[Dec-2023] CSSLP exam torrent ISC study guide [Q22-Q39]

Rate this post

[Dec-2023] CSSLP exam torrent ISC study guide

Use Valid New CSSLP Test Notes & CSSLP Valid Exam Guide

Exam Topics

This certification exam measures your knowledge and skills in a broad range of topics covered in the CSSLP CBK. These subject areas include the following information that you should know to pass this test on the first try:

Secure Software Concepts (10%):

Understand core concepts – This section requires an understanding of confidentiality, authorization, integrity, accountability, availability, authentication, and non-repudiation;
Know the principles of security design – This domain covers the knowledge of least privilege, defense-in-depth, separation of duties, resiliency, open design, the economy of mechanism, least common mechanism, complete mediation, component reuse, psychological acceptability, and diversity of defense.

NEW QUESTION 22
Which of the following terms ensures that no intentional or unintentional unauthorized modification is made to data?

Non-repudiation

Integrity

Authentication

Confidentiality

NEW QUESTION 23
The Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

Certification and accreditation decision

Continue to review and refine the SSAA

Perform certification evaluation of the integrated system

System development

Develop recommendation to the DAA

NEW QUESTION 24
You work as a project manager for a company. The company has started a new security software project.
The software configuration management will be used throughout the lifecycle of the project. You are tasked to modify the functional features and the basic logic of the software and then make them compatible to the initial design of the project. Which of the following procedures of the configuration management will you follow to accomplish the task?

Configuration status accounting

Configuration control

Configuration audits

Configuration identification

NEW QUESTION 25
Maria has been recently appointed as a Network Administrator in Gentech Inc. She has been tasked to perform network security testing to find out the vulnerabilities and shortcomings of the present network infrastructure. Which of the following testing approaches will she apply to accomplish this task?

Gray-box testing

White-box testing

Black-box testing

Unit testing

Explanation/Reference:
Explanation: Maria is new for this organization and she does not have any idea regarding the present infrastructure. Therefore, black box testing is best suited for her. Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. The testers must first determine the location and extent of the systems before commencing their analysis. This testing technique is costly and time consuming. AnswerB is incorrect. White box testing, also known as Clear box or Glass box testing, takes into account the internal mechanism of a system or application. The connotations of
“Clear box” and “Glass box” indicate that a tester has full visibility of the internal workings of the system. It uses knowledge of the internal structure of an application. It is applicable at the unit, integration, and system levels of the software testing process. It consists of the following testing methods: Control flow- based testing Create a graph from source code. Describe the flow of control through the control flow graph. Design test cases to cover certain elements of the graph. Data flow-based testing Test connections between variable definitions. Check variation of the control flow graph. Set DEF (n) contains variables that are defined at node n. Set USE (n) are variables that are read. AnswerA is incorrect. Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with the knowledge of system and designs test cases or test data based on system knowledge. The security tester typically performs graybox testing to find vulnerabilities in software and network system. Answer D is incorrect. Unit testing is a type of testing in which each independent unit of an application is tested separately. During unit testing, a developer takes the smallest unit of an application, isolates it from the rest of the application code, and tests it to determine whether it works as expected. Unit testing is performed before integrating these independent units into modules. The most common approach to unit testing requires drivers and stubs to be written. Drivers and stubs are programs. A driver simulates a calling unit, and a stub simulates a called unit.

NEW QUESTION 26
What are the differences between managed and unmanaged code technologies? Each correct answer represents a complete solution. Choose two.

Managed code is referred to as Hex code, whereas unmanaged code is referred to as byte code.

C and C++ are the examples of managed code, whereas Java EE and Microsoft.NET are the examples of unmanaged code.

Managed code executes under management of a runtime environment, whereas unmanaged code is executed by the CPU of a computer system.

Managed code is compiled into an intermediate code format, whereas unmanaged code is compiled into machine code.

NEW QUESTION 27
In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represents a complete solution. Choose all that apply.

Moderate

Medium

High

Low

NEW QUESTION 28
The Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

Certification and accreditation decision

Continue to review and refine the SSAA

Perform certification evaluation of the integrated system

System development

Develop recommendation to the DAA

NEW QUESTION 29
The NIST ITL Cloud Research Team defines some primary and secondary technologies as the fundamental elements of cloud computing in its “Effectively and Securely Using the Cloud Computing Paradigm” presentation. Which of the following technologies are included in the primary technologies?
Each correct answer represents a complete solution. Choose all that apply.

Web application framework

Free and open source software

SOA

Virtualization

NEW QUESTION 30
Which of the following elements of BCP process includes the areas of plan implementation, plan testing, and ongoing plan maintenance, and also involves defining and documenting the continuity strategy?

Business continuity plan development

Business impact assessment

Scope and plan initiation

Plan approval and implementation

NEW QUESTION 31
The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA? Each correct answer represents a complete solution. Choose all that apply.

