Why Should You Prepare For Your Certified Secure Software Lifecycle Professional With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic ISC2 CSSLP Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Certified Secure Software Lifecycle Professional test. Whether you’re targeting ISC2 certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified CSSLP Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the CSSLP Certified Secure Software Lifecycle Professional, you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The CSSLP
You can instantly access downloadable PDFs of CSSLP practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the ISC2 Exam with confidence.
Smart Learning With Exam Guides
Our structured CSSLP exam guide focuses on the Certified Secure Software Lifecycle Professional's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.
Pass the CSSLP Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
If you do not pass the Certified Secure Software Lifecycle Professional exam after preparing with MyCertsHub's exam dumps, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the CSSLP exam dumps.
MyCertsHub – Your Trusted Partner For ISC2 Exams
Whether you’re preparing for Certified Secure Software Lifecycle Professional or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your CSSLP exam has never been easier thanks to our tried-and-true resources.
ISC2 CSSLP Sample Question Answers
Question # 1
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Exploit
B. Mitigation
C. Transference
D. Avoidance
Answer: C
Explanation: When you are hiring a third party to own risk, it is known as transference risk
response. Transference is a strategy to mitigate negative risks or threats. In this strategy,
consequences and the ownership of a risk are transferred to a third party. This strategy does
not eliminate the risk but transfers responsibility of managing the risk to another party.
Insurance is an example of transference. Answer: B is incorrect. The act of spending
money to reduce a risk probability and impact is known as mitigation. Answer: A is
incorrect. Exploit is a strategy that may be selected for risks with positive impacts where
the organization wishes to ensure that the opportunity is realized. Answer: D is incorrect.
When extra activities are introduced into the project to avoid the risk, this is an example of
avoidance.
Question # 2
Which of the following statements about the integrity concept of information security management are true? Each correct answer represents a complete solution. Choose three.
A. It ensures that unauthorized modifications are not made to data by authorized personnel or processes.
B. It determines the actions and behaviors of a single individual within a system.
C. It ensures that internal information is consistent among all subentities and also consistent with the real-world, external situation.
D. It ensures that modifications are not made to data by unauthorized personnel or processes.
Answer: A,C,D
Explanation: The following statements about the integrity concept of information security
management are true: It ensures that modifications are not made to data by unauthorized
personnel or processes. It ensures that unauthorized modifications are not made to data by
authorized personnel or processes. It ensures that internal information is consistent among
all subentities and also consistent with the real-world, external situation. Answer: B is
incorrect. Accountability determines the actions and behaviors of an individual within a
system, and identifies that particular individual. Audit trails and logs support accountability.
Question # 3
You work as a security manager for BlueWell Inc. You are performing the external vulnerability testing, or penetration testing, to get a better snapshot of your organization's security posture. Which of the following penetration testing techniques will you use for searching paper disposal areas for unshredded or otherwise improperly disposed-of reports?
A. Sniffing
B. Scanning and probing
C. Dumpster diving
D. Demon dialing
Answer: C
Explanation: The dumpster diving technique is used for searching paper disposal areas for unshredded or otherwise improperly disposed-of reports. Answer: B is incorrect. In the scanning and probing technique, various scanners, such as a port scanner, can reveal information about a network's infrastructure and enable an intruder to access the network's unsecured ports. Answer: D is incorrect. The demon dialing technique automatically tests every phone line in an exchange to try to locate modems that are attached to the network. Answer: A is incorrect. In the sniffing technique, a protocol analyzer can be used to capture data packets that are later decoded to collect information such as passwords or infrastructure configurations.
Question # 4
Which of the following models manages the software development process if the developers are limited to go back only one stage to rework?
A. Waterfall model
B. Spiral model
C. RAD model
D. Prototyping model
Answer: A
Explanation: In the waterfall model, software development can be managed if the
developers are limited to go back only one stage to rework. If this limitation is not imposed
mainly on a large project with several team members, then any developer can be working
on any phase at any time, and the required rework might be accomplished several times.
