ISC CSSLP Certified Secure Software Lifecycle Professional Online Training

Question #11

Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject?

A . Take-Grant Protection Model
B . Biba Integrity Model
C . Bell-LaPadula Model
D . Access Matrix

Reveal Solution Hide Solution

Question #12

You are the project manager for GHY Project and are working to create a risk response for a negative risk. You and the project team have identified the risk that the project may not complete on time, as required by the management, due to the creation of the user guide for the software you’re creating. You have elected to hire an external writer in order to satisfy the requirements and to alleviate the risk event.

What type of risk response have you elected to use in this instance?

A . Transference
B . Exploiting
C . Avoidance
D . Sharing

Reveal Solution Hide Solution

Question #13

Which of the following organizations assists the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies?

A . OMB
B . NIST
C . NSA/CSS
D . DCAA

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Office of Management and Budget (OMB) is a Cabinet-level office, and is the largest office within the Executive Office of the President (EOP) of the United States. The current OMB Director is Peter Orszag and was appointed by President Barack Obama. The OMB’s predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President’s spending plans, the OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. The OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President’s Budget and with Administration policies.

ANS: D is incorrect. The DCAA has the aim to monitor contractor costs and perform contractor audits.

ANS: C is incorrect. The National Security Agency/Central Security Service (NSA/CSS) is a crypto-logic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence. The Central Security Service is a co-located agency created to coordinate intelligence activities and co-operation between NSA and U.S. military cryptanalysis agencies. NSA’s work is limited to communications intelligence. It does not perform field or human intelligence activities.

ANS: B is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

Question #14

Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes.

You tell her that all of the following are valid configuration management activities except for which one?

A . Configuration Identification
B . Configuration Verification and Auditing
C . Configuration Status Accounting
D . Configuration Item Costing

Reveal Solution Hide Solution

Question #15

Which of the following types of redundancy prevents attacks in which an attacker can get physical control of a machine, insert unauthorized software, and alter data?

A . Data redundancy
B . Hardware redundancy
C . Process redundancy
D . Application redundancy

Reveal Solution Hide Solution

Question #16

Which of the following individuals inspects whether the security policies, standards, guidelines, and procedures are efficiently performed in accordance with the company’s stated security objectives?

A . Information system security professional
B . Data owner
C . Senior management
D . Information system auditor

Reveal Solution Hide Solution

Question #17

Which of the following process areas does the SSE-CMM define in the ‘Project and Organizational Practices’ category? Each correct answer represents a complete solution. Choose all that apply.

A . Provide Ongoing Skills and Knowledge
B . Verify and Validate Security
C . Manage Project Risk
D . Improve Organization’s System Engineering Process

Reveal Solution Hide Solution

Question #18

The LeGrand Vulnerability-Oriented Risk Management method is based on vulnerability analysis and consists of four principle steps.

Which of the following processes does the risk assessment step include? Each correct answer represents a part of the solution. Choose all that apply.

A . Remediation of a particular vulnerability
B . Cost-benefit examination of countermeasures
C . Identification of vulnerabilities
D . Assessment of attacks

Reveal Solution Hide Solution

Question #19

You work as a Security Manager for Tech Perfect Inc. You have set up a SIEM server for the following purposes: Analyze the data from different log sources Correlate the events among the log entries Identify and prioritize significant events Initiate responses to events if required One of your log monitoring staff wants to know the features of SIEM product that will help them in these purposes.

What features will you recommend? Each correct answer represents a complete solution. Choose all that apply.

A . Asset information storage and correlation
B . Transmission confidentiality protection
C . Incident tracking and reporting
D . Security knowledge base
E . Graphical user interface

Reveal Solution Hide Solution

Question #20

According to U.S. Department of Defense (DoD) Instruction 8500.2, there are eight Information Assurance (IA) areas, and the controls are referred to as IA controls.

Which of the following are among the eight areas of IA defined by DoD? Each correct answer represents a complete solution. Choose all that apply.

A . VI Vulnerability and Incident Management
B . Information systems acquisition, development, and maintenance
C . DC Security Design & Configuration
D . EC Enclave and Computing Environment

Reveal Solution Hide Solution