CSSLP - Latest Training Dumps

ISC CSSLP Practice Exam – 349 Unique Questions

Latest Questions CSSLP Guide to Prepare Free Practice Tests

NO.84 Which of the following federal agencies has the objective to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life?

National Security Agency (NSA)

National Institute of Standards and Technology (NIST)

United States Congress

Committee on National Security Systems (CNSS)

Explanation/Reference:
Explanation: The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory which is a non- regulatory agency of the United States Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. Answer D is incorrect.
The Committee on National Security Systems (CNSS) is a United States intergovernmental organization that sets policy for the security of the US security systems. The CNSS holds discussions of policy issues, sets national policy, directions, operational procedures, and guidance for the information systems operated by the U.S. Government, its contractors, or agents that contain classified information, involve intelligence activities, involve cryptographic activities related to national security, etc. Answer A is incorrect.
The National Security Agency/Central Security Service (NSA/CSS) is a crypto-logic intelligence agency of the United States government. It is administered as part of the United States Department of Defense. NSA is responsible for the collection and analysis of foreign communications and foreign signals intelligence, which involves cryptanalysis. NSA is also responsible for protecting U.S. government communications and information systems from similar agencies elsewhere, which involves cryptography. NSA is a key component of the U.S. Intelligence Community, which is headed by the Director of National Intelligence.
The Central Security Service is a co-located agency created to coordinate intelligence activities and co- operation between NSA and U.S. military cryptanalysis agencies. NSA’s work is limited to communications intelligence. It does not perform field or human intelligence activities. Answer C is incorrect. The United States Congress is the bicameral legislature of the federal government of the United States of America. It consists of the Senate and the House of Representatives. The Congress meets in the United States Capitol in Washington, D.C. Both senators and representatives are chosen through direct election. Each of the 435 members of the House of Representatives represents a district and serves a two-year term. House seats are apportioned among the states by population. The 100 Senators serve staggered six-year terms.
Each state has two senators, regardless of population. Every two years, approximately one-third of the Senate is elected at a time. The United States Congress main function is to make laws. The Office of the Law Revision Counsel organizes and publishes the United States Code (USC). It is a consolidation and codification by subject matter of the general and permanent laws of the United States.

NO.85 Which of the following penetration testing techniques automatically tests every phone line in an exchange and tries to locate modems that are attached to the network?

Demon dialing

Sniffing

Social engineering

Dumpster diving

NO.86 Martha works as a Project Leader for BlueWell Inc. She and her team have developed accounting software. The software was performing well. Recently, the software has been modified. The users of this software are now complaining about the software not working properly. Which of the following actions will she take to test the software?

Perform integration testing

Perform regression testing

Perform unit testing

Perform acceptance testing

NO.87 NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews?

Comprehensive

Significant

Abbreviated

Substantial

NO.88 Which of the following security architectures defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms?

Sherwood Applied Business Security Architecture

Enterprise architecture

Service-oriented architecture

Service-oriented modeling and architecture

Explanation/Reference:
Explanation: In computing, a service-oriented architecture (SOA) is a flexible set of design principles used during the phases of systems development and integration. A deployed SOA-based architecture will provide a loosely-integrated suite of services that can be used within multiple business domains. SOA also generally provides a way for consumers of services, such as web-based applications, to be aware of available SOA-based services. For example, several disparate departments within a company may develop and deploy SOA services in different implementation languages; their respective clients will benefit from a well understood, well defined interface to access them. XML is commonly used for interfacing with SOA services, though this is not required. SOA defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms. Rather than defining an API, SOA defines the interface in terms of protocols and functionality. An endpoint is the entry point for such an SOA implementation.

(Layer interaction in Service-oriented architecture) AnswerA is incorrect. SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for Enterprise Security Architecture and Service Management. SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited. AnswerD is incorrect. The service-oriented modeling and architecture (SOMA) includes an analysis and design method that extends traditional object-oriented and component-based analysis and design methods to include concerns relevant to and supporting SOA. AnswerB is incorrect. Enterprise architecture describes the terminology, the composition of subsystems, and their relationships with the external environment, and the guiding principles for the design and evolution of an enterprise.

NO.89 What are the various phases of the Software Assurance Acquisition process according to the U.S. Department of Defense (DoD) and Department of Homeland Security (DHS) Acquisition and Outsourcing Working Group?

Implementing, contracting, auditing, monitoring

Requirements, planning, monitoring, auditing

Planning, contracting, monitoring and acceptance, follow-on

Designing, implementing, contracting, monitoring

NO.90 Which of the following statements describe the main purposes of a Regulatory policy? Each correct answer represents a complete solution. Choose all that apply.

It acknowledges the importance of the computing resources to the business model

It provides a statement of support for information security throughout the enterprise

It ensures that an organization is following the standard procedures or base practices of operation in its specific industry.

It gives an organization the confidence that it is following the standard and accepted industry policy.

NO.91 Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle?

Phase 2, Verification

Phase 3, Validation

Phase 1, Definition

Phase 4, Post Accreditation Phase

NO.92 Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing? Each correct
answer represents a complete solution. Choose all that apply.

