Question # 1
Audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Under which of the following controls does audit control come? |
A. Reactive controls
| B. Detective controls
| C. Protective controls
| D. Preventive controls |
Explanation: Audit trail or audit log comes under detective controls. Detective controls are the audit controls that are not needed to be restricted. Any control that performs a monitoring activity can likely be defined as a Detective Control. For example, it is possible that mistakes, either intentional or unintentional, can be made. Therefore, an additional Protective control is that these companies must have their financial results audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a Detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency which indicates that some control somewhere has failed. Answer: A is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to alert or otherwise correct an unacceptable condition. Using the example of account rules, either the internal Audit Committee or the SEC itself, based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a Corrective or Reactive control. Answer: C and D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable behaviors. As an example, a set of common accounting rules are defined and must be followed by any publicly traded company. Each quarter, any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These accounting rules and the SEC requirements serve as protective or preventative controls.
Question # 2
A number of security patterns for Web applications under the DARPA contract have been developed by Kienzle, Elder, Tyree, and Edwards-Hewitt. Which of the following patterns are applicable to aspects of authentication in Web applications?b Each correct answer represents a complete solution. Choose all that apply |
A. Authenticated session
| B. Secure assertion
| C. Partitioned application
| D. Password authentication
| E. Account lockout
|
A.
Authenticated session
D. Password authentication
E. Account lockout
Explanation: The various patterns applicable to aspects of authentication in the Web applications are as follows: Account lockout: It implements a limit on the incorrect password attempts to protect an account from automated password-guessing attacks. Authenticated session: It allows a user to access more than one access-restricted Web page without re- authenticating every page. It also integrates user authentication into the basic session model. Password authentication: It provides protection against weak passwords, automated password-guessing attacks, and mishandling of passwords. Password propagation: It offers a choice by requiring that a user's authentication credentials be verified by the database before providing access to that user's data. Answer: B and C are incorrect. Secure assertion and partitioned application patterns are applicable to software assurance in general.
Question # 3
You work as the Senior Project manager in Dotcoiss Inc. Your company has started a software project using configuration management and has completed 70% of it. You need to ensure that the network infrastructure devices and networking standards used in this project are installed in accordance with the requirements of its detailed project design documentation. Which of the following procedures will you employ to accomplish the task? |
A. Configuration identification | B. Configuration control
| C. Functional configuration audit
| D. Physical configuration audit |
D.
Physical configuration audit
Explanation: Physical Configuration Audit (PCA) is one of the practices used in Software Configuration Management for Software Configuration Auditing. The purpose of the software PCA is to ensure that the design and reference documentation is consistent with the as-built software product. PCA checks and matches the really implemented layout with the documented layout. Answer: C is incorrect. Functional Configuration Audit or FCA is one of the practices used in Software Configuration Management for Software Configuration Auditing. FCA occurs either at delivery or at the moment of effecting the change. A Functional Configuration Audit ensures that functional and performance attributes of a configuration item are achieved. Answer: B is incorrect. Configuration control is a procedure of the Configuration management. Configuration control is a set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes. Answer: A is incorrect. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.
Question # 4
Which of the following are the tasks performed by the owner in the information classification schemes? Each correct answer represents a part of the solution. Choose three. |
A. To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data.
| B. To review the classification assignments from time to time and make alterations as the business requirements alter.
| C. To perform data restoration from the backups whenever required.
| D. To delegate the responsibility of the data safeguard duties to the custodian. |
A.
To make original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data.
B. To review the classification assignments from time to time and make alterations as the business requirements alter.
D. To delegate the responsibility of the data safeguard duties to the custodian.
Explanation: The different tasks performed by the owner are as follows: He makes the original determination to decide what level of classification the information requires, which is based on the business requirements for the safety of the data. He reviews the classification assignments from time to time and makes alterations as the business needs change. He delegates the responsibility of the data safeguard duties to the custodian. He specifies controls to ensure confidentiality, integrity and availability. Answer: C is incorrect. This task is performed by the custodian and not by the owner.
Question # 5
Which of the following security architectures defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms? |
A. Sherwood Applied Business Security Architecture
| B. Enterprise architecture
| C. Service-oriented architecture
| D. Service-oriented modeling and architecture |
C.