Answer: B is incorrect. The spiral model is a software development process combining
elements of both design and prototyping-in-stages, in an effort to combine advantages of
top-down and bottom-up concepts. The basic principles of the spiral model are as follows:
The focus is on risk assessment and minimizing project risks by breaking a project into
smaller segments and providing more ease-of-change during the development process, as
well as providing the opportunity to evaluate risks and weigh consideration of project
continuation throughout the life cycle. Each cycle involves a progression through the same
sequence of steps, for each portion of the product and for each of its levels of elaboration,
from an overall concept-of-operation document down to the coding of each individual
program. Each trip around the spiral traverses the following four basic quadrants:
Determine objectives, alternatives, and constraints of the iteration. Evaluate alternatives,
and identify and resolve risks. Develop and verify deliverables from the iteration. Plan the
next iteration.
Begin each cycle with an identification of stakeholders and their win conditions, and end
each cycle with review and commitment. Answer: D is incorrect. The Prototyping model is a
systems development method (SDM). In this model, a prototype is created, tested, and
then reworked as necessary until an adequate prototype is finally achieved from which the
complete system or product can now be developed. Answer: C is incorrect. Rapid
Application Development (RAD) refers to a type of software development methodology that
uses minimal planning in favor of rapid prototyping.
Question # 5
Which of the following is NOT a responsibility of a data owner?
A. Approving access requests
B. Ensuring that the necessary security controls are in place
C. Delegating responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian
D. Maintaining and protecting data
Answer: D
Explanation: Maintaining and protecting data is not a responsibility of a data owner. The data custodian (information custodian) is responsible for maintaining and protecting the data.
Answer: B, A, and C are incorrect. All of these are responsibilities of a data owner. The
roles and responsibilities of a data owner are as follows: The data owner (information
owner) is usually a member of management, in charge of a specific business unit, and is
ultimately responsible for the protection and use of a specific subset of information. The
data owner decides upon the classification of the data that he is responsible for and alters
that classification if the business needs arise. This person is also responsible for ensuring
that the necessary security controls are in place, ensuring that proper access rights are
being used, defining security requirements per classification and backup requirements,
approving any disclosure activities, and defining user access criteria. The data owner
approves access requests or may choose to delegate this function to business unit
managers. And it is the data owner who will deal with security violations pertaining to the
data he is responsible for protecting. The data owner, who obviously has enough on his
plate, delegates responsibility of the day-to-day maintenance of the data protection
mechanisms to the data custodian.
Question # 6
Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control models will he use?
A. Discretionary Access Control
B. Mandatory Access Control
C. Policy Access Control
D. Role-Based Access Control
Answer: D
Explanation: Role-based access control (RBAC) is an access control model. In this model,
a user can access resources according to his role in the organization. For example, a
backup administrator is responsible for taking backups of important data. Therefore, he is
only authorized to access this data for backing it up. However, sometimes users with
different roles need to access the same resources. This situation can also be handled
using the RBAC model. Answer: B is incorrect. Mandatory Access Control (MAC) is a
model that uses a predefined set of access privileges for an object of the system. Access to
an object is restricted on the basis of the sensitivity of the object and granted through
authorization. Sensitivity of an object is defined by the label assigned to it. For example, if a
user receives a copy of an object that is marked as "secret", he cannot grant permission to
other users to see this object unless they have the appropriate permission. Answer: A is
incorrect. Discretionary Access Control (DAC) is an access control model in which the data owner has the right to decide who can access the data. This model is commonly used in PC environments. The basis of this model is the use of Access Control Lists (ACLs). Answer: C is incorrect. There is no such access control model as Policy Access Control.
Question # 7
Which of the following refers to the ability to ensure that the data is not modified or tampered with?
A. Integrity
B. Availability
C. Non-repudiation
D. Confidentiality
Answer: A
Explanation: Integrity refers to the ability to ensure that the data is not modified or
tampered with. Integrity means that data cannot be modified without authorization. Integrity
is violated when an employee accidentally or with malicious intent deletes important data
files, when a computer virus infects a computer, when an employee is able to modify his
own salary in a payroll database, when an unauthorized user vandalizes a Web site, when
someone is able to cast a very large number of votes in an online poll, and so on. Answer:
D is incorrect. Confidentiality is the property of preventing disclosure of information to
unauthorized individuals or systems. Breaches of confidentiality take many forms.