IATT

IATO

DATO

ATO

ATT

NEW QUESTION 32
Which of the following specifies access privileges to a collection of resources by using the URL mapping?

Code Access Security

Security constraint

Configuration Management

Access Management

Explanation:
Security constraint is a type of declarative security, which specifies the protection of web content. It also specifies access privileges to a collection of resources by using the URL mapping. A deployment descriptor is used to define the security constraint. Security constraint includes the following elements: Web resource collection Authorization constraint User data constraint

NEW QUESTION 33
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.

An ISSE manages the security of the information system that is slated for Certification & Accreditation (C&A).

An ISSE provides advice on the continuous monitoring of the information system.

An ISSO manages the security of the information system that is slated for Certification & Accreditation (C&A).

An ISSE provides advice on the impacts of system changes.

An ISSO takes part in the development activities that are required to implement system changes.

NEW QUESTION 34
Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose two.

Biba model

Clark-Biba model

Clark-Wilson model

Bell-LaPadula model

NEW QUESTION 35
The service-oriented modeling framework (SOMF) provides a common modeling notation to address alignment between business and IT organizations. Which of the following principles does the SOMF concentrate on? Each correct answer represents a part of the solution. Choose all that apply.

Architectural components abstraction

SOA value proposition

Business traceability

Disaster recovery planning

Software assets reuse

NEW QUESTION 36
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment? Each correct answer represents a part of the solution. Choose all that apply.

Certification agent

Designated Approving Authority

IS program manager

Information Assurance Manager

User representative

NEW QUESTION 37
FIPS 199 defines the three levels of potential impact on organizations: low, moderate, and high. Which of the following are the effects of loss of confidentiality, integrity, or availability in a high level potential impact?

The loss of confidentiality, integrity, or availability might result in a major damage to organizational assets.

The loss of confidentiality, integrity, or availability might result in severe damages like life threatening injuries or loss of life.

The loss of confidentiality, integrity, or availability might result in major financial losses.

The loss of confidentiality, integrity, or availability might cause severe degradation in or loss of mission capability to an extent.

NEW QUESTION 38
Which of the following strategies is used to minimize the effects of a disruptive event on a company, and is created to prevent interruptions to normal business activity?

Continuity of Operations Plan

Contingency Plan

Disaster Recovery Plan

Business Continuity Plan

Explanation/Reference:
Explanation:
BCP is a strategy to minimize the consequence of the instability and to allow for the continuation of business processes. The goal of BCP is to minimize the effects of a disruptive event on a company, and is formed to avoid interruptions to normal business activity. Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan. Answer: B is incorrect. A contingency plan is a plan devised for a specific situation when things could go wrong. Contingency plans are often devised by governments or businesses who want to be prepared for anything that could happen.
Contingency plans include specific strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also include a monitoring process and
“triggers” for initiating planned actions. They are required to help governments, businesses, or individuals to recover from serious incidents in the minimum time with minimum cost and disruption. Answer: C is incorrect. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking), and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication, and reputation protection, and should refer to the disaster recovery plan (DRP) for IT-related infrastructure recovery/continuity. Answer: A is incorrect. The Continuity Of Operation Plan (COOP) refers to the preparations and institutions maintained by the United States government, providing survival of federal government operations in the case of catastrophic events. It provides procedures and capabilities to sustain an organization’s essential.
COOP is the procedure documented to ensure persistent critical operations throughout any period where normal operations are unattainable.

NEW QUESTION 39
Which of the following plans is designed to protect critical business processes from natural or man-made failures or disasters and the resultant loss of capital due to the unavailability of normal business processes?

Contingency plan

Business continuity plan

Crisis communication plan

Disaster recovery plan

The business continuity plan is designed to protect critical business processes from natural or man-made failures or disasters and the resultant loss of capital due to the unavailability of normal business processes. Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan. Answer C is incorrect. The crisis communication plan can be broadly defined as the plan for the exchange of information before, during, or after a crisis event. It is considered as a sub-specialty of the public relations profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation. The aim of crisis communication plan is to assist organizations to achieve continuity of critical business processes and information flows under crisis, disaster or event driven circumstances. Answer A is incorrect. A contingency plan is a plan devised for a specific situation when things could go wrong. Contingency plans are often devised by governments or businesses who want to be prepared for anything that could happen. Contingency plans include specific strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also include a monitoring process and “triggers” for initiating planned actions. They are required to help governments, businesses, or individuals to recover from serious incidents in the minimum time with minimum cost and disruption. Answer D is incorrect. A disaster recovery plan should contain data, hardware, and software that can be critical for a business. It should also include the plan for sudden loss such as hard disc crash. The business should use backup and data recovery utilities to limit the loss of data.

CSSLP Exam questions and answers: https://www.prepawaytest.com/ISC/CSSLP-practice-exam-dumps.html

Exam Topics

Leave a Reply Cancel reply