CSSLP Exam Questions

Total 348 Questions

Last Updated: 16-Dec-2024

Topic 1: Volume A

A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark's financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?

A. Trademark law
B. Security law
C. Privacy law
D. Copyright law

Answer: C. Privacy law

Explanation: The credit card issuing company has violated the Privacy law. According to the Internet Privacy law, a company cannot provide its customers' financial and personal details to other companies. Answer: A is incorrect. Trademark laws facilitate the protection of trademarks around the world. Answer: B is incorrect. There is no law such as Security law. Answer: D is incorrect. The Copyright law protects original works or creations of authorship, including literary, dramatic, musical, artistic, and certain other intellectual works.

Which of the following coding practices are helpful in simplifying code? Each correct answer represents a complete solution. Choose all that apply.

A. Programmers should use multiple small and simple functions rather than a single complex function.
B. Software should avoid ambiguities and hidden assumptions, recursions, and GoTo statements.
C. Programmers should implement high-consequence functions in minimum required lines of code and follow proper coding standards.
D. Processes should have multiple entry and exit points.

Answer: A, B, and C.

Explanation: The various coding practices that are helpful in simplifying the code are as follows. Programmers should implement high-consequence functions in the minimum required lines of code and follow the proper coding standards. Software should implement the functions that are defined in the software specification. Software should avoid ambiguities and hidden assumptions, recursion, and GoTo statements. Programmers should use multiple small and simple functions rather than a single complex function. Processes should have only one entry point and the minimum number of exit points. Interdependencies should be kept to a minimum so that a process module or component can be disabled when it is not needed, or replaced when it is found insecure or a better alternative is available, without disturbing the software operations. Programmers should use object-oriented techniques, such as inheritance, encapsulation, and polymorphism, to keep the code simple and small. Answer: D is incorrect. Processes should have only one entry point and the minimum number of exit points.

Which of the following processes culminates in an agreement between key players that a system in its current configuration and operation provides adequate protection controls?

A. Information Assurance (IA)
B. Information systems security engineering (ISSE)
C. Certification and accreditation (C&A)
D. Risk Management

Answer: C. Certification and accreditation (C&A)

Explanation: Certification and accreditation (C&A) is a set of processes that culminate in an agreement between key players that a system in its current configuration and operation provides adequate protection controls. Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Answer: D is incorrect. Risk management is a set of processes that ensures a risk-based approach is used to determine adequate, cost-effective security for a system. Answer: A is incorrect. Information assurance (IA) is the process of organizing and monitoring information-related risks. It ensures that only the approved users have access to the approved information at the approved time. IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These objectives are applicable whether the information is in storage, processing, or transit, and whether or not it is threatened by an attack. Answer: B is incorrect. ISSE is a set of processes and solutions used during all phases of a system's life cycle to meet the system's information protection needs.

Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

A. Security operations
B. Maintenance of the SSAA
C. Compliance validation
D. Change management
E. System operations
F. Continue to review and refine the SSAA

Answer: A, B, C, D, and E.

Explanation: Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. The goal of this phase is to continue to operate and manage the system and to ensure that it will maintain an acceptable level of residual risk. The process activities of this phase are as follows: system operations, security operations, maintenance of the SSAA, change management, and compliance validation. Answer: F is incorrect. It is a Phase 3 activity.

Which of the following is an example of over-the-air (OTA) provisioning in digital rights management?

A. Use of shared secrets to initiate or rebuild trust.
B. Use of software to meet the deployment goals.
C. Use of concealment to avoid tampering attacks.
D. Use of device properties for unique identification.

Answer: A. Use of shared secrets to initiate or rebuild trust.

Explanation: Over-the-air provisioning is a mechanism to deploy MIDlet suites over a network. It is a method of distributing MIDlet suites. MIDlet suite providers install their MIDlet suites on Web servers and provide a hypertext link for downloading. A user can use this link to download the MIDlet suite either through the Internet microbrowser or through WAP on his device. Over-the-air provisioning is required for end-to-end encryption or other security purposes in order to deliver copyrighted software to a mobile device; an example is the use of shared secrets to initiate or rebuild trust. Answer: C and D are incorrect. The use of concealment to avoid tampering attacks and the use of device properties for unique identification are security challenges in digital rights management (DRM). Answer: B is incorrect. The use of software and hardware to meet the deployment goals is a distracter.

