100% Free ISC Certification SSCP Dumps PDF Demo Cert Guide Cover
PDF Exam Material 2023 Realistic SSCP Dumps Questions
What are the needs required to maintain this certification
The validity of the SSCP certification is three years. Recertify within three years of receiving it and every three years after that by taking the appropriate SSCP exam for your level. Ensure you meet eligibility requirements, such as holding a qualifying job or maintaining certification sponsorship. You can also consult SSCP Dumps for help in maintaining the certification. Log 70 total learning units (LUs) every year. Unless otherwise noted on an individual certificate, each LU counts toward recertification. Maintain certain scoring levels on the exams. Submit a completed Annual Maintenance Request Form before the due date in order to be eligible for recertification. Pay the $75 recertification fee by the due date, so you can register for and take your recertification exam. Pay the $150 late fee if you submit your Annual Maintenance Request Form after the due date.
If you do not meet these requirements, you will be decertified on the last day of the month in which you fail to meet any of them. You must then re-apply for certification and go through all of the steps involved in obtaining the designation again.
How to Plan For ISC SSCP Certification Exam
Preparation Guide for ISC SSCP Certification Exam
Full Overview of ISC SSCP Certification Exam
Are you eager to learn, gain more polished skills, become well known in your company, earn more, and grow your career in the field of system security? Do you want to know how to do it? Are you excited? If YES, then let's start.
The ISC SSCP certification exam is a computer security exam offered by the International Information Systems Security Certification Consortium (ISC2). This exam is related to system security. In this article, we discuss the ISC SSCP exam and the best resources for preparing for it, including SSCP Dumps. We also discuss the advantages, costs, and topics of the ISC SSCP certification exam.
NEW QUESTION 61
What would BEST define risk management?
- A. The process of eliminating the risk
- B. The process of transferring risk
- C. The process of reducing risk to an acceptable level
- D. The process of assessing the risks
Answer: C
Explanation:
This is the basic process of risk management.
Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree.
The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.
Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management (IRM) policy and a delegated IRM team. Once you've identified your company's acceptable level of risk, you need to develop an information risk management policy.
The IRM policy should be a subset of the organization's overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies, which lay out the acceptable risk and the role of security as a whole in the organization. The IRM policy is focused on risk management while the security policy is very high-level and addresses all aspects of security. The IRM policy should address the following items:
- Objectives of IRM team
- Level of risk the company will accept and what is considered an acceptable risk (as defined in the previous article)
- Formal processes of risk identification
- Connection between the IRM policy and the organization's strategic planning processes
- Responsibilities that fall under IRM and the roles that are to fulfill them
- Mapping of risk to internal controls
- Approach for changing staff behaviors and resource allocation in response to risk analysis
- Mapping of risks to performance targets and budgets
- Key indicators to monitor the effectiveness of controls
Shon Harris provides a 10,000-foot view of the risk management process below: A big question that companies have to deal with is, "What is enough security?" This can be restated as, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level.
To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.
Although there are different methodologies for enterprise risk management, the core components of any risk analysis are the following:
- Identify company assets
- Assign a value to each asset
- Identify each asset's vulnerabilities and associated threats
- Calculate the risk for the identified assets
Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.
When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:
- Physical damage: fire, water, vandalism, power loss, and natural disasters
- Human interaction: accidental or intentional action or inaction that can disrupt productivity
- Equipment malfunction: failure of systems and peripheral devices
- Inside and outside attacks: hacking, cracking, and attacking
- Misuse of data: sharing trade secrets, fraud, espionage, and theft
- Loss of data: intentional or unintentional loss of information through destructive means
- Application error: computation errors, input errors, and buffer overflows
The following answers are incorrect:
The process of eliminating the risk is not the best answer as risk cannot be totally eliminated.
The process of assessing the risks is also not the best answer.
The process of transferring risk is also not the best answer and is one of the ways of handling a risk after a risk analysis has been performed.
References:
Shon Harris, AIO v3, Chapter 3: Security Management Practices, pages 66-68
and
http://searchsecurity.techtarget.com/tip/Understanding-risk
NEW QUESTION 62
Which of the following statements pertaining to Secure Sockets Layer (SSL) is false?
- A. The SSL protocol's primary use is to authenticate the client to the server using public key cryptography and digital certificates.
- B. SSL can be used with applications such as Telnet, FTP and email protocols.
- C. Web pages using the SSL protocol start with HTTPS
- D. The SSL protocol was developed by Netscape to secure Internet client-server transactions.
Answer: A
Explanation:
Section: Cryptography
Explanation/Reference:
All of these statements pertaining to SSL are true except the claim that its primary use is to authenticate the client to the server using public key cryptography and digital certificates. It is the opposite: its primary use is to authenticate the server to the client.
The following reference(s) were used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 170).
NEW QUESTION 63
In Synchronous dynamic password tokens:
- A. The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is invalid and that it was entered during the invalid time window.
- B. The token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
- C. The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
- D. The unique password is not entered into a system or workstation along with an owner's PIN.
Answer: B
Explanation:
Section: Access Control
Explanation/Reference:
Synchronous dynamic password tokens:
- The token generates a new password value at fixed time intervals (this password could be the time of day encrypted with a secret key).
- The unique password is entered into a system or workstation along with an owner's PIN.
- The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is valid and that it was entered during the valid time window.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
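A synchronous token and its verifier in code, as an added example that is not from the page or its sources. The page says the password could be the time of day encrypted with a secret key; this code instead derives it as an HMAC-SHA1 over the current 30-second time step (the TOTP construction of RFC 6238), which is an assumption about the design, and the shared secret, PIN and timestamps are constructed sample values.

```python
"""Synchronous dynamic password token: time-step OTP plus owner PIN, verified in a window.

Added example, not from the page or its sources. The page's token value is "the time of
day encrypted with a secret key"; here the password is an HMAC-SHA1 over the current
30-second time step (the RFC 6238 TOTP construction), an assumption about the design.
The shared secret, PIN and timestamps are constructed sample values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # the fixed time interval at which the token rolls over
DIGITS = 6
SECRET = b"constructed-sample-token-seed"   # known only to the token and the server


def time_step(unix_time: int) -> int:
    """Which fixed interval a timestamp falls in; token and server must agree on this."""
    return unix_time // STEP_SECONDS


def token_password(secret: bytes, step: int) -> str:
    """Token side: a new password for each time step (HMAC with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server side: knows the owner's secret key and PIN, checks the entered password
    against the valid time window, and refuses a password already accepted (replay)."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self.secret = secret
        self.pin = pin
        self.window = window          # steps of clock drift tolerated in each direction
        self.last_accepted_step = -1

    def verify(self, pin: str, password: str, server_time: int) -> bool:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        current = time_step(server_time)
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue              # a password for this step was already used
            expected = token_password(self.secret, candidate)
            if hmac.compare_digest(password.encode(), expected.encode()):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = 1_000_000                                   # constructed timestamp
    shown = token_password(SECRET, time_step(now))    # what the token displays
    server = TokenVerifier(SECRET, pin="1234")
    print("accepted:", server.verify("1234", shown, now))        # True
    print("replayed:", server.verify("1234", shown, now))        # False
    print("too late:", server.verify("1234", shown, now + 120))  # False
```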
NEW QUESTION 64
In response to an Access-Request from a client such as a Network Access Server (NAS), which of the following is not one of the responses from a RADIUS server?
- A. Access-Accept
- B. Access-Granted
- C. Access-Challenge
- D. Access-Reject
Answer: B
Explanation:
In response to an access-request from a client, a RADIUS server returns one of three authentication responses: access-accept, access-reject, or access-challenge, the latter being a request for additional authentication information such as a one-time password from a token or a callback identifier. Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 36.
NEW QUESTION 65
How often should tests and disaster recovery drills be performed?
- A. At least once every 2 years
- B. At least once a quarter
- C. At least once every 6 months
- D. At least once a year
Answer: D
Explanation:
Section: Risk, Response and Recovery
Explanation/Reference:
Tests and disaster recovery drills should be performed at least once a year. The company should have no confidence in an untested plan. Since systems and processes can change, frequent testing will aid in ensuring a plan will succeed.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business Continuity (page 621).
NEW QUESTION 66
Which one of the following represents an ALE calculation?
- A. asset value x loss expectancy.
- B. single loss expectancy x annualized rate of occurrence.
- C. actual replacement cost - proceeds of salvage.
- D. gross loss expectancy x loss frequency.
Answer: B
Explanation:
Section: Risk, Response and Recovery
Explanation/Reference:
Single Loss Expectancy (SLE) is the dollar amount that would be lost if there was a loss of an asset.
Annualized Rate of Occurrence (ARO) is the estimated probability of a threat to an asset taking place in one year (for example, if there is a chance of a flood occurring once in 10 years the ARO would be .1, and if there is a chance of a flood occurring once in 100 years then the ARO would be .01).
The following answers are incorrect:
gross loss expectancy x loss frequency is incorrect because this is a distractor.
actual replacement cost - proceeds of salvage is incorrect because this is a distractor.
asset value x loss expectancy is incorrect because this is a distractor.
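The ALE calculation from this question and the risk-calculation and cost/benefit steps listed under question 61, worked through in code as an added example that is not from the page or its sources. It also carries the calculation one step further than the page does, from SLE = asset value x exposure factor through ALE to the net annual value of a countermeasure; all asset values, exposure factors and event frequencies are constructed samples.

```python
"""Quantitative risk analysis worked through: SLE, ARO, ALE and cost/benefit.

Added example, not taken from the page's sources. Formulas used:
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
    control value = ALE before control - ALE after control - annual control cost
All asset values, exposure factors and frequencies below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float        # fraction of the asset value lost per event, 0..1
    years_between_events: float   # "once in 10 years" -> 10

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence: once in 10 years -> 0.1, once in 100 -> 0.01."""
        return 1.0 / self.years_between_events


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the dollar amount lost in a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the calculation asked about in question 66."""
    return sle * aro


def asset_ale(asset_value: float, threat: Threat) -> float:
    sle = single_loss_expectancy(asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a countermeasure; a positive result means the control pays for itself.

    Reducing risk to an acceptable level (question 61) means spending on a control only
    when the ALE it removes exceeds what it costs each year.
    """
    return ale_before - ale_after - annual_control_cost


def rank_risks(register: dict) -> list:
    """Order (asset, threat) pairs by ALE, highest first, so the costliest risks are treated first.

    register maps asset name -> (asset value, [Threat, ...]).
    """
    rows = []
    for asset, (value, threats) in register.items():
        for threat in threats:
            rows.append((asset, threat.name, asset_ale(value, threat)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: a $1,000,000 data center facing two threats.
FLOOD = Threat("flood", exposure_factor=0.25, years_between_events=10)    # ARO 0.1
FIRE = Threat("fire", exposure_factor=0.60, years_between_events=100)     # ARO 0.01
REGISTER = {"data center": (1_000_000.0, [FLOOD, FIRE])}


def flood_barrier_decision() -> float:
    """Worked case: barriers costing $5,000/year cut the flood exposure factor to 0.05."""
    before = asset_ale(1_000_000.0, FLOOD)                          # SLE 250,000 -> ALE 25,000
    after = asset_ale(1_000_000.0, Threat("flood", 0.05, 10))       # SLE 50,000 -> ALE 5,000
    return control_value(before, after, annual_control_cost=5_000.0)  # 15,000 net benefit


if __name__ == "__main__":
    for asset, threat, ale in rank_risks(REGISTER):
        print(f"{asset:12s} {threat:6s} ALE = ${ale:,.0f}")
    print(f"flood barrier net annual value: ${flood_barrier_decision():,.0f}")
```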
NEW QUESTION 67
Which of the following is NOT a part of a risk analysis?
- A. Quantify the impact of potential threats
- B. Identify risks
- C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
- D. Choose the best countermeasure
Answer: D
Explanation:
Section: Risk, Response and Recovery
Explanation/Reference:
This step is not a part of RISK ANALYSIS.
A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure is not part of the risk analysis.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 73).
HARRIS, Shon, Mike Meyers' CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.
NEW QUESTION 68
What is the main issue with media reuse?
- A. Purging
- B. Data remanence
- C. Media destruction
- D. Degaussing
Answer: B
Explanation:
Section: Security Operation Administration
Explanation/Reference:
The main issue with media reuse is data remanence, where residual information still resides on media that has been erased. Degaussing, purging and destruction are ways to handle media containing data that is no longer needed or used.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).
NEW QUESTION 69
Which of the following should be one of the first steps performed in a Business Impact Analysis (BIA)?
- A. Estimate the Recovery Time Objectives (RTO).
- B. Identify all CRITICAL business units within the organization.
- C. Evaluate the impact of disruptive events.
- D. Identify and Prioritize Critical Organization Functions
Answer: D
Explanation:
Project Initiation and Management
The first step in building the Business Continuity program is project initiation and management. During this phase, the following activities occur:
- Obtain senior management support to go forward with the project
- Define a project scope, the objectives to be achieved, and the planning assumptions
- Estimate the project resources needed to be successful, both human resources and financial resources
- Define a timeline and major deliverables of the project
In this phase, the program will be managed like a project, and a project manager should be assigned to the BC and DR domain.
The next step in the planning process is to have the planning team perform a BIA. The BIA will help the company decide what needs to be recovered, and how quickly. Mission functions are typically designated with terms such as critical, essential, supporting and nonessential to help determine the appropriate prioritization.
One of the first steps of a BIA is to Identify and Prioritize Critical Organization Functions. All organizational functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for organization operations are driven by the consequences of not performing the function. The consequences may be the result of organization lost during the down period; contractual commitments not met resulting in fines or lawsuits, lost goodwill with customers.
All other answers are incorrect.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 21073-21075). Auerbach Publications. Kindle Edition.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20697-20710). Auerbach Publications. Kindle Edition.
NEW QUESTION 70
What assesses potential loss that could be caused by a disaster?
- A. The Business Impact Analysis (BIA)
- B. The Business Assessment (BA)
- C. The Risk Assessment (RA)
- D. The Business Continuity Plan (BCP)
Answer: A
Explanation:
Section: Risk, Response and Recovery
Explanation/Reference:
The Business Assessment is divided into two components: Risk Assessment (RA) and Business Impact Analysis (BIA). Risk Assessment is designed to evaluate existing exposures from the organization's environment, whereas the BIA assesses potential loss that could be caused by a disaster. The Business Continuity Plan's goal is to reduce the risk of financial loss by improving the ability to recover and restore operations efficiently and effectively.
Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 57).
And: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 276).
NEW QUESTION 71
What is the main problem of the renewal of a root CA certificate?
- A. It requires key recovery of all end user keys
- B. It requires issuance of the new root CA certificate
- C. It requires the authentic distribution of the new root CA certificate to all PKI participants
- D. It requires the collection of the old root CA certificates from all the users
Answer: C
Explanation:
Explanation/Reference:
The main task here is the authentic distribution of the new root CA certificate, as the new trust anchor, to all the PKI participants (e.g. the users).
In some rollover scenarios there is no automatic way; often an explicit assignment of trust by each user is needed, which can be very costly.
Other methods make use of the old root CA certificate for automatic trust establishment (see the PKIX reference), but these solutions work well only for scenarios with a currently valid root CA certificate (and not for emergency cases, e.g. compromise of the current root CA certificate).
The rollover of the root CA certificate is a specific and delicate problem and is therefore often ignored during PKI deployment.
Reference: Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, conference Enterprise Security 2002, March 26-27, 2002, Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
NEW QUESTION 72
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to?
- A. Illuminated at eight feet high with at least two foot-candles
- B. Illuminated at nine feet high with at least three foot-candles
- C. Illuminated at nine feet high with at least two foot-candles
- D. Illuminated at eight feet high with at least three foot-candles
Answer: A
Explanation:
Explanation/Reference:
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high with at least two foot-candles.
It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of two foot-candles.
One footcandle ≈ 10.764 lux. The footcandle (or lumen per square foot) is a non-SI unit of illuminance. Like the BTU, it is obsolete but it is still in fairly common use in the United States, particularly in construction- related engineering and in building codes. Because lux and footcandles are different units of the same quantity, it is perfectly valid to convert footcandles to lux and vice versa.
The name "footcandle" conveys "the illuminance cast on a surface by a one-candela source one foot away." As natural as this sounds, this style of name is now frowned upon, because the dimensional formula for the unit is not foot * candela, but lumens per square foot.
Some sources do however note that the "lux" can be thought of as a "metre-candle" (i.e. the illuminance cast on a surface by a one-candela source one meter away). A source that is farther away casts less illumination than one that is close, so one lux is less illuminance than one footcandle. Since illuminance follows the inverse-square law, and since one foot = 0.3048 m, one lux = 0.3048² footcandle ≈ 1/10.764 footcandle.
TIPS FROM CLEMENT:
Illuminance (light level) - The amount of light, measured in foot-candles (US unit), that falls on a surface, either horizontal or vertical.
Parking lots lighting needs to be an average of 2 foot candles; uniformity of not more than 3:1, no area less than 1 fc.
All illuminance measurements are to be made on the horizontal plane with a certified light meter calibrated to NIST standards using traceable light sources.
The CISSP Exam Cram 2 from Michael Gregg says:
Lighting is a commonly used form of perimeter protection.
Some studies have found that up to 80% of criminal acts at businesses and shopping centers happen in adjacent parking lots. Therefore, it's easy to see why lighting can be such an important concern.
Outside lighting discourages prowlers and thieves.
The National Institute of Standards and Technologies (NIST) states that, for effective perimeter control, buildings should be illuminated 8 feet high, with 2-foot candle power.
Reference used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 325.
and
Shon's AIO v5 pg 459
and
http://en.wikipedia.org/wiki/Foot-candle
NEW QUESTION 73
An Architecture where there are more than two execution domains or privilege levels is called:
- A. Network Environment.
- B. Ring Architecture.
- C. Security Models
- D. Ring Layering
Answer: B
Explanation:
In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
Ring Architecture
All of the other answers are incorrect because they are distractors.
References:
OIG CBK Security Architecture and Models (page 311) and https://en.wikipedia.org/wiki/Ring_%28computer_security%29
NEW QUESTION 74
Which backup method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup?
- A. full backup method
- B. tape backup method.
- C. incremental backup method
- D. differential backup method
Answer: D
Explanation:
Explanation/Reference:
The Differential Backup Method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup.
Archive Bits
Unless you've done a lot of backups in your time you've probably never heard of an Archive Bit. An archive bit is, essentially, a tag that is attached to every file. In actuality, it is a binary digit that is set on or off in the file, but that's crummy technical jargon that doesn't really tell us anything. For the sake of our discussion, just think of it as the flag on a mail box. If the flag is up, it means the file has been changed. If it's down, then the file is unchanged.
Archive bits let the backup software know what needs to be backed up. The differential and incremental backup types rely on the archive bit to direct them.
Backup Types
Full or Normal
The "Full" or "normal" backup type is the most standard. This is the backup type that you would use if you wanted to backup every file in a given folder or drive. It backs up everything you direct it to regardless of what the archive bit says. It also resets all archive bits (puts the flags down). Most backup software, including the built-in Windows backup software, lets you select down to the individual file that you want backed up. You can also choose to backup things like the "system state".
Incremental
When you schedule an incremental backup, you are in essence instructing the software to only back up files that have been changed, or files that have their flag up. After the incremental backup of that file has occurred, that flag will go back down. If you perform a normal backup on Monday, then an incremental backup on Wednesday, the only files that will be backed up are those that have changed since Monday. If on Thursday someone deletes a file by accident, in order to get it back you will have to restore the full backup from Monday, followed by the incremental backup from Wednesday.
Differential
Differential backups are similar to incremental backups in that they only backup files with their archive bit, or flag, up. However, when a differential backup occurs it does not reset those archive bits which means, if the following day, another differential backup occurs, it will back up that file again regardless of whether that file has been changed or not.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9:
Disaster Recovery and Business continuity (pages 617-619).
And: http://www.brighthub.com/computing/windows-platform/articles/24531.aspx
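The archive-bit behaviour described above, simulated in code as an added example that is not from the page or its sources. A tiny in-memory file system models the archive bit as a flag on each file, and a constructed week of edits shows why the differential set grows night by night while the incremental set stays flat, and what each strategy needs at restore time.

```python
"""Full, incremental and differential backups driven by the archive bit.

Added example, not from the page's sources. A small in-memory file system models the
archive bit as a boolean "flag" on each file; the three backup types differ only in
which files they copy and whether they put the flag back down. The week of edits
simulated below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class File:
    content: str
    archive: bool = True   # flag up: changed since the last full or incremental backup


class FileSystem:
    def __init__(self):
        self.files = {}

    def write(self, name: str, content: str) -> None:
        """Any write (create or modify) raises the archive flag."""
        self.files[name] = File(content, archive=True)


def full_backup(fs: FileSystem) -> dict:
    """Copies everything regardless of the flag, then puts all flags down."""
    snapshot = {name: f.content for name, f in fs.files.items()}
    for f in fs.files.values():
        f.archive = False
    return snapshot


def incremental_backup(fs: FileSystem) -> dict:
    """Copies only flagged files, then resets the flags."""
    snapshot = {name: f.content for name, f in fs.files.items() if f.archive}
    for f in fs.files.values():
        f.archive = False
    return snapshot


def differential_backup(fs: FileSystem) -> dict:
    """Copies only flagged files but leaves the flags up, so each night's set grows."""
    return {name: f.content for name, f in fs.files.items() if f.archive}


def restore(full: dict, *partial_sets: dict) -> dict:
    """Replays a full backup followed by partial sets in order; later copies win."""
    state = dict(full)
    for partial in partial_sets:
        state.update(partial)
    return state


def simulate_week(backup_fn) -> tuple:
    """Monday full backup of a, b, c; one file changed each day Tue..Fri.

    Returns (full set, list of nightly partial sets).
    """
    fs = FileSystem()
    for name in ("a", "b", "c"):
        fs.write(name, f"{name}-v0")
    full = full_backup(fs)
    nightly = []
    for day, name in enumerate(("a", "b", "c", "a"), start=1):
        fs.write(name, f"{name}-v{day}")
        nightly.append(backup_fn(fs))
    return full, nightly


def nightly_sizes(backup_fn) -> list:
    """Files copied each night: differential sizes grow, incremental sizes stay flat."""
    _, nightly = simulate_week(backup_fn)
    return [len(s) for s in nightly]


def restore_after_friday(backup_fn) -> dict:
    """Incremental needs full + every nightly set; differential needs full + last set only."""
    full, nightly = simulate_week(backup_fn)
    if backup_fn is differential_backup:
        return restore(full, nightly[-1])
    return restore(full, *nightly)


if __name__ == "__main__":
    print("incremental:", nightly_sizes(incremental_backup))    # [1, 1, 1, 1]
    print("differential:", nightly_sizes(differential_backup))  # [1, 2, 3, 3]
```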
NEW QUESTION 75
Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences?
- A. Remote Authentication Dial-In User Service
- B. Extensible Authentication Protocol
- C. Multilevel Authentication Protocol.
- D. Challenge Handshake Authentication Protocol
Answer: B
Explanation:
RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial-up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet protocol for carrying a dial-in user's authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to authenticate the users of its network access ports. The other option is a distractor. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
NEW QUESTION 76
Which of the following statements pertaining to software testing approaches is correct?
- A. A top-down approach allows errors in critical modules to be detected earlier.
- B. Black box testing is predicated on a close examination of procedural detail.
- C. A bottom-up approach allows interface errors to be detected earlier.
- D. The test plan and results should be retained as part of the system's permanent documentation.
Answer: D
Explanation:
Section: Security Operation Administration
Explanation/Reference:
A bottom-up approach to testing begins testing of atomic units, such as programs or modules, and works upwards until a complete system testing has taken place. It allows errors in critical modules to be found early.
A top-down approach allows for early detection of interface errors and raises confidence in the system, as programmers and users actually see a working system. White box testing is predicated on a close examination of procedural detail. Black box testing examines some aspect of the system with little regard for the internal logical structure of the software.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).
Top Down Testing: An approach to integration testing where the component at the top of the component hierarchy is tested first, with lower level components being simulated by stubs. Tested components are then used to test lower level components. The process is repeated until the lowest level components have been tested.
Bottom Up Testing: An approach to integration testing where the lowest level components are tested first, then used to facilitate the testing of higher level components. The process is repeated until the component at the top of the hierarchy is tested.
Black Box Testing: Testing based on an analysis of the specification of a piece of software without reference to its internal workings. The goal is to test how well the component conforms to the published requirements for the component.
NEW QUESTION 77
Who can best decide what the adequate technical security controls are in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?
- A. Data or Information user
- B. System Manager
- C. Data or Information Owner
- D. System Auditor
Answer: C
Explanation:
The data or information owner also referred to as "Data Owner" would be the best person. That is the individual or officer who is ultimately responsible for the protection of the information and can therefore decide what are the adequate security controls according to the data sensitivity and data criticality. The auditor would be the best person to determine the adequacy of controls and whether or not they are working as expected by the owner.
The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations.
Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. For example, CobiT is a model that most information security auditors follow when evaluating a security program. While many security professionals fear and dread auditors, they can be valuable tools in ensuring the overall security of the organization. Their goal is to find the things you have missed and help you understand how to fix the problem.
The Official ISC2 Guide (OIG) says: IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.
Example: Bob is the head of payroll. He is therefore the individual with primary responsibility over the payroll database, and is therefore the information/data owner of the payroll database. In Bob's department, he has Sally and Richard working for him. Sally is responsible for making changes to the payroll database, for example if someone is hired or gets a raise. Richard is only responsible for printing paychecks. Given those roles, Sally requires both read and write access to the payroll database, but Richard requires only read access to it. Bob communicates these requirements to the system administrators (the "information/data custodians") and they set the file permissions for Sally's and Richard's user accounts so that Sally has read/write access, while Richard has only read access.
So in short, Bob will determine what controls are required and what the sensitivity and criticality of the data are. Bob will communicate this to the custodians, who will implement the requirements on the systems/DB. The auditor would assess whether the controls are in fact providing the level of security the Data Owner expects within the systems/DB. The auditor does not determine the sensitivity of the data or the criticality of the data.
The other answers are not correct because:
A "system auditor" is never responsible for anything but auditing, not for actually making control decisions; the auditor would, however, be the best person to determine the adequacy of controls and then make recommendations.
A "system manager" is really just another name for a system administrator, which is actually an information custodian as explained above.
A "Data or information user" is responsible for applying security controls on a day-to-day basis as they utilize the information, but not for determining what the controls should be or whether they are adequate.
References:
Official ISC2 Guide to the CISSP CBK, Third Edition, Page 477
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 294-298). Auerbach Publications. Kindle Edition.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3108-3114).
Information Security Glossary
Responsibility for use of information resources
NEW QUESTION 78
For a maximum security design, what type of fence is the most effective and cost-effective method? (Feet are used as the unit of measurement below.)
- A. Double fencing
- B. 6' to 7' high
- C. 3' to 4' high
- D. 8' high and above with strands of barbed wire
Answer: A
Explanation:
The most commonly used fence is the chain link fence, and it is the most affordable. The standard is a six-foot high fence with two-inch mesh square openings. The material should consist of nine-gauge vinyl or galvanized metal. Nine-gauge is a typical fence material installed in residential areas.
Additionally, it is recommended to place barbed wire strands angled out from the top of the fence at a 45-degree angle, away from the protected area, with three strands running across the top. This will provide for a seven-foot fence. There are several variations of the use of "top guards" using V-shaped barbed wire or the use of concertina wire as an enhancement, which has been a replacement for more traditional three-strand barbed wire "top guards."
The fence should be fastened to rigid metal posts set in concrete every six feet, with additional bracing at the corners and gate openings. The bottom of the fence should be stabilized against intruders crawling under by attaching posts along the bottom to keep the fence from being pushed or pulled up from the bottom. If the soil is sandy, the bottom edge of the fence should be installed below ground level.
For a maximum security design, the use of double fencing with rolls of concertina wire positioned between the two fences is the most effective deterrent and cost-efficient method. In this design, an intruder is required to use an extensive array of ladders and equipment to breach the fences.
Most fencing is largely a psychological deterrent and a boundary marker rather than a barrier, because in most cases such fences can be rather easily penetrated unless added security measures are taken to enhance the security of the fence. Sensors attached to the fence to provide electronic monitoring of cutting or scaling the fence can be used.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 24416-24431). Auerbach Publications. Kindle Edition.
NEW QUESTION 79
What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?
- A. One-time pad
- B. Running key cipher
- C. Cipher block chaining
- D. Steganography
Answer: A
Explanation:
In cryptography, the one-time pad (OTP) is a type of encryption that is impossible to crack if used correctly.
Each bit or character from the plaintext is encrypted by a modular addition with a bit or character from a secret random key (or pad) of the same length as the plaintext, resulting in a ciphertext. If the key is truly random, at least as long as the plaintext, never reused in whole or part, and kept secret, the ciphertext will be impossible to decrypt or break without knowing the key. It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. However, practical problems have prevented one-time pads from being widely used.
First described by Frank Miller in 1882, the one-time pad was re-invented in 1917 and patented a couple of years later. It is derived from the Vernam cipher, named after Gilbert Vernam, one of its inventors.
Vernam's system was a cipher that combined a message with a key read from a punched tape. In its original form, Vernam's system was vulnerable because the key tape was a loop, which was reused whenever the loop made a full cycle. One-time use came a little later when Joseph Mauborgne recognized that if the key tape were totally random, cryptanalysis would be impossible.
The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy concealment, the pad was sometimes reduced to such a small size that a powerful magnifying glass was required to use it.
Photos show captured KGB pads that fit in the palm of one's hand, or in a walnut shell. To increase security, one-time pads were sometimes printed onto sheets of highly flammable nitrocellulose so they could be quickly burned.
The following are incorrect answers:
A running key cipher uses articles in the physical world rather than an electronic algorithm. In classical cryptography, the running key cipher is a type of polyalphabetic substitution cipher in which a text, typically from a book, is used to provide a very long keystream. Usually, the book to be used would be agreed ahead of time, while the passage to use would be chosen randomly for each message and secretly indicated somewhere in the message.
The Running Key cipher has the same internal workings as the Vigenere cipher. The difference lies in how the key is chosen; the Vigenere cipher uses a short key that repeats, whereas the running key cipher uses a long key such as an excerpt from a book. This means the key does not repeat, making cryptanalysis more difficult. The cipher can still be broken though, as there are statistical patterns in both the key and the plaintext which can be exploited.
Steganography is a method where the very existence of the message is concealed. It is the art and science of encoding hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. It is sometimes referred to as Hiding in Plain Sight.
Cipher block chaining is a DES operating mode. IBM invented the cipher-block chaining (CBC) mode of operation in 1976. In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.
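The explanation above describes the one-time pad and the running key cipher as sharing the same arithmetic (modular addition of a key symbol to each plaintext symbol) and differing only in where the key comes from. The following added example, which is not from the page or from the cited sources, implements both over the 26-letter alphabet so that the difference is visible in code: the OTP draws a fresh random key of message length from the operating system's CSPRNG, while the running key cipher takes its key from an agreed book passage at an agreed offset. A `key_for` helper shows why a correctly used OTP is unbreakable: for any candidate plaintext of the same length there is a key that produces the observed ciphertext. All messages and the "book" text are constructed for the demonstration.

```python
"""Added example: one-time pad and running key cipher over A-Z using modular
addition (c_i = (p_i + k_i) mod 26). Not code from the page or the cited
sources; the messages and book passage below are constructed."""
import secrets
import string

ALPHABET = string.ascii_uppercase
MOD = len(ALPHABET)  # 26 letters; the page's "bit" case is the same idea mod 2


def _clean(text: str) -> str:
    """Keep only letters, upper-cased; classical ciphers ignore spaces/punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def generate_pad(length: int) -> str:
    """A pad is a key exactly as long as the message, drawn from a CSPRNG.
    secrets.choice uses the OS randomness source, never a seeded PRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def modular_add(plaintext: str, key: str) -> str:
    """Encrypt: c_i = (p_i + k_i) mod 26. Shared by OTP and running key cipher."""
    p, k = _clean(plaintext), _clean(key)
    if len(k) < len(p):
        raise ValueError("key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(pc) + ALPHABET.index(kc)) % MOD]
                   for pc, kc in zip(p, k))


def modular_sub(ciphertext: str, key: str) -> str:
    """Decrypt: p_i = (c_i - k_i) mod 26."""
    c, k = _clean(ciphertext), _clean(key)
    if len(k) < len(c):
        raise ValueError("key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(cc) - ALPHABET.index(kc)) % MOD]
                   for cc, kc in zip(c, k))


def otp_encrypt(plaintext: str):
    """One-time pad: fresh random key, same length as the message, used once.
    Returns (ciphertext, key); the key must be destroyed after a single use."""
    p = _clean(plaintext)
    key = generate_pad(len(p))
    return modular_add(p, key), key


def key_for(ciphertext: str, candidate_plaintext: str) -> str:
    """Perfect secrecy illustrated: for ANY candidate plaintext of the right
    length there is a key (c - p mod 26) that maps it to this ciphertext, so the
    ciphertext alone cannot distinguish between candidates."""
    return modular_sub(ciphertext, candidate_plaintext)


def running_key_encrypt(plaintext: str, book_text: str, offset: int) -> str:
    """Running key cipher: the key is a passage from an agreed book starting at
    `offset`. Same arithmetic as the OTP, but the key is English text, not
    random, which is why statistical attacks on it remain possible."""
    p = _clean(plaintext)
    key = _clean(book_text)[offset:offset + len(p)]
    return modular_add(p, key)


def running_key_decrypt(ciphertext: str, book_text: str, offset: int) -> str:
    """Recipient re-derives the same key passage and subtracts it."""
    c = _clean(ciphertext)
    key = _clean(book_text)[offset:offset + len(c)]
    return modular_sub(c, key)


if __name__ == "__main__":
    # Constructed message and constructed "book" passage for the demo.
    ct, pad = otp_encrypt("ATTACK AT DAWN")
    print("OTP ciphertext:", ct, "decrypts to", modular_sub(ct, pad))
    print("same ciphertext also explained by key", key_for(ct, "RETREATNOWOK"))
    book = "IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES"
    rct = running_key_encrypt("ATTACK AT DAWN", book, 5)
    print("running key ciphertext:", rct, "decrypts to",
          running_key_decrypt(rct, book, 5))
```

Because `generate_pad` is called per message, the example never reuses key material; the `ValueError` in `modular_add` enforces the "at least as long as the plaintext" requirement the explanation states rather than silently cycling a short key, which would turn the scheme back into a repeating Vigenère.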
Reference(s) used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 8:
Cryptography (page 555).
and
http://en.wikipedia.org/wiki/One-time_pad
http://en.wikipedia.org/wiki/Running_key_cipher
http://en.wikipedia.org/wiki/Cipher_block_chaining#Cipher-block_chaining_.28CBC.29
NEW QUESTION 80
CORRECT TEXT
Intentionally embedding secret data into a picture or some form of media is known as Steganography or data ___________.
Answer: Hiding
NEW QUESTION 81
In a hierarchical PKI, the highest CA is commonly called the Root CA. By which one of the following terms is it also known?
- A. Master CA
- B. Subordinate CA
- C. Top Level CA
- D. Big CA
Answer: C
Explanation:
Section: Cryptography
Reference: Arsenault, Turner, Internet X.509 Public Key Infrastructure: Roadmap, Chapter "Terminology".
Also note that other terms, such as Certification Authority Anchor (CAA), are sometimes used within some government organizations. Top Level CA is another common term for the CA at the top of the hierarchy, and Top Level Anchor may also be used.
NEW QUESTION 82
What is called a system that is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it?
- A. A fault-tolerant system
- B. A fail safe system
- C. A fail soft system
- D. A failover system
Answer: A
Explanation:
Section: Security Operation Administration
A fault-tolerant system is capable of detecting that a fault has occurred and has the ability to correct the fault or operate around it. In a fail-safe system, program execution is terminated, and the system is protected from being compromised when a hardware or software failure occurs and is detected. In a fail-soft system, when a hardware or software failure occurs and is detected, selected, non-critical processing is terminated. The term failover refers to switching to a duplicate "hot" backup component in real-time when a hardware or software failure occurs, enabling processing to continue.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architecture and Models (page 196).
NEW QUESTION 83
Which of the following can be defined as an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client?
- A. SMTP
- B. MIME
- C. PEM
- D. IMAP4
Answer: D
Explanation:
RFC 2828 (Internet Security Glossary) defines the Internet Message Access Protocol, version 4 (IMAP4) as an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client.
IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services.
MIME is the MultiPurpose Internet Mail Extension. MIME extends the format of Internet mail to allow non- US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.
Simple Mail Transfer Protocol (SMTP) is a TCP-based, application-layer, Internet Standard protocol for moving electronic mail messages from one computer to another.
Privacy Enhanced Mail (PEM) is an Internet protocol to provide data confidentiality, data integrity, and data origin authentication for electronic mail.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
NEW QUESTION 84
In biometric identification systems, the parts of the body conveniently available for identification are:
- A. neck and mouth
- B. voice and neck
- C. feet and hair
- D. hands, face, and eyes
Answer: D
Explanation:
Today, implementations of fast, accurate, reliable, and user-acceptable biometric identification systems are already under way. Because most identity authentication takes place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face, and eyes.
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7.
NEW QUESTION 85
Controls are implemented to:
- A. mitigate risk and eliminate the potential for loss
- B. eliminate risk and reduce the potential for loss
- C. mitigate risk and reduce the potential for loss
- D. eliminate risk and eliminate the potential for loss
Answer: C
Explanation:
Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.
It is neither feasible nor possible to eliminate all risks and the potential for loss, as risks and threats are constantly changing.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
NEW QUESTION 86
......
Duration of Time
The total time available for the SSCP exam is 3 hours, within which candidates must attempt all the given questions.
Updated ISC SSCP Dumps – PDF & Online Engine: https://www.topexamcollection.com/SSCP-vce-collection.html
SSCP.pdf - Questions Answers PDF Sample Questions Reliable: https://drive.google.com/open?id=1l0T9nDeFs0VUPEoEgF8-PjVKiJAlKKTy

