A comprehensive guide to the CSSLP exam, covering key concepts and principles of information security. It consists of a series of multiple-choice questions with answers, designed to help students prepare for the exam. The questions cover a wide range of topics, including access control, security models, risk management, the secure development lifecycle, data classification, and legal and regulatory frameworks. This resource is valuable for anyone seeking a deeper understanding of information security principles while preparing for the CSSLP certification.
Typology: Exams
Which access control mechanism provides the owner of an object the opportunity to determine the access control permissions for other subjects?
a. Mandatory
b. Role-based
c. Discretionary
d. Token-based
- ✔✔Discretionary

The elements UDI and CDI are associated with which access control model?
a. Mandatory access control
b. Clark-Wilson
c. Biba integrity
d. Bell-LaPadula confidentiality
- ✔✔Clark-Wilson

The concept of separating elements of a system to prevent inadvertent information sharing is:
a. Leverage existing components
b. Separation of duties
c. Weakest link
d. Least common mechanism
- ✔✔Least Common Mechanism

Which of the following is true about the Biba Integrity Model?
a. No write up, no read down
b. No read up, no write down
c. It is described by the simple security rule
d. It uses the high-water-mark principle
- ✔✔No write up, no read down
The concept of preventing a subject from denying a previous action with an object in a system is a description of:
a. Simple security rule
b. Non-repudiation
c. Defense in depth
d. Constrained data item (CDI)
- ✔✔Non-repudiation

What was described as being essential in order to implement discretionary access controls?
a. Object owner-defined security access
b. Certificates
c. Labels
d. Security classifications
- ✔✔Object owner-defined security access

The CIA of security includes:
a. Confidentiality, integrity, authentication
b. Certificates, integrity, availability
c. Confidentiality, inspection, authentication
d. Confidentiality, integrity, availability
- ✔✔Confidentiality, integrity, availability

Complete mediation is an approach to security that includes:
a. Protect systems and networks by using defense in depth
b. A security design that cannot be bypassed or circumvented
c. The use of interlocking rings of trust to ensure protection to data elements
d. The use of access control lists to enforce security rules
- ✔✔A security design that cannot be bypassed or circumvented (Complete Mediation)

The fundamental approach to security in which an object has only the necessary rights and privileges to perform its task, with no additional permissions, is a description of:
a. Layered security
b. Least privilege
The security principle of fail-safe is related to:
a. Session management
b. Exception management
c. Least privilege
d. Single point of failure
- ✔✔Exception management

Using the principle of keeping things simple is related to:
a. Layered security
b. Simple security rule
c. Economy of mechanism
d. Implementing least privilege for access control
- ✔✔Economy of mechanism

Of the following, which is not a class of controls?
a. Physical
b. Informative
c. Technical
d. Administrative
- ✔✔Informative

Log file analysis is a form of what type of control?
a. Preventive
b. Detective
c. Corrective
d. Compensating
- ✔✔Detective

To calculate ALE, you need:
a. SLE, asset value
b. ARO, asset value
c. SLE, ARO
d. Asset value, exposure factor
- ✔✔SLE, ARO

Risk that remains after the application of controls is referred to as:
a. Acceptable risk
b. Business risk
c. Systematic risk
d. Residual risk
- ✔✔Residual risk

Calculate ALE for asset value = $1000, exposure factor = .75, ARO = 2
a. $
b. $15,
c. $
d. Cannot be determined with additional information
- ✔✔$

Single loss expectancy (SLE) can best be defined by which of the following equations?
a. SLE = asset value * exposure factor
b. SLE = asset value * annualized rate of occurrence (ALE)
c. SLE = annualized loss expectancy (ALE) * annualized rate of occurrence (ARO)
d. SLE = annualized loss expectancy (ALE) * exposure factor
- ✔✔SLE = asset value * exposure factor

Which of the following describes qualitative risk management?
a. The process of using equations to determine impacts of risks to an enterprise
b. The use of experience and knowledge in the determination of single loss expectancies
c. The process of objectively determining the impact of an event that affects a project, program or business
d. The process of subjectively determining the impact of an event that affects a project, program or business
- ✔✔The process of subjectively determining the impact of an event that affects a project, program or business
b. $36,
c. $40,
d. $16,000
- ✔✔$16,

