You are responsible for network and information security at a metropolitan police station. The most important concern is that unauthorized parties are not able to access data. What is this called?
Correct : A
The CIA (Confidentiality, Integrity, and Availability) triangle is concerned with three facets of security. Confidentiality is the concern that data be secure from unauthorized access.
Answers B and C are incorrect. The CIA (Confidentiality, Integrity, and Availability) triangle is concerned with three facets of security. Integrity is the concern that data not be altered without the alteration being traceable. Availability is the concern that the data, while being secured, remains readily accessible.
Answer D is incorrect. Confidentiality may be implemented with encryption, but encryption is just a technique used to obtain confidentiality.
Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
Correct : C
C&A consists of four phases in a DITSCAP assessment. These phases are the same as the NIACAP phases. The order of these phases is as follows:
1. Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This phase determines the security requirements and the level of effort necessary to achieve Certification & Accreditation (C&A).
2. Verification: The second phase confirms that the evolving or modified system complies with the information agreed upon in the SSAA (System Security Authorization Agreement). The verification phase ensures that the fully integrated system will be ready for certification testing.
3. Validation: The third phase confirms that the fully integrated system complies with the security policy. This phase follows the requirements stated in the SSAA. The objective of the validation phase is to produce the evidence required to support the DAA (Designated Approving Authority) in the accreditation process.
4. Post Accreditation: Post Accreditation is the final phase of a DITSCAP assessment, and it starts after the system has been certified and accredited for operations. This phase ensures secure system management, operation, and maintenance in order to maintain an acceptable level of residual risk.
Which of the following is NOT a responsibility of a data owner?
Correct : D
This is not a responsibility of a data owner. The data custodian (information custodian) is responsible for maintaining and protecting the data.
Answers A, B, and C are incorrect. All of these are responsibilities of a data owner.
The roles and responsibilities of a data owner are as follows:
The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.
The data owner decides upon the classification of the data that he is responsible for and alters that classification if business needs arise.
This person is also responsible for ensuring that the necessary security controls are in place, ensuring that proper access rights are being used, defining security requirements per classification and backup requirements, approving any disclosure activities, and defining user access criteria.
The data owner approves access requests or may choose to delegate this function to business unit managers. It is also the data owner who deals with security violations pertaining to the data he is responsible for protecting.
The data owner, who obviously has enough on his plate, delegates responsibility for the day-to-day maintenance of the data protection mechanisms to the data custodian.
ISO 27003 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following elements does this standard contain? Each correct answer represents a complete solution. Choose all that apply.
Correct : A, C, E, F
ISO 27003 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled 'Information Technology - Security techniques - Information security management system implementation guidance'. The ISO 27003 standard provides guidelines for implementing an ISMS (Information Security Management System). It mainly focuses on the PDCA method, along with establishing, implementing, reviewing, and improving the ISMS itself.
The ISO 27003 standard contains the following elements:
Introduction
Scope
Terms and Definitions
CSFs (Critical success factors)
Guidance on process approach
Guidance on using PDCA
Guidance on Plan Processes
Guidance on Do Processes
Guidance on Check Processes
Guidance on Act Processes
Inter-Organization Co-operation
Answer B is incorrect. This element is included in the ISO 27005 standard.
Answer D is incorrect. This element is included in the ISO 27006 standard.
John works as a security manager for SoftTech Inc. He is working with his team on the disaster recovery management plan. One of his team members has a question about the most cost-effective DRP testing plan. According to you, which of the following disaster recovery testing plans is the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?
Correct : C
The structured walk-through test is also known as the table-top exercise. In a structured walk-through test, the team members walk through the plan to identify and correct weaknesses and to determine how they will respond to emergency scenarios by stepping through the course of the plan. It is the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more challenging training exercises.
Answer A is incorrect. In a full-scale exercise, the critical systems are run at an alternate site.
Answer B is incorrect. The emergency management group and response teams actually perform their emergency response functions by walking through the test, without actually initiating recovery procedures. However, it is not very cost-effective.
Answer D is incorrect. This is a test performed when personnel walk through the evacuation route to a designated area where the procedures for accounting for personnel are tested.