Service-oriented architecture
Explanation: In computing, a service-oriented architecture (SOA) is a flexible set of design principles used during the phases of systems development and integration. A deployed SOA-based architecture will provide a loosely-integrated suite of services that can be used within multiple business domains. SOA also generally provides a way for consumers of services, such as web-based applications, to be aware of available SOA-based services.
For example, several disparate departments within a company may develop and deploy SOA services in different implementation languages; their respective clients will benefit from a well understood, well defined interface to access them. XML is commonly used for interfacing with SOA services, though this is not required. SOA defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms. Rather than defining an API, SOA defines the interface in terms of protocols and functionality. An endpoint is the entry point for such an SOA implementation.
Question # 6
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare? |
A. DoDI 5200.40
| B. DoD 8500.1 Information Assurance (IA)
| C. DoD 8510.1-M DITSCAP
| D. DoD 8500.2 Information Assurance Implementation |
B.
DoD 8500.1 Information Assurance (IA)
Explanation: DoD 8500.1 Information Assurance (IA) sets up policies and allots responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare. DoD 8500.1 also summarizes the roles and responsibilities for the persons responsible for carrying out the IA policies. Answer: D is incorrect. The DoD 8500.2 Information Assurance Implementation pursues 8500.1. It provides assistance on how to implement policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems and networks. DoD Instruction 8500.2 allots tasks and sets procedures for applying integrated layered protection of the DOD information systems and networks in accordance with the DoD 8500.1 policy. It also provides some important guidelines on how to implement an IA program. Answer: A is incorrect. DoDI 5200.40 executes the policy, assigns responsibilities, and recommends procedures under reference for Certification and Accreditation(C&A) of information technology (IT). Answer: C is incorrect. DoD 8510.1-M DITSCAP provides standardized activities leading to accreditation, and establishes a process and management baseline.
Question # 7
The Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply. |
A. Certification and accreditation decision
| B. Continue to review and refine the SSAA
| C. Perform certification evaluation of the integrated system
| D. System development
| E. Develop recommendation to the DAA |
A.
Certification and accreditation decision
B. Continue to review and refine the SSAA
C. Perform certification evaluation of the integrated system
E. Develop recommendation to the DAA
Explanation: The Phase 3 of DITSCAP C&A is known as Validation. The goal of Phase 3 is to validate that the preceding work has produced an IS that operates in a specified computing environment. The process activities of this phase are as follows: Continue to review and refine the SSAA Perform certification evaluation of the integrated system Develop recommendation to the DAA Certification and accreditation decision Answer: D is incorrect. System development is a Phase 2 activity.
Question # 8
Which of the following are the types of intellectual property? Each correct answer represents a complete solution. Choose all that apply. |
A. Patent
| B. Copyright
| C. Standard
| D. Trademark |
A.
Patent
B. Copyright
D. Trademark
Explanation: Common types of intellectual property include copyrights, trademarks, patents, industrial design rights, and trade secrets. A copyright is a form of intellectual property, which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals. A trademark is a distinctive sign used by an individual, business organization, or other legal entity to identify that the products or services to consumers with which the trademark appears originate from a unique source, and to distinguish its products or services from those of other entities. A trademark is designated by the following symbols: : It is for an unregistered trade mark and it is used to promote or brand goods. : It is for an unregistered service mark and it is used to promote or brand services. : It is for a registered trademark. A patent is a set of exclusive rights granted by a state to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention. Answer: C is incorrect. It is not a type of intellectual property.
Question # 9
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer? Each correct answer represents a complete solution.
Choose all that apply. |
A. Facilitating the sharing of security risk-related information among authorizing officials
| B. Preserving high-level communications and working group relationships in an organization
| C. Establishing effective continuous monitoring program for the organization
| D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan |
B.
Preserving high-level communications and working group relationships in an organization
C. Establishing effective continuous monitoring program for the organization
D. Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan
Explanation: A Chief Information Officer (CIO) plays the role of a leader. The responsibilities of a Chief Information Officer are as follows: Establishes effective continuous monitoring program for the organization. Facilitates continuous monitoring process for the organizations. Preserves high-level communications and working group relationships in an organization.