Quantitative risk management depends upon:
a. Expert judgement and experience
b. Historical loss data
c. Impact factor definition
d. Exposure ratio
- ✔✔Historical loss data

The following are all examples of technological risk except:
a. Regulatory
b. Security
c. Change management
d. Privacy
- ✔✔Regulatory

Which of the following is measured in dollars?
a. Exposure factor
b. SLE
c. ARO
d. Impact factor
- ✔✔SLE

The primary governing law for federal computer systems is:
a. NIST
b. Sarbanes-Oxley
c. FISMA
d. Gramm-Leach-Bliley
- ✔✔FISMA
Which of the following is a security standard associated with the collection, processing and storing of credit card data?
a. Gramm-Leach-Bliley
b. PCI DSS
c. HIPAA
d. HITECH
- ✔✔PCI DSS

To protect a novel or non-obvious tangible item that will be sold to the public, one can use which of the following?
a. Patent
b. Trademark
c. Trade secret
d. Licensing
- ✔✔Patent

The organization responsible for the Top Ten list of web application vulnerabilities is:
a. DHS
b. OCTAVE
c. Microsoft
d. OWASP
- ✔✔OWASP

When using customer data as test data for production testing, what process is used to ensure privacy?
a. Data anonymization
b. Delinking
c. Safe Harbor principles
d. Data disambiguation
- ✔✔Data Anonymization

Which of the following is not a common PII element?
a. Full name
b. Order number
a. ITIL
b. COBIT
c. COSO
d. OWASP
- ✔✔OWASP

The third level of the CMMI model is called:
a. Quantified
b. Managed
c. Defined
d. Optimizing
- ✔✔Defined
Safe Harbor principles include:
a. Notice, choice, security
b. Non-repudiation, notice, integrity
c. Enforcement, onward transfer, verifiable
d. Impact factor, security, access
- ✔✔Notice, Choice, security

Creating a secure development lifecycle involves:
a. Adding security features to the software
b. Including threat modeling
c. Training coders to find and remove security errors
d. Modifying the development process, not the software product
- ✔✔Modifying the development process, not the software product

A software product that has security but lacks quality can result in:
a. Exploitable vulnerabilities
b. Undocumented features that result in undesired behaviors
c. Poor maintainability
d. Missing security elements
- ✔✔Undocumented features that result in undesired behaviors

Which of the following is not an attribute of an SDL process?
a. Fuzz testing
b. Bug bars
c. Authentication
d. Developer security awareness
- ✔✔Authentication

Periodic reviews to ensure that security issues are addressed as part of the development process are called:
a. Security gates
b. Security checklist
d. Fuzz testing framework
- ✔✔Fuzz testing framework

A linear model for software development is the:
a. Scrum model
b. Spiral model
c. Waterfall model
d. Agile model
- ✔✔Waterfall model

User stories convey high-level user requirements in the:
a. XP model
b. Prototyping model
c. Spiral model
d. Waterfall model
- ✔✔XP model

Bug bars are used to:
a. Track bugs
b. Score bugs
c. Manage bugs
d. Attribute bugs to developers
- ✔✔Score Bugs

The Microsoft SD3+C model is:
a. Design, Default, Directive and Concise
b. Design, Development, Deployment, and Communications
c. Design, Deployment, Directive and Concise
d. Design, Default, Deployment and Communications
- ✔✔Design, Default, Deployment and Communications

What is used to ensure that all security activities are being correctly carried out as part of the development process?
a. Project manager judgment
b. Security leads
c. Security engineers
d. Security reviews
- ✔✔Security reviews

The objectives of an SDL are to achieve all of the following except:
a. Reduce the number of security vulnerabilities in software
b. Reduce the severity of security vulnerabilities in software
c. Eliminate threats to the software
d. Document a complete understanding of the vulnerabilities in software
- ✔✔Eliminate threats to the software