Permitting someone to look over your shoulder at your computer screen while you have
confidential data displayed on it could be a breach of confidentiality. If a laptop computer
containing sensitive information about a company's employees is stolen or sold, it could
result in a breach of confidentiality. Answer: B is incorrect. Availability means that data
must be available whenever it is needed. Answer: C is incorrect. Non-repudiation is the
concept of ensuring that a party in a dispute cannot refuse to acknowledge, or refute the
validity of a statement or contract. As a service, it provides proof of the integrity and origin
of data. Although this concept can be applied to any transmission, including television and
radio, by far the most common application is in the verification and trust of signatures.
Question # 8
Which of the following are Service Level Agreement (SLA) structures as defined by ITIL? Each correct answer represents a complete solution. Choose all that apply.
A. Component Based
B. Service Based
C. Segment Based
D. Customer Based
E. Multi-Level
Answer: B,D,E
Explanation: ITIL defines three types of Service Level Agreement (SLA) structures, which are as follows:
1. Customer Based: It covers all services used by an individual customer group.
2. Service Based: It is one service for all customers.
3. Multi-Level: An example of a Multi-Level SLA is a three-tier SLA encompassing Corporate, Customer and Service layers.
Answer: C and A are incorrect. There are no such SLA structures as Segment Based and Component Based.
Question # 9
Which of the following test methods has the objective to test the IT system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes?
A. Security Test and Evaluation (ST&E)
B. Penetration testing
C. Automated vulnerability scanning tool
D. On-site interviews
Answer: B
Explanation: The goal of penetration testing is to examine the IT system from the
perspective of a threat-source, and to identify potential failures in the IT system protection
schemes. Penetration testing, when performed in the risk assessment process, is used to
assess an IT system's capability to withstand intentional attempts to thwart system
security. Answer: A is incorrect. The objective of ST&E is to ensure that the applied
controls meet the approved security specification for the software and hardware and
implement the organization's security policy or meet industry standards.
Question # 10
Elizabeth is a project manager for her organization and she finds risk management to be very difficult for her to manage. She asks you, a lead project manager, at what stage in the project will risk management become easier. What answer best resolves the difficulty of risk management practices and the effort required?
A. Risk management only becomes easier when the project moves into project execution.
B. Risk management only becomes easier when the project is closed.
C. Risk management is an iterative process and never becomes easier.
D. Risk management only becomes easier the more often it is practiced.
Answer: D
Explanation: According to the PMBOK, "Like many things in project management, the
more it is done the easier the practice becomes." Answer: B is incorrect. This answer is not
the best choice for the project. Answer: A is incorrect. Risk management likely becomes
more difficult in project execution than in other stages of the project. Answer: C is incorrect.
Risk management does become easier the more often it is done.
Question # 11
A service provider guarantees end-to-end network traffic performance to a customer. Which of the following types of agreement is this?
A. SLA
B. VPN
C. NDA
D. LA
Answer: A
Explanation: This is a type of service-level agreement. A service-level agreement (SLA) is
a negotiated agreement between two parties where one is the customer and the other is
the service provider. It records a common understanding about services, priorities,
responsibilities, guarantees, and warranties. Each area of service scope should have the
'level of service' defined. The SLA may specify the levels of availability, serviceability,
performance, operation, or other attributes of the service, such as billing. Answer: C is
incorrect. Non-disclosure agreements (NDAs) are often used to protect the confidentiality of
an invention as it is being evaluated by potential licensees. Answer: D is incorrect. License
agreements (LA) describe the rights and responsibilities of a party related to the use and
exploitation of intellectual property. Answer: B is incorrect. There is no such type of
agreement as VPN.
Question # 12
You work as a system engineer for BlueWell Inc. You want to verify that the build meets its data requirements, and correctly generates each expected display and report. Which of the following tests will help you to perform the above task?
