CSSLP Exam Dumps [Valid] Updates Useful CSSLP Exam Questions And Answers

If you are a CSSLP exam participant and consider the ISC Certified CSSLP exam to be one of the hardest tasks to complete, then you’ve come to the right place. We’ve just updated the CSSLP exam dumps to provide you with the latest CSSLP exam Q&As, which will be very helpful for you to pass the exam.

Following the PassITDump CSSLP exam dumps is your smartest choice.

CSSLP free dumps are shared with you, which you can view below.

Question 1:

Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration management activities are for scope changes. You tell her that all of the following are valid configuration management activities except for which one?

A. Configuration Identification

B. Configuration Verification and Auditing

C. Configuration Status Accounting

D. Configuration Item Costing

Correct Answer: D

Configuration item cost is not a valid activity for configuration management. Cost changes are managed by the cost change control system; configuration management is concerned with changes to the features and functions of the project deliverables.


Question 2:

Which of the following is a variant with regard to Configuration Management?

A. A CI that has the same name as another CI but shares no relationship.

B. A CI that particularly refers to a software version.

C. A CI that has the same essential functionality as another CI but a bit different in some small manner.

D. A CI that particularly refers to a hardware specification.

Correct Answer: C

A variant is a CI that has the same essential functionality as another CI but differs from it in some small manner, and therefore might need to be analyzed along with its generic group. A Configuration Item (CI) is an IT asset, or a combination of IT assets, that may depend on and have relationships with other IT processes. A CI has attributes, which may be hierarchical, and relationships, which are assigned by the configuration manager in the CM database. The CI attributes are as follows:

1. Technical: Data that describes the CI's capabilities, including software version and model numbers, hardware and manufacturer specifications, and other technical details such as networking speeds and data storage size. Keyboards, mice, and cables are considered consumables.

2. Ownership: Part of financial asset management: ownership attributes, warranty, location, and the person responsible for the CI.

3. Relationship: The relationships among hardware items, software, and users.

Answer: B, D, and A are incorrect. These are incorrect definitions of a variant with regard to Configuration Management.


Question 3:

You have a storage media with some data and you make efforts to remove this data. After doing so, you find that the data remains present on the media. Which of the following refers to the above-mentioned condition?

A. Object reuse

B. Degaussing

C. Residual

D. Data remanence

Correct Answer: D

Data remanence refers to the data that remains even after efforts have been made to remove or erase it. It occurs because data is left intact by a nominal file deletion operation, by reformatting of the storage media, or through the physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible. So it is required that the storage media be released into an uncontrolled environment. Answer: C and B are incorrect. These options are made up. Answer: A is incorrect. Object reuse refers to reassigning some other object of a storage media that holds one or more objects.


Question 4:

Which of the following statements is true about residual risks?

A. It is the probabilistic risk after implementing all security measures.

B. It can be considered as an indicator of threats coupled with vulnerability.

C. It is a weakness or lack of safeguard that can be exploited by a threat.

D. It is the probabilistic risk before implementing all security measures.

Correct Answer: A

The residual risk is the risk or danger of an action, event, method, or (technical) process that still carries these dangers even if all theoretically possible safety measures were applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability). Answer: B is incorrect. In information security, security risk is considered an indicator of threats coupled with vulnerability. In other words, security risk is a probabilistic function of a given threat agent exercising a particular vulnerability and the impact of that risk on the organization. Security risks can be mitigated by reviewing and taking responsible actions based on possible risks. Answer: C is incorrect. A vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Vulnerability has been variously defined in the current context as follows:

1. A security weakness in a Target of Evaluation due to failures in analysis, design, implementation, or operation.

2. A weakness in an information system or its components (e.g., system security procedures, hardware design, or internal controls) that could be exploited to produce an information-related misfortune.

3. The existence of a weakness, design error, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.


Question 5:

To help review or design security controls, they can be classified by several criteria. One of these criteria is based on their nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?

A. Compliance control

B. Physical control

C. Procedural control

D. Technical control

Correct Answer: C

Procedural controls include incident response processes, management oversight, security awareness, and training. Answer: B is incorrect. Physical controls include fences, doors, locks, and fire extinguishers. Answer: D is incorrect. Technical controls include user authentication (login) and logical access controls, antivirus software, and firewalls. Answer: A is incorrect. The legal and regulatory, or compliance controls, include privacy laws, policies, and clauses.


Question 6:

Which of the following DoD directives is referred to as the Defense Automation Resources Management Manual?

A. DoD 8910.1

B. DoD 7950.1-M

C. DoDD 8000.1

D. DoD 5200.22-M

E. DoD 5200.1-R

Correct Answer: B

The various DoD directives are as follows:

DoD 5200.1-R: This DoD directive refers to the 'Information Security Program Regulation'.

DoD 5200.22-M: This DoD directive refers to the 'National Industrial Security Program Operating Manual'.

DoD 7950.1-M: This DoD directive refers to the 'Defense Automation Resources Management Manual'.

DoDD 8000.1: This DoD directive refers to the 'Defense Information Management (IM) Program'.

DoD 8910.1: This DoD directive refers to the 'Management and Control of Information Requirements'.


Question 7:

The IAM/CA makes certification accreditation recommendations to the DAA. The DAA issues accreditation determinations. Which of the following are the accreditation determinations issued by the DAA? Each correct answer represents a complete solution. Choose all that apply.

A. IATT

B. IATO

C. DATO

D. ATO

E. ATT

Correct Answer: ABCD

The DAA issues one of the following four accreditation determinations:

Approval to Operate (ATO): An authorization of a DoD information system to process, store, or transmit information.

Interim Approval to Operate (IATO): A temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls.

