Free CSSLP Exam Files Verified & Correct Answers Downloaded Instantly [Q113-Q137]

Rate this post

Free CSSLP Exam Files Verified & Correct Answers Downloaded Instantly

Instant Download CSSLP Dumps Q&As Provide PDF&Test Engine

Secure Software Testing (14%):

Track and classify security errors;
Establish security test cases;
Secure test data;
Validate documentations;
Develop a strategy and plan for security testing;

Career Opportunities

(ISC)2 CSSLP is an ideal option for the security professionals and software development specialists because it helps fortify and validate their skills to perform the required tasks efficiently. The individuals with this certificate can explore numerous career opportunities and take up the job titles as a Security Manager, a Cybersecurity Engineer, and a Security Consultant. They can also work as Information Managers, Information Security Consultants, Testing Managers, Information Security Managers, and IT Security Analysts. Their income will depend on their role, but looking at a possible average salary, they can expect about $98,000 per year.

QUESTION 113
Which of the following intrusion detection systems (IDS) monitors network traffic and compares it against an established baseline?

File-based

Network-based

Anomaly-based

Signature-based

QUESTION 114
In which of the following types of tests are the disaster recovery checklists distributed to the members of disaster recovery team and asked to review the assigned checklist?

Parallel test

Simulation test

Full-interruption test

Checklist test

Explanation/Reference:
Explanation: A checklist test is a test in which the disaster recovery checklists are distributed to the members of the disaster recovery team. All members are asked to review the assigned checklist. The checklist test is a simple test and it is easy to conduct this test. It allows to accomplish the following three goals: It ensures that the employees are aware of their responsibilities and they have the refreshed knowledge. It provides an individual with an opportunity to review the checklists for obsolete information and update any items that require modification during the changes in the organization. It ensures that the assigned members of disaster recovery team are still working for the organization. Answer: B is incorrect.
A simulation test is a method used to test the disaster recovery plans. It operates just like a structured walk- through test. In the simulation test, the members of a disaster recovery team present with a disaster scenario and then, discuss on appropriate responses. These suggested responses are measured and some of them are taken by the team. The range of the simulation test should be defined carefully for avoiding excessive disruption of normal business activities. Answer: A is incorrect. A parallel test includes the next level in the testing procedure, and relocates the employees to an alternate recovery site and implements site activation procedures. These employees present with their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery sites have full responsibilities to conduct the day-to-day organization’s business. Answer: C is incorrect. A full-interruption test includes the operations that shut down at the primary site and are shifted to the recovery site according to the disaster recovery plan. It operates just like a parallel test. The full-interruption test is very expensive and difficult to arrange. Sometimes, it causes a major disruption of operations if the test fails.

QUESTION 115
Which of the following tiers addresses risks from an information system perspective?

Tier 0

Tier 3

Tier 2

Tier 1

QUESTION 116
Which of the following scanning techniques helps to ensure that the standard software configuration is currently with the latest security patches and software, and helps to locate uncontrolled or unauthorized software?

Port Scanning

Discovery Scanning

Server Scanning

Workstation Scanning

QUESTION 117
The organization level is the Tier 1 and it addresses risks from an organizational perspective. What are the various Tier 1 activities? Each correct answer represents a complete solution. Choose all that apply.

The organization plans to use the degree and type of oversight, to ensure that the risk management strategy is being effectively carried out.

The level of risk tolerance.

The techniques and methodologies an organization plans to employ, to evaluate information system-related security risks.

The RMF primarily operates at Tier 1.

QUESTION 118
Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?

Information Assurance (IA)

Information systems security engineering (ISSE)

Certification and accreditation (C&A)

Risk Management

Explanation/Reference:
Explanation: Certification and accreditation (C&A) is a set of processes that culminate in an agreement between key players that a system in its current configuration and operation provides adequate protection controls. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed- upon set of security controls. Answer: D is incorrect. Risk management is a set of processes that ensures a risk-based approach is used to determine adequate, cost- effective security for a system. Answer: A is incorrect. Information assurance (IA) is the process of organizing and monitoring information-related risks.
It ensures that only the approved users have access to the approved information at the approved time. IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These objectives are applicable whether the information is in storage, processing, or transit, and whether threatened by an attack. Answer: B is incorrect. ISSE is a set of processes and solutions used during all phases of a system’s life cycle to meet the system’s information protection needs.

QUESTION 119
Digital rights management (DRM) consists of compliance and robustness rules. Which of the following features does the robustness rule have? Each correct answer represents a complete solution. Choose three.

It specifies the various levels of robustness that are needed for asset security.

It specifies minimum techniques for asset security.

It specifies the behaviors of the DRM implementation and applications accessing the implementation.

It contains assets, such as device key, content key, algorithm, and profiling data.

QUESTION 120
An assistant from the HR Department calls you to ask the Service Hours & Maintenance Slots for your ERP system. In which document will you most probably find this information?

Service Level Agreement

Release Policy

Service Level Requirements

Underpinning Contract

QUESTION 121
You work as a Security Manager for Tech Perfect Inc. You have set up a SIEM server for the following purposes: Analyze the data from different log sources Correlate the events among the log entries Identify and prioritize significant events Initiate responses to events if required One of your log monitoring staff wants to know the features of SIEM product that will help them in these purposes. What features will you recommend? Each correct answer represents a complete solution. Choose all that apply.

Asset information storage and correlation

Transmission confidentiality protection

Incident tracking and reporting

Security knowledge base

Graphical user interface

QUESTION 122
There are seven risks responses that a project manager can choose from. Which risk response is appropriate for both positive and negative risk events?