A. Performance test
B. Functional test
C. Reliability test
D. Regression test
Answer: B
Explanation: The various types of internal tests performed on builds are as follows:
Regression tests: Also known as verification testing, these tests are developed to confirm that capabilities in earlier builds continue to work correctly in the subsequent builds.
Functional tests: These tests emphasize verifying that the build meets its functional and data requirements and correctly generates each expected display and report.
Performance tests: These tests are used to identify the performance thresholds of each build.
Reliability tests: These tests are used to identify the reliability thresholds of each build.
Question # 13
Which of the following characteristics are described by the DIAP Information Readiness Assessment function? Each correct answer represents a complete solution. Choose all that apply.
A. It provides for entry and storage of individual system data.
B. It performs vulnerability/threat analysis assessment.
C. It provides data needed to accurately assess IA readiness.
D. It identifies and generates IA requirements.
Answer: B,C,D
Explanation: The characteristics of the DIAP Information Readiness Assessment function
are as follows: It provides data needed to accurately assess IA readiness. It identifies and
generates IA requirements. It performs vulnerability/threat analysis assessment. Answer: A
is incorrect. It is a function performed by the ASSET system.
Question # 14
You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?
A. Avoidance
B. Acceptance
C. Mitigation
D. Transference
Answer: D
Explanation: According to the question, you are hiring a local expert team for casting the
column. As you have transferred your risk to a third party, this is the transference risk
response that you have adopted. Transference is a strategy to mitigate negative risks or
threats. In this strategy, consequences and the ownership of a risk are transferred to a third
party. This strategy does not eliminate the risk but transfers responsibility of managing the
risk to another party. Insurance is an example of transference. Answer: C is incorrect.
Mitigation is a risk response planning technique associated with threats that seeks to
reduce the probability of occurrence or impact of a risk to below an acceptable threshold.
Risk mitigation involves taking early action to reduce the probability and impact of a risk
occurring on the project. Adopting less complex processes, conducting more tests, or
choosing a more stable supplier are examples of mitigation actions. Answer: A is incorrect.
Avoidance involves changing the project management plan to eliminate the threat entirely.
Answer: B is incorrect. Acceptance response is a part of Risk Response planning process.
Acceptance response delineates that the project plan will not be changed to deal with the
risk. Management may develop a contingency plan if the risk does occur. Acceptance
response to a risk event is a strategy that can be used for risks that pose either threats or
opportunities. Acceptance response can be of two types: Passive acceptance: It is a
strategy in which no plans are made to avoid or mitigate the risk. Active acceptance:
Such responses include developing contingency reserves to deal with risks, in case they
occur. Acceptance is the only response for both threats and opportunities.
Question # 15
Samantha works as an Ethical Hacker for we-are-secure Inc. She wants to test the security of the we-are-secure server for DoS attacks. She sends a large number of ICMP ECHO packets to the target computer. Which of the following DoS attacking techniques will she use to accomplish the task?
A. Smurf DoS attack
B. Land attack
C. Ping flood attack
D. Teardrop attack
Answer: C
Explanation: According to the scenario, Samantha is using the ping flood attack. In a ping
flood attack, an attacker sends a large number of ICMP packets to the target computer
using the ping command, i.e., ping -f target_IP_address. When the target computer
receives these packets in large quantities, it does not respond and hangs. However, for
such an attack to take place, the attacker must have sufficient Internet bandwidth, because
if the target responds with an "ECHO reply ICMP packet" message, the attacker must have
both the incoming and outgoing bandwidths available for communication. Answer: A is
incorrect. In a smurf DoS attack, an attacker sends a large amount of ICMP echo request
traffic to the IP broadcast addresses. These ICMP requests have a spoofed source
address of the intended victim. If the routing device delivering traffic to those broadcast
addresses delivers the IP broadcast to all the hosts, most of the IP addresses send an
ECHO reply message. However, on a multi-access broadcast network, hundreds of
computers might reply to each packet when the target network is overwhelmed by all the
messages sent simultaneously. Due to this, the network becomes unable to provide
services to all the messages and crashes. Answer: D is incorrect. In a teardrop attack, a
series of data packets are sent to the target computer with overlapping offset field values.
