CertBus is doing its best to keep the ISC Certification CSSLP exam dumps up to date. We at CertBus will provide our customers with the latest and most accurate exam questions and answers, covering every knowledge point of the ISC Certification CSSLP Certified Secure Software Lifecycle Professional Practice Test, which will help you prepare for the CSSLP exam and pass it successfully. You just need to spend a few hours studying the exam dumps.
We at CertBus have our own expert team. They selected and published the latest CSSLP preparation materials from the ISC Official Exam-Center: http://www.certgod.com/CSSLP.html
QUESTION NO: 9
What are the various activities performed in the planning phase of the Software Assurance
Acquisition process? Each correct answer represents a complete solution. Choose all that apply.
A. Develop software requirements.
B. Implement change control procedures.
C. Develop evaluation criteria and evaluation plan.
D. Create acquisition strategy.
Answer: A,C,D
Explanation: The various activities performed in the planning phase of the Software Assurance
Acquisition process are as follows: determine software product or service requirements; identify
associated risks; develop software requirements; create the acquisition strategy; develop evaluation
criteria and an evaluation plan; define the development and use of SwA due diligence questionnaires.
Answer: B is incorrect. This activity is performed in the monitoring and acceptance phase of the
Software Assurance acquisition process.
QUESTION NO: 5
Which of the following roles is also known as the accreditor?
A. Data owner
B. Chief Risk Officer
C. Chief Information Officer
D. Designated Approving Authority
Answer: D
Explanation: Designated Approving Authority (DAA) is also known as the accreditor. Answer: A is
incorrect. The data owner (information owner) is usually a member of management, in charge of a
specific business unit, and is ultimately responsible for the protection and use of a specific subset
of information. Answer: B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk
Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a
corporation is the executive accountable for enabling the efficient and effective governance of
significant risks, and related opportunities, to a business and its various segments. Risks are
commonly categorized as strategic, reputational, operational, financial, or compliance-related.
CROs are accountable to the Executive Committee and the Board for enabling the business to
balance risk and reward. In more complex organizations, they are generally responsible for
coordinating the organization’s Enterprise Risk Management (ERM) approach. Answer: C is
incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title
commonly given to the most senior executive in an enterprise responsible for the information
technology and computer systems that support enterprise goals. The CIO plays the role of a
leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In
military organizations, they report to the commanding officer.
QUESTION NO: 2
The National Information Assurance Certification and Accreditation Process (NIACAP) is the
minimum standard process for the certification and accreditation of computer and
telecommunications systems that handle U.S. national security information. Which of the following
participants are required in a NIACAP security assessment? Each correct answer represents a
part of the solution. Choose all that apply.
A. Certification agent
B. Designated Approving Authority
C. IS program manager
D. Information Assurance Manager
E. User representative
Answer: A,B,C,E
Explanation: The NIACAP roles are nearly the same as the DITSCAP roles. Four minimum
participants (roles) are required to perform a NIACAP security assessment: IS program manager:
The IS program manager is the primary authorization advocate. He is responsible for the
Information Systems (IS) throughout the life cycle of the system development. Designated
Approving Authority (DAA): The Designated Approving Authority (DAA), in the United States
Department of Defense, is the official with the authority to formally assume responsibility for
operating a system at an acceptable level of risk. Certification agent: The certification agent is also
referred to as the certifier. He provides the technical expertise to conduct the certification
throughout the system life cycle. User representative: The user representative focuses on system
availability, access, integrity, functionality, performance, and confidentiality in a Certification and
Accreditation (C&A) process. Answer: D is incorrect. The Information Assurance Manager (IAM) is one
of the key participants in the DIACAP process.
QUESTION NO: 6
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance
Categories (MAC) and confidentiality levels. Which of the following MAC levels requires high
integrity and medium availability?
A. MAC III
B. MAC IV
C. MAC I
D. MAC II
Answer: D
Explanation: The various MAC levels are as follows: MAC I: It states that the systems have high
availability and high integrity. MAC II: It states that the systems have high integrity and medium
availability. MAC III: It states that the systems have basic integrity and availability.
QUESTION NO: 11
Which of the following models uses a directed graph to specify the rights that a subject can
transfer to an object or that a subject can take from another subject?
A. Take-Grant Protection Model
B. Biba Integrity Model
C. Bell-LaPadula Model
D. Access Matrix
Answer: A
Explanation: The take-grant protection model is a formal model used in the field of computer
security to establish or disprove the safety of a given computer system that follows specific rules. It
shows that for such systems the safety question is decidable in linear time, even though it is
undecidable in general. The model represents a system as a directed graph, where vertices are either
subjects or objects. The edges between them are labeled and the label indicates the rights that the
source of the edge has over the destination. Two rights occur in every instance of the model: take
and grant. They play a special role in the graph rewriting rules describing admissible changes of
the graph. Answer: D is incorrect. The access matrix is a straightforward approach that provides
access rights to subjects for objects. Answer: C is incorrect. The Bell-LaPadula model deals only
with the confidentiality of classified material. It does not address integrity or availability. Answer: B
is incorrect. The Biba integrity model was developed as an analog to the Bell-LaPadula confidentiality
model and then became more sophisticated to address additional integrity requirements.
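As an added illustration of the take and grant rewriting rules (example code written for this page, not from the exam material or any reference implementation), the following Python models the protection graph and rejects any transfer whose precondition does not hold; the subject and object names are constructed sample data, and the create and remove rules are omitted:

```python
# Added example (not from the original page): a minimal Take-Grant protection
# graph with the take and grant rewriting rules the question refers to.
# Vertices are subjects or objects; each directed edge carries a set of rights.
TAKE, GRANT = "t", "g"


class TakeGrantGraph:
    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.rights = {}  # rights[src][dst] -> set of right labels

    def _edge(self, src, dst):
        return self.rights.setdefault(src, {}).setdefault(dst, set())

    def has(self, src, dst, right):
        return right in self.rights.get(src, {}).get(dst, set())

    def _require(self, cond, msg):
        if not cond:  # a violated precondition means the rewrite is rejected
            raise PermissionError(msg)

    def take(self, actor, via, target, right):
        # take: actor holds 't' over via and via holds right over target,
        # so actor may copy that right onto its own edge to target
        self._require(actor in self.subjects, f"{actor} is not a subject")
        self._require(self.has(actor, via, TAKE), f"{actor} lacks t over {via}")
        self._require(self.has(via, target, right), f"{via} lacks {right} over {target}")
        self._edge(actor, target).add(right)

    def grant(self, actor, recipient, target, right):
        # grant: actor holds 'g' over recipient and right over target,
        # so actor may give recipient that right over target
        self._require(actor in self.subjects, f"{actor} is not a subject")
        self._require(self.has(actor, recipient, GRANT), f"{actor} lacks g over {recipient}")
        self._require(self.has(actor, target, right), f"{actor} lacks {right} over {target}")
        self._edge(recipient, target).add(right)


def sample_graph():
    # Constructed scenario (sample data, not from the page): alice can take from
    # bob and grant to carol; bob reads and writes the "ledger" object.
    g = TakeGrantGraph()
    g.subjects.update({"alice", "bob", "carol"})
    g.objects.add("ledger")
    g._edge("alice", "bob").add(TAKE)
    g._edge("alice", "carol").add(GRANT)
    g._edge("bob", "ledger").update({"r", "w"})
    return g
```

Running the two rules in sequence on the sample graph shows how a read right flows from bob to alice and on to carol, while a subject without the take right over bob cannot obtain bob's write right.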
QUESTION NO: 7
Microsoft software security expert Michael Howard defines some heuristics for determining code
review in “A Process for Performing Security Code Reviews”. Which of the following heuristics
increase the application’s attack surface? Each correct answer represents a complete solution.
Choose all that apply.
A. Code written in C/C++/assembly language
B. Code listening on a globally accessible network interface
C. Code that changes frequently
D. Anonymously accessible code
E. Code that runs by default
F. Code that runs in elevated context
Answer: B,D,E,F
Explanation: Microsoft software security expert Michael Howard defines the following heuristics
for determining code review in “A Process for Performing Security Code Reviews”: Old code:
Newer code is written with a better understanding of software security and has fewer
vulnerabilities; older code must be checked more deeply. Code that runs by default: It must have
high quality and must be checked more deeply than code that does not execute by default. Code
that runs by default increases the application’s attack surface.
Code that runs in elevated context: It must have higher quality. Code that runs with elevated
privileges must be checked deeply and increases the application’s attack surface. Anonymously
accessible code: It must be checked more deeply than code that only authorized users and
administrators can access, and it increases the application’s attack surface. Code listening on a
globally accessible network interface: It must be checked deeply for security vulnerabilities and
increases the application’s attack surface. Code written in C/C++/assembly language: It is prone to
security vulnerabilities, for example, buffer overruns. Code with a history of security vulnerabilities:
It is likely to contain additional vulnerabilities unless concerted efforts are made to remove them.
Code that handles sensitive data: It must be checked deeply to ensure that data is protected from
unintentional disclosure. Complex code: It is likely to contain undiscovered errors because complex
code is more difficult to analyze manually and programmatically. Code that changes frequently: It
tends to have more security vulnerabilities than code that does not change frequently.
QUESTION NO: 8
Which of the following cryptographic system services ensures that information will not be disclosed
to any unauthorized person on a local network?
A. Authentication
B. Integrity
C. Non-repudiation
D. Confidentiality
Answer: D
Explanation: The confidentiality service of a cryptographic system ensures that information will
not be disclosed to any unauthorized person on a local network.
QUESTION NO: 3 DRAG DROP
Drop the appropriate value to complete the formula.
Answer:
Explanation:
A Single Loss Expectancy (SLE) is the dollar ($) value assigned to a single event. The SLE can be
calculated by the following formula: SLE = Asset Value ($) X Exposure Factor (EF). The Exposure
Factor (EF) represents the percentage of the asset value lost when a threat occurs. The EF is
required to calculate the Single Loss Expectancy (SLE). The Annualized Loss Expectancy (ALE)
can be calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of
Occurrence (ARO): Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) X
Annualized Rate of Occurrence (ARO). The Annualized Rate of Occurrence (ARO) is a number that
represents the estimated frequency with which a threat is expected to occur. It is calculated based
upon the probability of the event occurring and the number of employees that could make that
event occur.
QUESTION NO: 12
You are the project manager for GHY Project and are working to create a risk response for a
negative risk. You and the project team have identified the risk that the project may not complete
on time, as required by the management, due to the creation of the user guide for the software
you’re creating. You have elected to hire an external writer in order to satisfy the requirements and
to alleviate the risk event. What type of risk response have you elected to use in this instance?
A. Transference
B. Exploiting
C. Avoidance
D. Sharing
Answer: A
Explanation: This is an example of transference, as you have transferred the risk to a third party.
Transference is almost always used for a negative risk event, and it usually requires a contractual
relationship.
QUESTION NO: 4
Which of the following penetration testing techniques automatically tests every phone line in an
exchange and tries to locate modems that are attached to the network?
A. Demon dialing
B. Sniffing
C. Social engineering
D. Dumpster diving
Answer: A
Explanation: The demon dialing technique automatically tests every phone line in an exchange
and tries to locate modems that are attached to the network. Information about these modems can
then be used to attempt external unauthorized access. Answer: B is incorrect. In sniffing, a
protocol analyzer is used to capture data packets that are later decoded to collect information such
as passwords or infrastructure configurations. Answer: D is incorrect. The dumpster diving technique
is used to search paper disposal areas for unshredded or otherwise improperly disposed-of
reports. Answer: C is incorrect. Social engineering is the most commonly used technique of all:
obtaining information (such as passwords) simply by asking for it.
CertBus exam braindumps are pass guaranteed. We guarantee that you will pass the CSSLP exam with our ISC materials. The CertBus Certified Secure Software Lifecycle Professional Practice Test exam PDF and VCE are the latest and most accurate. We have the best ISC experts on our team to make sure the CertBus Certified Secure Software Lifecycle Professional Practice Test exam questions and answers are the most valid. The CertBus Certified Secure Software Lifecycle Professional Practice Test exam dumps will help you become an ISC specialist, clear your CSSLP exam and achieve final success.
CSSLP Latest questions and answers on Google Drive(100% Free Download): https://drive.google.com/file/d/0B_3QX8HGRR1mcUhLNzJoOTBCeGM/view?usp=sharing
CSSLP ISC exam dumps (100% Pass Guaranteed) from CertBus: http://www.certgod.com/CSSLP.html [100% Exam Pass Guaranteed]
Why choose CertBus?
Millions of interested professionals can reach their goal of success in exams with certgod.com products, which are available, affordable, updated and of the best quality to overcome the difficulties of any course outline. The Questions and Answers material is updated in a highly professional manner on a regular basis, and material is released periodically and is available in the testing centers with which we maintain a relationship in order to obtain the latest material.