Acceptance

Transference

Sharing

Mitigation

QUESTION 123
In digital rights management, the level of robustness depends on the various types of tools and attacks to which they must be resistant or immune. Which of the following types of tools are expensive, require skill, and are not easily available?

Hand tools

Widely available tools

Specialized tools

Professional tools

QUESTION 124
Which of the following types of attacks is targeting a Web server with multiple compromised computers that are simultaneously sending hundreds of FIN packets with spoofed IP source IP addresses?

DDoS attack

Evasion attack

Insertion attack

Dictionary attack

QUESTION 125
The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.

Facilitating the sharing of security risk-related information among authorizing officials

Preserving high-level communications and working group relationships in an organization

Establishing effective continuous monitoring program for the organization

Proposing the information technology needed by an enterprise to achieve its goals and then working within a budget to implement the plan

QUESTION 126
Which of the following is an attack with IP fragments that cannot be reassembled?

Password guessing attack

Teardrop attack

Dictionary attack

Smurf attack

QUESTION 127
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?

Level 4

Level 5

Level 2

Level 3

Level 1

QUESTION 128
You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?

NIST Special Publication 800-60

NIST Special Publication 800-53

NIST Special Publication 800-37

NIST Special Publication 800-59

QUESTION 129
You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?

Avoidance

Acceptance

Mitigation

Transference

QUESTION 130
John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. In order to do so, he performs the following steps of the pre-attack phase successfully: Information gathering Determination of network range Identification of active systems Location of open ports and applications Now, which of the following tasks should he perform next?

Perform OS fingerprinting on the We-are-secure network.

Map the network of We-are-secure Inc.

Install a backdoor to log in remotely on the We-are-secure server.

Fingerprint the services running on the we-are-secure network.

QUESTION 131
In which of the following DIACAP phases is residual risk analyzed?

Phase 1

Phase 5

Phase 2

Phase 4

Phase 3

QUESTION 132
The Project Risk Management knowledge area focuses on which of the following processes? Each correct answer represents a complete solution. Choose all that apply.

Risk Monitoring and Control

Risk Management Planning

Quantitative Risk Analysis

Potential Risk Monitoring

QUESTION 133
Bill is the project manager of the JKH Project. He and the project team have identified a risk event in the project with a high probability of occurrence and the risk event has a high cost impact on the project. Bill discusses the risk event with Virginia, the primary project customer, and she decides that the requirements surrounding the risk event should be removed from the project. The removal of the requirements does affect the project scope, but it can release the project from the high risk exposure. What risk response has been enacted in this project?

Mitigation

Transference

Acceptance

Avoidance

QUESTION 134
You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company’s network, you are facing problems in searching the faults and other entities that belong to it. Which of the following risks may occur due to the existence of these problems?

Residual risk

Secondary risk

Detection risk

Inherent risk

QUESTION 135
Which of the following are the important areas addressed by a software system’s security policy? Each correct answer represents a complete solution. Choose all that apply.

Identification and authentication

Punctuality

Data protection

Accountability

Scalability

Access control

QUESTION 136
John works as a systems engineer for BlueWell Inc. He has modified the software, and wants to retest the application to ensure that bugs have been fixed or not. Which of the following tests should John use to accomplish the task?

Reliability test

Functional test

Performance test

Regression test

QUESTION 137
You work as a systems engineer for BlueWell Inc. Which of the following tools will you use to look outside your own organization to examine how others achieve their performance levels, and what processes they use to reach those levels?

Benchmarking

Six Sigma

ISO 9001:2000

SEI-CMM

Explanation/Reference:
Explanation: Benchmarking is the tool used by system assessment process to provide a point of reference by which performance measurements can be reviewed with respect to other organizations. Benchmarking is also recognized as Best Practice Benchmarking or Process Benchmarking. It is a process used in management and mostly useful for strategic management. It is the process of comparing the business processes and performance metrics including cost, cycle time, productivity, or quality to another that is widely considered to be an industry standard benchmark or best practice. It allows organizations to develop plans on how to implement best practice with the aim of increasing some aspect of performance.
Benchmarking might be a one-time event, although it is frequently treated as a continual process in which organizations continually seek out to challenge their practices. It allows organizations to develop plans on how to make improvements or adapt specific best practices, usually with the aim of increasing some aspect of performance. Answer: C is incorrect. The ISO 9001:2000 standard combines the three standards
9001, 9002, and 9003 into one, called 9001. Design and development procedures are required only if a company does in fact engage in the creation of new products. The 2000 version sought to make a radical change in thinking by actually placing the concept of process management front and center (“Process management” was the monitoring and optimizing of a company’s tasks and activities, instead of just inspecting the final product). The ISO 9001:2000 version also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics numerical measurement of the effectiveness of tasks and activities. Expectations of continual process improvement and tracking customer satisfaction were made explicit. Answer: B is incorrect. Six Sigma is a business management strategy, initially implemented by Motorola. As of 2009 it enjoys widespread application in many sectors of industry, although its application is not without controversy. Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects and variability in manufacturing and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization (“Black Belts”, “Green Belts”, etc.) who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets (cost reduction or profit increase).
The often used Six Sigma symbol is as follows:

Answer D is incorrect. Capability Maturity Model Integration (CMMI) was created by Software Engineering
Institute (SEI). CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. It can be used to guide process improvement across a project, a division, or an entire organization. CMMI can help integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.
CMMI is now the de facto standard for measuring the maturity of any process. Organizations can be assessed against the CMMI model using Standard CMMI Appraisal Method for Process Improvement (SCAMPI).