ISC2 CSSLP Certified Secure Software Lifecycle Professional Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

The mission and business process level is the Tier 2. What are the various Tier 2 activities?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, B, C, D, E

Tier 2 is the mission and business process level. It addresses risk from the mission and business process perspective and is guided by the risk decisions made at Tier 1. The Tier 2 activities are as follows:

It defines the core missions and business processes for the organization.

It prioritizes missions and business processes with respect to the goals and objectives of the organization.

It defines the types of information that the organization requires to successfully execute the stated missions and business processes.

It helps in developing an organization-wide information protection strategy and incorporating high-level information security requirements.

It specifies the degree of autonomy for subordinate organizations.


Question 2

Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?



Answer : A

The various phases of NIST SP 800-37 C&A are as follows:

Phase 1: Initiation - This phase includes preparation, notification, and resource identification. It performs the security plan analysis, update, and acceptance.

Phase 2: Security Certification - The security certification phase evaluates the controls and documentation.

Phase 3: Security Accreditation - The security accreditation phase examines the residual risk for acceptability and prepares the final security accreditation package.

Phase 4: Continuous Monitoring - This phase covers configuration management and control, ongoing security control verification, and status reporting and documentation.


Question 3

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the U.S. Federal Government information security standards? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

Following are the various U.S. Federal Government information security standards:

AC Access Control

AT Awareness and Training

AU Audit and Accountability

CA Certification, Accreditation, and Security Assessments

CM Configuration Management

CP Contingency Planning

IA Identification and Authentication

IR Incident Response

MA Maintenance

MP Media Protection

PE Physical and Environmental Protection

PL Planning

PS Personnel Security

RA Risk Assessment

SA System and Services Acquisition

SC System and Communications Protection

SI System and Information Integrity

Answer B is incorrect. Information systems acquisition, development, and maintenance is an international information security standard.


Question 4

John works as a professional Ethical Hacker. He is assigned a project to test the security of www.we-are-secure.com. You have searched all open ports of the we-are-secure server. Now, you want to perform the next information-gathering step, i.e., passive OS fingerprinting. Which of the following tools can you use to accomplish the task?



Answer : D

According to the scenario, you have searched all open ports of the we-are-secure server. Now you want to perform the next information-gathering step, i.e., passive OS fingerprinting. For this, you will use the P0f tool to accomplish the task. P0f is a passive OS fingerprinting tool that identifies the operating system of a target host simply by examining captured packets, even when the device is behind a packet firewall. It does not generate any additional direct or indirect network traffic. P0f can also be used to gather various kinds of information, such as firewall presence, NAT use (for policy enforcement), the existence of a load balancer setup, the distance to the remote system and its uptime, etc.

Answer C is incorrect. Nmap is used for active OS fingerprinting. Nmap is a free open-source utility for network exploration and security auditing. It is used to discover computers and services on a computer network, thus creating a 'map' of the network. Just like many simple port scanners, Nmap is capable of discovering passive services. In addition, Nmap may be able to determine various details about the remote computers. These include the operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card. Nmap runs on Linux, Microsoft Windows, etc.

Answer A is incorrect. SuperScan is a TCP/UDP port scanner. It also works as a ping sweeper and hostname resolver. It can ping a given range of IP addresses and resolve the host name of the remote system.

The features of SuperScan are as follows:

It scans any port range from a built-in list or any given range.

It performs ping scans and port scans using any IP range.

It modifies the port list and port descriptions using the built-in editor.

It connects to any discovered open port using user-specified 'helper' applications.

It has a transmission speed control utility.

Answer B is incorrect. NBTscan is a scanner that scans IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in a supplied range and lists the received information in human-readable form. It displays the IP address, NetBIOS computer name, logged-in user name, and MAC address of each responding host. NBTscan works in the same manner as nbtstat, but it operates on a range of addresses instead of just one.


Question 5

Which of the following are Service Level Agreement (SLA) structures as defined by ITIL?

Each correct answer represents a complete solution. Choose all that apply.



Answer : B, D, E

ITIL defines 3 types of Service Level Agreement (SLA) structures, which are as follows:

1. Customer Based: It covers all services used by an individual customer group.

2. Service Based: It is one service for all customers.

3. Multi-Level: An example of a Multi-Level SLA is a 3-tier SLA encompassing corporate, customer, and service layers.

Answers A and C are incorrect. There are no such SLA structures as Segment Based and Component Based.


Question 6

Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?



Answer : D

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and Inspectors General (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.

Answer B is incorrect. The Lanham Act is a piece of legislation that contains the federal statutes of trademark law in the United States. The Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark Act.

Answer A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament which states the following:

Unauthorized access to computer material is punishable by 6 months imprisonment or a fine 'not exceeding level 5 on the standard scale' (currently 5000).

Unauthorized access with the intent to commit or facilitate commission of further offences is punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment.

Unauthorized modification of computer material is subject to the same sentences as section 2 offences.

Answer C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended to reduce cracking of computer systems and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18 U.S.C. 1030) governs cases with a compelling federal interest: where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers used in interstate and foreign commerce are involved. It was amended in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so.


Question 7

Which of the following are the tasks performed by the owner in the information classification schemes?

Each correct answer represents a part of the solution. Choose three.



Answer : A, B, D

The different tasks performed by the owner are as follows:

He makes the original determination of what level of classification the information requires, based on the business requirements for the safety of the data.

He reviews the classification assignments from time to time and makes alterations as the business needs change.

He delegates the responsibility for data safeguard duties to the custodian.

He specifies controls to ensure confidentiality, integrity, and availability.

Answer C is incorrect. This task is performed by the custodian, not by the owner.