Which is the most common security vulnerability mitigation methodology used in design?
a. Defense in depth
b. Separation of duties
c. Least privilege
d. Auditability
- ✔✔Defense in depth

When policies decompose into audit risk requirements, the following are the three types of audit-related risks:
a. Requirements risk, development risk, testing risk
b. Tangible risk, intangible risk, residual risk
c. Inherent risk, control risk, detection risk
d. Confidentiality risk, integrity risk, availability risk
- ✔✔Inherent risk, control risk, detection risk

To what set of requirements can issues involving protecting data from unauthorized disclosure be decomposed?
a. Authorization
b. Authentication
c. Integrity
a. Confidentiality, integrity, authentication
b. Certificates, integrity, availability
c. Confidentiality, inspection, authentication
d. Confidentiality, integrity, availability
- ✔✔Confidentiality, integrity, availability

A security policy that is associated with securing PII is an example of what type of computer security policy?
a. System-specific policy
b. Program policy
c. Organization policy
d. Issue-specific policy
- ✔✔Issue-specific policy

When an audit fails to find a specific risk during an examination of a system, this is an example of what type of risk?
a. Detection risk
b. Audit risk
c. Inherent risk
d. Control risk
- ✔✔Detection Risk

Which access control technique relies on a set of rules to determine whether access to an object will be granted or not?
a. Role-based access control
b. Object and rule instantiation access control
c. Rule-based access control
d. Discretionary access control
- ✔✔Rule-based access control

When both parties authenticate each other, this is defined as:
a. Mandatory access control
b. Dual authentication
c. Separation of duties
d. Mutual authentication
- ✔✔Mutual authentication

The ability of a subject to interact with an object describes:
a. Authentication
b. Activity
c. Confidentiality
d. Mutual authentication
- ✔✔Activity

Which of the following is not an example of something that can be used as a shared secret?
a. Something you know
b. Something you have
c. Something you are
d. Something you want
- ✔✔Something you want

An example of a policy element that is related to integrity is:
a. Record error detection and correction
b. Ensure systems are available for authorized users
c. Who is authorized to see what specific data elements
d. Control risk
- ✔✔Record error detection and correction

Ensuring that the software security requirements address the legal and regulatory policy issues is an example of:
a. System-based security policy
b. Risk mitigation
c. Internal requirements
d. External requirements
- ✔✔External requirements

The party that determines which users or groups should have access to specific data elements is:
a. Data custodian
To match the level of protection desired for data, which of the following elements is used?
a. Data classification
b. Impact analysis
c. Data usage
d. Security rules
- ✔✔Data classification

Which of the following is not a type of data in a system?
a. Security sensitive
b. PII
c. Hidden
d. Encrypted
- ✔✔Encrypted

When deleting data at the end of its life, consideration should be given to copies. Which of the following copies is not necessary to specifically manage?
a. Shadow copies
b. Backups
c. DR sites (hot sites)
d. Data warehouse history
- ✔✔Shadow copies

Managing authorized users and access control for data is a responsibility of:
a. Security analyst/technician
b. Data owner
c. System administrator
d. Data custodian
- ✔✔Data custodian

The standard categories of risk associated with impact analysis include:
a. Financial impact, people impact, security impact
b. Time impact, people impact, financial impact
c. Financial impact, people impact, customer impact
d. Time impact, customer impact, people impact
- ✔✔Financial impact, people impact, customer impact

Data retention is primarily driven by what?
a. Business requirements
b. Security requirements
c. Storage space requirements
d. Government regulations
- ✔✔Business requirements

If the loss of confidentiality of a data element would have no effect on the enterprise, this data element would be in which risk category?
a. High
b. Low
c. Safe
d. Moderate or medium
- ✔✔Low

Retention requirements for data in a system are determined by:
a. Business requirements
b. Storage space
c. Data sensitivity
d. Data impact
- ✔✔Business requirements

Data classification is performed at which stage in the lifecycle model?
a. Data retention
b. Disposal
c. Generation
d. Data reduction
- ✔✔Generation

The party responsible for performing operational tasks associated with data retention and disposal is:
a. Backup operator