Interim Approval to Test (IATT): A temporary approval to conduct system testing based on an assessment of the implementation status of the assigned IA Controls.

Denial of Approval to Operate (DATO): A determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA Controls.

Answer: E is incorrect. No such type of accreditation determination exists.


Question 8:

Which of the following authentication methods is used to access public areas of a Web site?

A. Anonymous authentication

B. Biometrics authentication

C. Mutual authentication

D. Multi-factor authentication

Correct Answer: A

Anonymous authentication is an authentication method used for Internet communication. It provides limited access to specific public folders and directory information or public areas of a Web site. It is supported by all clients and is used to access unsecured content in public folders. An administrator must create a user account in IIS to enable the user to connect anonymously. Answer: D is incorrect. Multi-factor authentication involves a combination of multiple methods of authentication. For example, an authentication method that uses smart cards as well as usernames and passwords can be referred to as multi-factor authentication. Answer: C is incorrect. Mutual authentication is a process in which a client process and server are required to prove their identities to each other before performing any application function. The client and server identities can be verified through a trusted third party and use shared secrets as in the case of Kerberos v5. The MS-CHAP v2 and EAP-TLS authentication methods support mutual authentication. Answer: B is incorrect. Biometrics authentication uses physical characteristics, such as fingerprints, scars, retinal patterns, and other forms of biophysical qualities to identify a user.


Question 9:

Which of the following phases of the DITSCAP C&A process is used to define the C&A level of effort, to identify the main C&A roles and responsibilities, and to create an agreement on the method for implementing the security requirements?

A. Phase 1

B. Phase 4

C. Phase 2

D. Phase 3

Correct Answer: A

Phase 1 of the DITSCAP C&A process is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. Answer: C is incorrect. Phase 2 of the DITSCAP C&A process is known as Verification. Answer: D is incorrect. Phase 3 of the DITSCAP C&A process is known as Validation. Answer: B is incorrect. Phase 4 of the DITSCAP C&A process is known as Post Accreditation.


Question 10:

Which of the following activities are performed by the 'Do' cycle component of PDCA (plan-do-check-act)? Each correct answer represents a complete solution. Choose all that apply.

A. It detects and responds to incidents properly.

B. It determines controls and their objectives.

C. It manages resources that are required to achieve a goal.

D. It performs security awareness training.

E. It operates the selected controls.

Correct Answer: ACDE

The 'Do' cycle component performs the following activities:

It operates the selected controls.

It detects and responds to incidents properly.

It performs security awareness training.

It manages resources that are required to achieve a goal.

Answer: B is incorrect. This activity is performed by the 'Plan' cycle component of PDCA.


Question 11:

The Data and Analysis Center for Software (DACS) specifies three general principles for software assurance which work as a framework in order to categorize various secure design principles. Which of the following principles and practices does the General Principle 1 include? Each correct answer represents a complete solution. Choose two.

A. Principle of separation of privileges, duties, and roles

B. Assume environment data is not trustworthy

C. Simplify the design

D. Principle of least privilege

Correct Answer: AD

General Principle 1, Minimize the number of high-consequence targets, includes the following principles and practices:

Principle of least privilege

Principle of separation of privileges, duties, and roles

Principle of separation of domains

Answer: B is incorrect. The "assume environment data is not trustworthy" principle is included in General Principle 2. Answer: C is incorrect. The "simplify the design" principle is included in General Principle 3.


Question 12:

In which of the following DIACAP phases is residual risk analyzed?

A. Phase 1

B. Phase 5

C. Phase 2

D. Phase 4

E. Phase 3

Correct Answer: D

The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. The Certification Determination and Accreditation phase is the third phase in the DIACAP process. Its subordinate tasks are as follows:

Analyze residual risk.

Issue certification determination.

Make accreditation decision.

Answer: A is incorrect. Phase 1 is known as Initiate and Plan IA C&A. Answer: C is incorrect. Phase 2 is used to implement and validate assigned IA controls. Answer: E is incorrect. Phase 3 is used to make certification determination and accreditation decisions. Answer: B is incorrect. Phase 5 is known as Decommission System and is used to conduct activities related to the disposition of the system data and objects.


Question 13:

Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose three.

A. Identifying the risk

B. Assessing the impact of potential threats

C. Identifying the accused

D. Finding an economic balance between the impact of the risk and the cost of the countermeasure

Correct Answer: ABD

There are three goals of risk management, as follows:

Identifying the risk

Assessing the impact of potential threats

Finding an economic balance between the impact of the risk and the cost of the countermeasure

Answer: C is incorrect. Identifying the accused does not come under the scope of risk management.


Question 14:

In which of the following deployment models of cloud is the cloud infrastructure operated exclusively for an organization?

A. Public cloud

B. Community cloud

C. Private cloud

D. Hybrid cloud

Correct Answer: C

In a private cloud, the cloud infrastructure is operated exclusively for an organization.

The private cloud infrastructure is administered by the organization or a third party, and may exist on or off premises.


Question 15:

What are the subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process? Each correct answer represents a complete solution. Choose all that apply.

A. Conduct validation activities.

B. Execute and update IA implementation plan.

C. Combine validation results in DIACAP scorecard.

D. Conduct activities related to the disposition of the system data and objects.

Correct Answer: ABC

The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. The subordinate tasks of the Implement and Validate Assigned IA Control phase in the DIACAP process are as follows:

Execute and update IA implementation plan.

Conduct validation activities.

Combine validation results in the DIACAP scorecard.

Answer: D is incorrect. The activities related to the disposition of the system data and objects are conducted in the fifth phase of the DIACAP process. The fifth phase of the DIACAP process is known as Decommission System.