As a result, the target computer is unable to reassemble these packets and is forced to
crash, hang, or reboot. Answer: B is incorrect. In a land attack, the attacker sends a
spoofed TCP SYN packet in which the IP address of the target is filled in both the source
and destination fields. On receiving the spoofed packet, the target system becomes
confused and goes into a fr
Question # 16
You work as a Network Administrator for uCertify Inc. You need to secure web services of your company in order to have secure transactions. Which of the following will you recommend for providing security?
A. SSL
B. VPN
C. S/MIME
D. HTTP
Answer: A
Explanation: The Secure Sockets Layer (SSL) is a commonly-used protocol for managing
the security of a message transmission on the Internet. SSL has recently been succeeded
by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer
located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control
Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape
browsers and most Web server products. URLs that require an SSL connection start with
https: instead of http:. Answer: C is incorrect. S/MIME (Secure/Multipurpose Internet Mail
Extensions) is a standard for public key encryption and signing of e-mail encapsulated in
MIME. S/MIME provides the following cryptographic security services for electronic
messaging applications: authentication, message integrity, non-repudiation of origin (using
digital signatures), privacy, and data security (using encryption). Answer: D is incorrect.
Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World
Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines
how messages are formatted and transmitted, and what actions Web servers and browsers
should take in response to various commands. For example, when a client application or
browser sends a request to the server using HTTP commands, the server responds with a
message containing the protocol version, success or failure code, server information, and
body content, depending on the request. HTTP uses TCP port 80 as the default port.
Answer: B is incorrect. A Virtual Private Network (VPN) is a computer network that is
implemented in an additional software layer (overlay) on top of an existing larger network
for the purpose of creating a private scope of computer communications or providing a
secure extension of a private network into an insecure network such as the Internet. The
links between nodes of a Virtual Private Network are formed over logical connections or
virtual circuits between hosts of the larger network. The Link Layer protocols of the virtual
network are said to be tunneled through the underlying transport network.
Question # 18
You work as the Senior Project manager in Dotcoiss Inc. Your company has started a software project using configuration management and has completed 70% of it. You need to ensure that the network infrastructure devices and networking standards used in this project are installed in accordance with the requirements of its detailed project design documentation. Which of the following procedures will you employ to accomplish the task?
A. Configuration identification
B. Configuration control
C. Functional configuration audit
D. Physical configuration audit
Answer: D
Explanation: Physical Configuration Audit (PCA) is one of the practices used in Software
Configuration Management for Software Configuration Auditing. The purpose of the
software PCA is to ensure that the design and reference documentation is consistent with
the as-built software product. PCA checks and matches the actually implemented layout with
the documented layout. Answer: C is incorrect. Functional Configuration Audit or FCA is
one of the practices used in Software Configuration Management for Software
Configuration Auditing. FCA occurs either at delivery or at the moment of effecting the
change. A Functional Configuration Audit ensures that functional and performance
attributes of a configuration item are achieved. Answer: B is incorrect. Configuration control
is a procedure of the Configuration management. Configuration control is a set of
processes and approval stages required to change a configuration item's attributes and to
re-baseline them. It supports the change of the functional and physical attributes of
software at various points in time, and performs systematic control of changes to the
identified attributes. Answer: A is incorrect. Configuration identification is the process of
identifying the attributes that define every aspect of a configuration item. A configuration
item is a product (hardware and/or software) that has an end-user purpose. These
attributes are recorded in configuration documentation and baselined. Baselining an
attribute forces formal configuration change control processes to be effected in the event
that these attributes are changed.
Question # 19
What NIACAP certification levels are recommended by the certifier? Each correct answer represents a complete solution. Choose all that apply.
A. Comprehensive Analysis
B. Maximum Analysis
C. Detailed Analysis
D. Minimum Analysis
E. Basic Security Review
F. Basic System Review
Answer: A,C,D,E
Explanation: NIACAP has four levels of certification. These levels ensure that the appropriate C&A are performed for varying schedule and budget limitations. The certifier must analyze the system's business functions. The certifier determines the degree of confidentiality, integrity, availability, and accountability, and then recommends one of the following levels: Level 1 - Basic Security Review, Level 2 - Minimum Analysis, Level 3 - Detailed Analysis, Level 4 - Comprehensive Analysis. Answer: B and F are incorrect. No such types of levels exist.
