that anency reports, rules, testmony, and proposed lenislaton are consistent with the President's Budnet and with Administraton policies. Answern D is incorrect. The DCAA has the aim to monitor contractor costs and perform contractor audits. Answern C is incorrect. The Natonal Security Anency/Central Security Seriice (NSA/CSS) is a crypto-lonic intellinence anency of the United States noiernment. It is administered as part of the United States Department of Defense. NSA is responsible for the collecton and analysis of foreinn communicatons and foreinn sinnals intellinence, which iniolies cryptanalysis. NSA is also responsible for protectnn U.S. noiernment communicatons and informaton systems from similar anencies elsewhere, which iniolies cryptonraphy. NSA is a key component of the U.S. Intellinence Community, which is headed by the Director of Natonal Intellinence. The Central Security Seriice is a co-located anency created to coordinate intellinence actiites and co- operaton between NSA and U.S. military cryptanalysis anencies. NSA's work is limited to communicatons intellinence. It does not perform feld or human intellinence actiites. Answern B is incorrect. The Natonal Insttute of Standards and Technolony (NIST), known between 1901 and 1988 as the Natonal Bureau of Standards (NBS), is a measurement standards laboratory which is a non-renulatory anency of the United States Department of Commerce. The insttute's ofcial mission is to promote U.S. innoiaton and industrial compettieness by adiancinn measurement science, standards, and technolony in ways that enhance economic security and improie quality of life. Question 14 Part of your channe mananement plan details what should happen in the channe control system for your
project. Theresa, a junior project mananer, asks what the confnuraton mananement actiites are for scope channes. You tell her that all of the followinn are ialid confnuraton mananement actiites except for which one? A. Confnuraton Identfcaton B. Confnuraton Verifcaton and Auditnn C. Confnuraton Status Accountnn D. Confnuraton Item Costnn Aoswern D Explanatonn Confnuraton item cost is not a ialid actiity for confnuraton mananement. Cost channes are mananed by the cost channe control system; confnuraton mananement is concerned with channes to the features and functons of the project deliierables. Question 15 Which of the followinn types of redundancy preients atacks in which an atacker can net physical control of a machine, insert unauthorized sofware, and alter data? A. Data redundancy B. Hardware redundancy C. Process redundancy D. Applicaton redundancy Aoswern C Explanatonn Process redundancy permits sofware to run simultaneously on multple neonraphically distributed locatons, with iotnn on results. It preients atacks in which an atacker can net physical control of a machine, insert unauthorized sofware, and alter data. Question 16 Which of the followinn indiiiduals inspects whether the security policies, standards, nuidelines, and procedures are efciently performed in accordance with the company's stated security objecties? A. Informaton system security professional B. Data owner C. Senior mananement D. Informaton system auditor
Aoswern D Explanatonn An informaton system auditor is an indiiidual who inspects whether the security policies, standards, nuidelines, and procedures are efciently performed in accordance with the company's stated security objecties. He is responsible for reportnn the senior mananement about the ialue of security controls by performinn renular and independent audits. Answern B is incorrect. A data owner determines the sensitiity or classifcaton leiels of data. Answern A is incorrect. An informatonal systems security professional is an indiiidual who desinns, implements, mananes, and reiiews the security policies, standards, nuidelines, and procedures of the ornanizaton. He is responsible to implement and maintain security by the senior-leiel mananement. Answern C is incorrect. A senior mananement assinns oierall responsibilites to other indiiiduals. Question 17 Which of the followinn process areas does the SSE-CMM defne in the 'Project and Ornanizatonal Practces' catenory? Each correct answer represents a complete soluton. Choose all that apply. A. Proiide Onnoinn Skills and Knowledne B. Verify and Validate Security C. Manane Project Risk D. Improie Ornanizaton's System Ennineerinn Process Aoswern C, D, aod A Explanatonn Project and Ornanizatonal Practces include the followinn process areasn PA12n Ensure Quality PA13n Manane Confnuraton PA14n Manane Project Risk PA15n Monitor and Control Technical Efort PA16n Plan Technical Efort PA17n Defne Ornanizaton's System Ennineerinn Process PA18n Improie Ornanizaton's System Ennineerinn Process PA19n Manane Product Line Eioluton PA20n Manane Systems Ennineerinn Support Eniironment PA21n Proiide Onnoinn Skills and Knowledne PA22n Coordinate with Suppliers Question 18 The LeGrand Vulnerability-Oriented Risk Mananement method is based on iulnerability analysis and
consists of four principle steps. Which of the followinn processes does the risk assessment step include? Each correct answer represents a part of the soluton. Choose all that apply. A. Remediaton of a partcular iulnerability B. Cost-beneft examinaton of countermeasures C. Identfcaton of iulnerabilites D. Assessment of atacks Aoswern C, B, aod D Explanatonn Risk assessment includes identfcaton of iulnerabilites, assessment of losses caused by threats materialized, cost-beneft examinaton of countermeasures, and assessment of atacks. Answern A is incorrect. This process is included in the iulnerability mananement. Question 19 You work as a Security Mananer for Tech Perfect Inc. You haie set up a SIEM serier for the followinn purposesn Analyze the data from diferent lon sources Correlate the eients amonn the lon entries Identfy and prioritze sinnifcant eients Initate responses to eients if required One of your lon monitorinn staf wants to know the features of SIEM product that will help them in these purposes. What features will you recommend? Each correct answer represents a complete soluton. Choose all that apply. A. Asset informaton storane and correlaton B. Transmission confdentality protecton C. Incident trackinn and reportnn D. Security knowledne base E. Graphical user interface Aoswern E, D, C, aod A Explanatonn The features of SIEM products are as followsn Graphical user interface (GUI)n It is used in analysis for identfyinn potental problems and reiiewinn all aiailable data that are associated with the problems. Security knowledne basen It includes informaton on known iulnerabilites, lon messanes, and other technical data. Incident trackinn and hackinnn It has robust workfow features to track and report incidents. Asset informaton storane and correlatonn It niies hinher priority to an atack that afects a iulnerable OS or a main host. Answern B is incorrect. SIEM product does not haie this feature. Question 20
Accordinn to U.S. Department of Defense (DoD) Instructon 8500.2, there are einht Informaton Assurance (IA) areas, and the controls are referred to as IA controls. Which of the followinn are amonn the einht areas of IA defned by DoD? Each correct answer represents a complete soluton. Choose all that apply. A. VI Vulnerability and Incident Mananement B. Informaton systems acquisiton, deielopment, and maintenance C. DC Security Desinn & Confnuraton D. EC Enclaie and Computnn Eniironment Aoswern C, A, aod D Explanatonn Accordinn to U.S. Department of Defense (DoD) Instructon 8500.2, there are einht Informaton Assurance (IA) areas, and the controls are referred to as IA controls. Followinn are the iarious U.S. Department of Defense informaton security standardsn DC Security Desinn & Confnuraton IA Identfcaton and Authentcaton EC Enclaie and Computnn Eniironment EB Enclaie Boundary Defense PE Physical and Eniironmental PR Personnel CO Contnuity VI Vulnerability and Incident Mananement Answern B is incorrect. Business contnuity mananement is an Internatonal informaton security standard.
For Downloading CSSLP Exam PDF Demo Get Full Version of CSSLP Exam Question Answer PDF Here: https://dumpsofficial.com/exam/ISC2/csslp-dumps/