Confirms that information systems are covered by a permitted security plan and monitored throughout the System Development Life Cycle (SDLC). Manages and delegates decisions to employees in large enterprises. Proposes the information technology needed by an enterprise to achieve its goals and then works within a budget to implement the plan.
Answer: A is incorrect. A Risk Executive facilitates the sharing of security risk-related information among authorizing officials.
Question # 10
You are the project manager of the GHY project for your organization. You are about to start the qualitative risk analysis process for the project and you need to determine the roles and responsibilities for conducting risk management. Where can you find this information? |
A. Risk register
| B. Staffing management plan
| C. Risk management plan
| D. Enterprise environmental factors |
Explanation: The risk management plan defines the roles and responsibilities for conducting risk management. A Risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix. Risks are built in with any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of analysis of possible risks with both high and low impacts, and the mitigation strategies to facilitate the project and avoid being derailed through which the common problems arise. Risk management plans should be timely reviewed by the project team in order to avoid having the analysis become stale and not reflective of actual potential project risks. Most critically, risk management plans include a risk strategy for project execution. Answer: A is incorrect. The risk register does not define the risk management roles and responsibilities. Answer: D is incorrect. Enterprise environmental factors may define the roles that risk management officials or departments play in the project, but the best answer for all projects is the risk management plan.
Get 349 Certified Secure Software Lifecycle Professional questions Access in less then $0.12 per day.
ISC Bundle 1: 1 Month PDF Access For All ISC Exams with Updates $100
$400
Buy Bundle 1
ISC Bundle 2: 3 Months PDF Access For All ISC Exams with Updates $200
$800
Buy Bundle 2
ISC Bundle 3: 6 Months PDF Access For All ISC Exams with Updates $300
$1200
Buy Bundle 3
ISC Bundle 4: 12 Months PDF Access For All ISC Exams with Updates $400
$1600
Buy Bundle 4
Disclaimer: Fair Usage Policy - Daily 5 Downloads
Certified Secure Software Lifecycle Professional Exam Dumps
Exam Code: CSSLP
Exam Name: Certified Secure Software Lifecycle Professional
- 90 Days Free Updates
- ISC Experts Verified Answers
- Printable PDF File Format
- CSSLP Exam Passing Assurance
Get 100% Real CSSLP Exam Dumps With Verified Answers As Seen in the Real Exam. Certified Secure Software Lifecycle Professional Exam Questions are Updated Frequently and Reviewed by Industry TOP Experts for Passing ISC2 Certification Exam Quickly and Hassle Free.
ISC CSSLP Test Dumps
Struggling with Certified Secure Software Lifecycle Professional preparation? Get the edge you need! Our carefully created CSSLP test dumps give you the confidence to pass the exam. We offer:
1. Up-to-date ISC2 Certification practice questions: Stay current with the latest exam content.
2. PDF and test engine formats: Choose the study tools that work best for you. 3. Realistic ISC CSSLP practice exam: Simulate the real exam experience and boost your readiness.
Pass your ISC2 Certification exam with ease. Try our study materials today!
Prepare your ISC2 Certification exam with confidence!We provide top-quality CSSLP exam dumps materials that are:
1. Accurate and up-to-date: Reflect the latest ISC exam changes and ensure you are studying the right content.
2. Comprehensive Cover all exam topics so you do not need to rely on multiple sources.
3. Convenient formats: Choose between PDF files and online Certified Secure Software Lifecycle Professional practice questions for easy studying on any device.
Do not waste time on unreliable CSSLP practice test. Choose our proven ISC2 Certification study materials and pass with flying colors. Try Dumps4free Certified Secure Software Lifecycle Professional 2024 material today!
-
Assurance
Certified Secure Software Lifecycle Professional practice exam has been updated to reflect the most recent questions from the ISC CSSLP Exam.
-
Demo
Try before you buy! Get a free demo of our ISC2 Certification exam dumps and see the quality for yourself. Need help? Chat with our support team.
-
Validity
Our ISC CSSLP PDF contains expert-verified questions and answers, ensuring you're studying the most accurate and relevant material.
-
Success
Achieve CSSLP success! Our Certified Secure Software Lifecycle Professional exam questions give you the preparation edge.
If you have any question then contact our customer support at live chat or email us at support@dumps4free.com.
|