ISC2 Certified Secure Software Lifecycle Professional CSSLP Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

The mission and business process level is the Tier 2. What are the various Tier 2 activities?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C, D, E

Tier 2 is the mission and business process level. It addresses risk from the mission and business process perspective and is guided by the risk decisions made at Tier 1. The Tier 2 activities are as follows:

It defines the core missions and business processes for the organization.

It prioritizes missions and business processes with respect to the goals and objectives of the organization.

It defines the types of information that the organization requires to successfully execute the stated missions and business processes.

It helps in developing an organization-wide information protection strategy and in incorporating high-level information security requirements.

It specifies the degree of autonomy for subordinate organizations.


Question 2

You work as a Security Manager for Tech Perfect Inc. The company has a Windows-based network. You are required to determine the compatibility of the systems with custom applications. Which of the following techniques will you use to accomplish the task?



Answer : D

In order to accomplish the task, you should use the software testing technique. By using this technique you can determine the compatibility of systems with custom applications and identify other unforeseen interactions. The software testing technique is also used while upgrading software.

Answer B is incorrect. Antivirus management is used to protect systems from viruses, unexpected software interactions, and the subversion of security controls.

Answer A is incorrect. The safe software storage technique is used to ensure that the software and its backup copies have not been modified without authorization.

Answer C is incorrect. The backup control is used to perform backups of software and data.


Question 3

You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You have a disaster scenario and you want to discuss it with your team members to get appropriate responses to the disaster. In which of the following disaster recovery tests can this task be performed?



Answer : D

A simulation test is a method used to test disaster recovery plans. It operates much like a structured walk-through test. In the simulation test, the members of the disaster recovery team are presented with a disaster scenario and then discuss appropriate responses. These suggested responses are evaluated and some of them are carried out by the team. The scope of the simulation test should be defined carefully to avoid excessive disruption of normal business activities.

Answer A is incorrect. The structured walk-through test is also known as the table-top exercise. In a structured walk-through test, the team members walk through the plan to identify and correct weaknesses and to determine how they will respond to the emergency scenarios by stepping through the course of the plan. It is the most effective and efficient way to identify areas of overlap in the plan before conducting more challenging training exercises.

Answer B is incorrect. In a full-interruption test, operations are shut down at the primary site and shifted to the recovery site according to the disaster recovery plan. It operates much like a parallel test. The full-interruption test is very expensive and difficult to arrange, and it can cause a major disruption of operations if the test fails.

Answer C is incorrect. A parallel test is the next level in the testing procedure: it relocates the employees to an alternate recovery site and implements site activation procedures. These employees carry out their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery site takes full responsibility for conducting the organization's day-to-day business.


Question 4

Which of the following processes describes the elements such as quantity, quality, coverage, timelines, and availability, and categorizes the different functions that the system will need to perform in order to gather the documented mission/business needs?



Answer : B

The functional requirements categorize the different functions that the system will need to perform in order to satisfy the documented mission/business needs. The functional requirements describe elements such as quantity, quality, coverage, timelines, and availability.

Answer C is incorrect. The performance requirements comprise speed, throughput, accuracy, humidity tolerances, and mechanical stresses such as vibration or noise.

Answer A is incorrect. Human factors are the factors that affect the operation of the system or component, such as design space, eye movement, or ergonomics.

Answer D is incorrect. The operational scenarios provide assistance to the system designers and form the basis of major events in the acquisition phases, such as testing the products for system integration. The customer classifies and defines the operational scenarios, which indicate the range of anticipated uses of the system products.


Question 5

Which of the following security related areas are used to protect the confidentiality, integrity, and availability of federal information systems and information processed by those systems?



Answer : A, B, C, D, E

The minimum security requirements cover seventeen security-related areas to protect the confidentiality, integrity, and availability of federal information systems and the information processed by those systems. They are as follows:

Access control

Awareness and training

Audit and accountability

Certification, accreditation, and security assessment

Configuration management

Contingency planning

Identification and authentication

Incident response

Maintenance

Media protection

Physical and environmental protection

Planning

Personnel security

Risk assessment

Systems and services acquisition

System and communications protection

System and information integrity


Question 6

You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?



Answer : D

There are four risk responses available for a negative risk event.

The risk response strategies for negative risks are:

Avoid: It involves altering the project management plan to remove the threat completely.

Transfer: It requires shifting some or all of the negative effects of a threat, including the ownership of the response, to a third party.

Mitigate: It involves reducing the probability and/or impact of an unfavorable risk event to within acceptable threshold limits.

Accept: It means that the project plan will not be changed to deal with the risk. Management may develop a contingency plan in case the risk occurs. This response is used for both negative and positive risks.

Answer C is incorrect. There are four responses for negative risk events.

Answer A is incorrect. There are four, not three, responses for negative risk events. Do not forget that acceptance can be used for negative risk events.

Answer B is incorrect. There are seven total risk responses, four of which can be used for negative risk events.


Question 7

In digital rights management, the level of robustness depends on the various types of tools and attacks to which they must be resistant or immune. Which of the following types of tools are expensive, require skill, and are not easily available?



Answer : D

The tools used in DRM to define the level of robustness are as follows:

1. Widely available tools: These tools are easy to use and are available to everyone. For example, screwdrivers and file editors.

2. Specialized tools: These tools require skill and are available at reasonable prices. For example, debuggers, decompilers, and memory scanners.

3. Professional tools: These tools are expensive, require skill, and are not easily available. For example, logic analyzers, circuit emulators, and chip disassembly systems.