Open-box

Closed-box

Zero-knowledge test

Full-box

Full-knowledge test

Partial-knowledge test

NO.93 Security controls are safeguards or countermeasures to avoid, counteract, or minimize security risks.
Which of the following are types of security controls? Each correct answer represents a complete solution.
Choose all that apply.

Common controls

Hybrid controls

Storage controls

System-specific controls

NO.94 DRAG DROP
RCA (root cause analysis) is an iterative and reactive method that identifies the root cause of various incidents, and the actions required to prevent these incidents from reoccurring. RCA is classified in various categories. Choose appropriate categories and drop them in front of their respective functions.
Select and Place:

NO.95 In which of the following phases of the DITSCAP process does Security Test and Evaluation (ST&E) occur?

Phase 2

Phase 4

Phase 3

Phase 1

NO.96 Which of the following is the most secure method of authentication?

Biometrics

Username and password

Anonymous

Smart card

NO.97 Continuous Monitoring is the fourth phase of the security certification and accreditation process. What activities are performed in the Continuous Monitoring process? Each correct answer represents a complete solution. Choose all that apply.

Security accreditation decision

Security control monitoring and impact analyses of changes to the information system

Security accreditation documentation

Configuration management and control

Status reporting and documentation

NO.98 You have a storage media with some data and you make efforts to remove this data. After performing this, you analyze that the data remains present on the media. Which of the following refers to the above mentioned condition?

Object reuse

Degaussing

Residual

Data remanence

NO.99 Della work as a project manager for BlueWell Inc. A threat with a dollar value of $250,000 is expected to happen in her project and the frequency of threat occurrence per year is 0.01. What will be the annualized loss expectancy in her project?

$2,000

$2,500

$3,510

$3,500

NO.100 Which of the following are the types of intellectual property? Each correct answer represents a complete solution. Choose all that apply.

Patent

Standard

Trademark

NO.101 Which of the following techniques is used when a system performs the penetration testing with the objective of accessing unauthorized information residing inside a computer?

Biometrician

Van Eck Phreaking

Port scanning

Phreaking

NO.102 In which of the following cryptographic attacking techniques does an attacker obtain encrypted messages that have been encrypted using the same encryption algorithm?

Chosen plaintext attack

Chosen ciphertext attack

Ciphertext only attack

Known plaintext attack

NO.103 In which of the following phases of the SDLC does the software and other components of the system faithfully incorporate the design specifications and provide proper documentation and training?

Design

Evaluation and acceptance

Programming and training

Initiation

NO.104 In which of the following alternative processing sites is the backup facility maintained in a constant order, with a full complement of servers, workstations, and communication links ready to assume the primary operations responsibility?

Cold Site

Hot Site

Warm Site

Mobile Site

NO.105 What are the various benefits of a software interface according to the “Enhancing the Development Life Cycle to Produce Secure Software” document? Each correct answer represents a complete solution.
Choose three.

It modifies the implementation of a component without affecting the specifications of the interface.

It controls the accessing of a component.

It displays the implementation details of a component.

It provides a programmatic way of communication between the components that are working with different programming languages.

NO.106 Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

FITSAF

FIPS

TCSEC

SSAA

Explanation/Reference:
Explanation: Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. It was replaced with the development of the Common Criteria international standard originally published in 2005. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. AnswerD is incorrect. System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issues in December 1997, that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1- M), published in July 2000, provides additional details. Answer: A is incorrect. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. It provides an approach for federal agencies. It determines how federal agencies are meeting existing policy and establish goals. The main advantage of FITSAF is that it addresses the requirements of Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIsT). Answer: B is incorrect. The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.). Some FIPS standards were originally developed by the U.S. government. For instance, standards for encoding data (e.g., country codes), but more significantly some encryption standards, such as the Data Encryption Standard (FIPS 46-
3) and the Advanced Encryption Standard (FIPS 197). In 1994, NOAA (Noaa) began broadcasting coded signals called FIPS (Federal Information Processing System) codes along with their standard weather broadcasts from local stations. These codes identify the type of emergency and the specific geographic area (such as a county) affected by the emergency.

Exam Difficulty

When preparing for the CSSLP certification exam, the real world experience is required to stand a reasonable chance of passing the CSSLP exam. ISC recommended study material does not replace the requirement for experience. So, It is very difficult for the candidate to pass the CSSLP exam without experience.

Career Opportunities

(ISC)2 CSSLP is an ideal option for the security professionals and software development specialists because it helps fortify and validate their skills to perform the required tasks efficiently. The individuals with this certificate can explore numerous career opportunities and take up the job titles as a Security Manager, a Cybersecurity Engineer, and a Security Consultant. They can also work as Information Managers, Information Security Consultants, Testing Managers, Information Security Managers, and IT Security Analysts. Their income will depend on their role, but looking at a possible average salary, they can expect about $98,000 per year.

Correct and Up-to-date ISC CSSLP BrainDumps: https://www.trainingdump.com/ISC/CSSLP-practice-exam-dumps.html

Category CSSLP

ISC CSSLP Practice Exam – 349 Unique Questions [Q84-Q106]

Exam Difficulty

Career Opportunities