Curious about actual ISC2 CSSLP exam questions?
Here are sample ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam questions from the real exam.
Which of the following statements describe the main purposes of a Regulatory policy?
Each correct answer represents a complete solution. Choose all that apply.
Correct : C, D
The main purposes of a Regulatory policy are as follows:
It ensures that an organization follows the standard procedures or base practices of operation in its specific industry.
It gives an organization confidence that it is following the standard and accepted industry policy.
Answers A and B are incorrect. These are policy elements of a Senior Management Statement of Policy.
Audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Under which of the following controls does audit control come?
Correct : B
An audit trail or audit log comes under detective controls. Detective controls are audit controls that do not need to be restrictive. Any
control that performs a monitoring activity can likely be defined as a detective control. For example, mistakes, either
intentional or unintentional, can be made. Therefore, an additional protective control requires such companies to have their financial results
audited by an independent Certified Public Accountant. The role of this accountant is to act as an auditor. In fact, any auditor acts as a
detective control. If the organization in question has not properly followed the rules, a diligent auditor should be able to detect the deficiency,
which indicates that some control somewhere has failed.
Answer A is incorrect. Reactive or corrective controls typically work in response to a detective control, responding in such a way as to
alert on or otherwise correct an unacceptable condition. Using the example of accounting rules, either the internal Audit Committee or the SEC itself,
based on the report generated by the external auditor, will take some corrective action. In this way, they are acting as a corrective or
reactive control.
Answers C and D are incorrect. Protective or preventative controls serve to proactively define and possibly enforce acceptable
behaviors. As an example, a set of common accounting rules is defined and must be followed by any publicly traded company. Each quarter,
any particular company must publicly state its current financial standing and accounting as reflected by an application of these rules. These
accounting rules and the SEC requirements serve as protective or preventative controls.
Which of the following is generally used in packages in order to detect package or product tampering?
Correct : A
Tamper resistance is resistance to tampering by the normal users of a product, package, or system, or by others who can physically access it. It includes
simple as well as complex devices. Complex devices encrypt all information exchanged between individual chips, or render themselves inoperable.
Tamper resistance is generally used in packages in order to detect package or product tampering.
Answer B is incorrect. Tamper evident describes a process or device that makes unauthorized access to the protected object easily
detectable.
Answer D is incorrect. Tamper proofing makes computers resistant to interference. Tamper proofing measures include automatic
removal of sensitive information, automatic shutdown, and automatic physical locking.
Answer C is incorrect. Tamper Data is a tool used to view and modify HTTP or HTTPS headers and POST parameters.
In which of the following testing methods is the test engineer equipped with knowledge of the system and designs test cases or test data based on that system knowledge?
Correct : D
Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with
knowledge of the system and designs test cases or test data based on that system knowledge. The security tester typically performs graybox testing
to find vulnerabilities in software and network systems.
Answer C is incorrect. Whitebox testing is a testing technique in which an organization provides full knowledge about the infrastructure
to the testing team. The information provided by the organization often includes network diagrams, source code, and IP addressing
information for the infrastructure to be tested.
Answer A is incorrect. Integration testing is a logical extension of unit testing. It is performed to identify the problems that occur when
two or more units are combined into a component. During integration testing, a developer combines two units that have already been tested
into a component, and tests the interface between the two units. Although integration testing can be performed in various ways, the
following three approaches are generally used:
The top-down approach
The bottom-up approach
The umbrella approach
Answer B is incorrect. Regression testing can be performed any time a program needs to be modified, either to add a feature or
to fix an error. It is the process of repeating unit testing and integration testing whenever existing tests need to be run again along with
the new tests. Regression testing is performed to ensure that no existing errors reappear and no new errors are introduced.
Who amongst the following makes the final accreditation decision?
Correct : C
The DAA, also known as the Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United
States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level
of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation, or can determine that the system's
risks are not at an acceptable level and that the system is not ready to be operational.
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Ensures that the information system's configuration complies with the agency's information security policy.
Supports the information system owner/information owner in completing security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an
Information System Security Engineer are as follows:
Provides input on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief
Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks,
and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational,
financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk
and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management
(ERM) approach.