Joseph works as a Software Developer for WebTech Inc. He wants to protect the algorithms and the techniques of programming that he uses in developing an application. Which of the following laws are used to protect a part of software?

A. Code Security law
B. Patent laws
C. Trademark laws
D. Copyright laws

Answer: B. Patent laws

Explanation: Patent laws are used to protect software against duplication. Software patents cover the algorithms and techniques that are used in creating the software; they do not cover the entire program. Patents give the author the right to make and sell his product. The term of a patent is limited, though, i.e., the author of the product has the right to use the patent for only a specific length of time. Answer: D is incorrect. Copyright laws protect original works or creations of authorship, including literary, dramatic, musical, artistic, and certain other intellectual works.

Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?

A. The custodian makes the initial information classification assignments, and the operations manager implements the scheme.
B. The data owner implements the information classification scheme after the initial assignment by the custodian.
C. The custodian implements the information classification scheme after the initial assignment by the operations manager.
D. The data custodian implements the information classification scheme after the initial assignment by the data owner.

Answer: D. The data custodian implements the information classification scheme after the initial assignment by the data owner.

Explanation: The data owner is responsible for ensuring that the appropriate security controls are in place, for assigning the initial classification to the data to be protected, for approving access requests from other parts of the organization, and for periodically reviewing the data classifications and access rights. Data owners are primarily responsible for determining the data's sensitivity or classification levels, whereas the data custodian has the responsibility for backup, retention, and recovery of data. The data owner delegates these responsibilities to the custodian. Answer: A, B, and C are incorrect. These are not valid answers.

Which of the following models uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject?

A. Take-Grant Protection Model
B. Biba Integrity Model
C. Bell-LaPadula Model
D. Access Matrix

Answer: A. Take-Grant Protection Model

Explanation: The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that for specific systems the question of safety is decidable in linear time, whereas in general it is undecidable. The model represents a system as a directed graph, where vertices are either subjects or objects. The edges between them are labeled, and the label indicates the rights that the source of the edge has over the destination. Two rights occur in every instance of the model: take and grant. They play a special role in the graph rewriting rules describing admissible changes of the graph. Answer: D is incorrect. The access matrix is a straightforward approach that provides access rights to subjects for objects. Answer: C is incorrect. The Bell-LaPadula model deals only with the confidentiality of classified material. It does not address integrity or availability. Answer: B is incorrect. The Biba integrity model was developed as an analog to the Bell-LaPadula confidentiality model and then became more sophisticated to address additional integrity requirements.

Which of the following phases of DITSCAP includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle?

A. Phase 3, Validation
B. Phase 1, Definition
C. Phase 2, Verification
D. Phase 4, Post Accreditation Phase

Answer: D. Phase 4, Post Accreditation Phase

Explanation: Phase 4, the Post Accreditation Phase of DITSCAP, includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment and for addressing the changing threats that a system faces throughout its life cycle. Answer: B is incorrect. Phase 1, Definition, focuses on understanding the mission, the environment, and the architecture in order to determine the security requirements and level of effort necessary to achieve accreditation. Answer: C is incorrect. Phase 2, Verification, verifies the evolving or modified system's compliance with the information agreed on in the System Security Authorization Agreement (SSAA). Answer: A is incorrect. Phase 3, Validation, validates the compliance of a fully integrated system with the information stated in the SSAA.

You are the project manager of the NNN project for your company. You and the project team are working together to plan the risk responses for the project. You feel that the team has successfully completed the risk response planning, and now you must initiate the next risk process. Which of the following risk processes is repeated after the plan risk responses process to determine if the overall project risk has been satisfactorily decreased?

A. Quantitative risk analysis
B. Risk identification
C. Risk response implementation
D. Qualitative risk analysis

Answer: A. Quantitative risk analysis

Explanation: The quantitative risk analysis process is repeated after the plan risk responses process to determine if the overall project risk has been satisfactorily decreased. Answer: D is incorrect. Qualitative risk analysis is not repeated after the plan risk responses process. Answer: B is incorrect. Risk identification is an ongoing process that happens throughout the project. Answer: C is incorrect. Risk response implementation is not a project management process.