Question # 20
The mission and business process level is the Tier 2. What are the various Tier 2 activities? Each correct answer represents a complete solution. Choose all that apply.
A. Developing an organization-wide information protection strategy and incorporating high-level information security requirements
B. Defining the types of information that the organization needs to successfully execute the stated missions and business processes
C. Specifying the degree of autonomy for the subordinate organizations
D. Defining the core missions and business processes for the organization
E. Prioritizing missions and business processes with respect to the goals and objectives of the organization
Answer: A,B,C,D,E
Explanation: The mission and business process level is Tier 2. It addresses risk from
the mission and business process perspective and is guided by the risk decisions made at Tier 1.
The Tier 2 activities are as follows: defining the core missions and business
processes for the organization; prioritizing missions and business processes with
respect to the goals and objectives of the organization; defining the types of information
that the organization requires to successfully execute the stated missions and business
processes; developing an organization-wide information protection strategy and
incorporating high-level information security requirements; and specifying the degree of
autonomy for the subordinate organizations.
Question # 21
Which of the following are the basic characteristics of declarative security? Each correct answer represents a complete solution. Choose all that apply.
A. It is a container-managed security.
B. It has a runtime environment.
C. All security constraints are stated in the configuration files.
D. The security policies are applied at the deployment time.
Answer: A,B,C
Explanation: The following are the basic characteristics of declarative security: In
declarative security, no programming is required; all security constraints are stated in the
configuration files. It is container-managed security: the application server enforces the
security constraints. It has a runtime environment, and the security
policies for that runtime environment are expressed in the deployment descriptor. It can
support different environments, such as development, testing, and production. Answer: D is
incorrect. Applying security policies at deployment time is a characteristic of programmatic security.
Question # 22
You are the project manager of the GHY project for your organization. You are about to start the qualitative risk analysis process for the project and you need to determine the roles and responsibilities for conducting risk management. Where can you find this information?
A. Risk register
B. Staffing management plan
C. Risk management plan
D. Enterprise environmental factors
Answer: C
Explanation: The risk management plan defines the roles and responsibilities for
conducting risk management. A risk management plan is a document prepared by the
project manager to identify risks, estimate their likelihood and impact, and build response plans to
mitigate them. It also contains the risk assessment matrix. Risks are inherent in any
project, and project managers evaluate risks repeatedly and build plans to address them.
The risk management plan consists of an analysis of possible risks with both high and low
impacts, together with the mitigation strategies that keep the project from being derailed
when common problems arise. Risk management plans should be reviewed regularly
by the project team so that the analysis does not become stale and cease to
reflect the project's actual potential risks. Most critically, risk management plans include a
risk strategy for project execution. Answer: A is incorrect. The risk register does not define
the risk management roles and responsibilities. Answer: D is incorrect. Enterprise
environmental factors may define the roles that risk management officials or departments
play in the project, but the best answer for all projects is the risk management plan.
Answer: B is incorrect. The staffing management plan does not define the risk
management roles and responsibilities.
Question # 23
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
A. Computer Misuse Act
B. Lanham Act
C. Computer Fraud and Abuse Act
D. FISMA
Answer: D
Explanation: The Federal Information Security Management Act of 2002 is a United States
federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act
recognized the importance of information security to the economic and national security
interests of the United States. The act requires each federal agency to develop, document,
and implement an agency-wide program to provide information security for the information
and information systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or other source. FISMA has
brought attention within the federal government to cybersecurity and explicitly emphasized
a 'risk-based policy for cost-effective security'. FISMA requires agency program officials,
chief information officers, and Inspectors General (IGs) to conduct annual reviews of the
agency's information security program and report the results to the Office of Management and
Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare
its annual report to Congress on agency compliance with the act. Answer: B is incorrect.
The Lanham Act is a piece of legislation that contains the federal statutes of trademark law
in the United States. The Act prohibits a number of activities, including trademark
infringement, trademark dilution, and false advertising. It is also called the Lanham Trademark
Act. Answer: A is incorrect. The Computer Misuse Act 1990 is an act of the UK Parliament
which states the following: Unauthorized access to computer material is
punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard
scale" (currently £5000). Unauthorized access with the intent to commit or facilitate the
commission of further offences is punishable by 6 months/maximum fine on summary
conviction or 5 years/fine on indictment. Unauthorized modification of computer material is
subject to the same sentences as section 2 offences.
Answer: C is incorrect. The Computer Fraud and Abuse Act is a law passed by the United
States Congress in 1984 intended to reduce cracking of computer systems and to address
federal computer-related offenses. The Computer Fraud and Abuse Act (codified as 18
U.S.C. 1030) governs cases with a compelling federal interest: where computers of the
federal government or certain financial institutions are involved, where the crime itself is
interstate in nature, or where computers used in interstate and foreign commerce are involved. It was amended
in 1986, 1994, 1996, in 2001 by the USA PATRIOT Act, and in 2008 by the Identity Theft
Enforcement and Restitution Act. Section (b) of the act punishes not only anyone who
commits or attempts to commit an offense under the Computer Fraud and Abuse Act but
also those who conspire to do so.
Question # 24
You work as a CSO (Chief Security Officer) for Tech Perfect Inc. You have a disaster scenario and you want to discuss it with your team members to work out appropriate responses to the disaster. In which of the following disaster recovery tests can this task be performed?
A. Structured walk-through test
B. Full-interruption test
C. Parallel test
D. Simulation test
Answer: D
Explanation: A simulation test is a method used to test disaster recovery plans. It
operates much like a structured walk-through test. In the simulation test, the members of the
disaster recovery team are presented with a disaster scenario and then discuss appropriate
responses. These suggested responses are evaluated and some of them are acted on by the
team. The scope of the simulation test should be defined carefully to avoid excessive
disruption of normal business activities. Answer: A is incorrect. The structured walk-through
test is also known as the table-top exercise. In a structured walk-through test, the team
members walk through the plan to identify and correct weaknesses and to establish how they will
respond to the emergency scenarios by stepping through the course of the plan. It is the most
effective and efficient way to identify the areas of overlap in the plan before conducting
more challenging training exercises. Answer: B is incorrect. In a full-interruption test,
operations at the primary site are shut down and shifted to the recovery site
according to the disaster recovery plan. It operates much like a parallel test. The full-interruption test is very expensive and difficult to arrange, and it can cause a major
disruption of operations if the test fails. Answer: C is incorrect. A parallel test is the
next level in the testing procedure: it relocates the employees to an alternate recovery
site and implements site activation procedures. The employees perform their
disaster recovery responsibilities as they would for an actual disaster, and the disaster
recovery site takes full responsibility for conducting the organization's day-to-day business.
Question # 25
What are the differences between managed and unmanaged code technologies? Each correct answer represents a complete solution. Choose two.
A. Managed code is referred to as Hex code, whereas unmanaged code is referred to as byte code.
B. C and C++ are the examples of managed code, whereas Java EE and Microsoft.NET are the examples of unmanaged code.
C. Managed code executes under management of a runtime environment, whereas unmanaged code is executed by the CPU of a computer system.
D. Managed code is compiled into an intermediate code format, whereas unmanaged code is compiled into machine code.
Answer: C,D
Explanation: Programming languages are categorized into two technologies:
1. Managed code: This computer program code is compiled into an intermediate code format. Managed
code is referred to as byte code. It executes under the management of a runtime
environment. Java EE and Microsoft.NET are examples of managed code.
2. Unmanaged code: This computer code is compiled into machine code. Unmanaged code
is executed directly by the CPU of a computer system. C and C++ are examples of unmanaged
code.
Answer: A is incorrect. Managed code is referred to as byte code. Answer: B is
incorrect. C and C++ are examples of unmanaged code, whereas Java EE and
Microsoft.NET are examples of managed code.
Feedback That Matters: Reviews of Our ISC2 CSSLP Dumps