2023 SSCP exam torrent SSCP Study Guide [Q26-Q49]


The SSCP certification exam covers seven domains: Access Controls; Security Operations and Administration; Risk Identification, Monitoring, and Analysis; Incident Response and Recovery; Cryptography; Network and Communications Security; and Systems and Application Security. The exam is intended for professionals with at least one year of cumulative paid work experience in one or more of these domains.


Career Prospects

Obtaining the (ISC)2 SSCP certification means following the path that will change your career. The candidates with this certificate can take up the job titles of Database Administrators, Security Analysts, Security Administrators, Security Specialists/Consultants, Network Security Engineers, System Engineers, System Administrators, and Network/Systems Analysts, among others. The salary outlook for this certification is an average of $86,000 per annum.

 

NEW QUESTION # 26
Which of the following statements is NOT true of IPSec Transport mode?

  • A. Set-up when end-point is host or communications terminates at end-points
  • B. When ESP is used for the security protocol, the hash is only applied to the upper layer protocols contained in the packet
  • C. It is required for gateways providing access to internal systems
  • D. If used in gateway-to-host communication, gateway must act as host

Answer: C

Explanation:
Transport mode protects only the payload of the original IP packet and is used between end hosts (or a gateway that is itself the communicating endpoint, i.e. acting as a host). A gateway that provides access to internal systems uses tunnel mode, which encapsulates the entire original packet inside a new IP header; tunnel mode, not transport mode, is what such gateways require, so statement C is the false one. With ESP in transport mode the integrity check value covers the ESP header and the upper-layer payload but not the outer IP header, which is why statement B is true.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.


NEW QUESTION # 27
The general philosophy for DMZ's is that:

  • A. any system on the DMZ can be compromized because it's accessible from the Internet.
  • B. any system on the DMZ cannot be compromized because it's not accessible from the Internet.
  • C. some systems on the DMZ can be compromized because they are accessible from the Internet.
  • D. any system on the DMZ cannot be compromized because it's by definition 100 percent safe and not accessible from the Internet.

Answer: A

Explanation:
Because the DMZ systems are accessible from the Internet, they are more at risk for attack and compromise and must be hardened appropriately.
"Any system on the DMZ cannot be compromised because it's not accessible from the Internet" is incorrect. The reason a system is placed in the DMZ is so it can be accessible from the Internet.
"Some systems on the DMZ can be compromised because they are accessible from the Internet" is incorrect. All systems in the DMZ face an increased risk of attack and compromise because they are accessible from the Internet.
"Any system on the DMZ cannot be compromised because it's by definition 100 percent safe and not accessible from the Internet" is incorrect. Again, a system is placed in the DMZ because it must be accessible from the Internet.
References:
CBK, p. 434; AIO3, p. 483


NEW QUESTION # 28
What can a packet filtering firewall also be called?

  • A. a sniffing router
  • B. a scanning router
  • C. a screening router
  • D. a shielding router

Answer: C

Explanation:
Section: Network and Telecommunications
Explanation/Reference:
While neither CBK nor AIO3 use the term "screening router," they both discuss how the packet filtering capabilities of a router can be used to block traffic much like a packet filtering firewall. Krutz and Vines use this term on p. 90.
"A scanning router" is incorrect. This is a nonsense term to distract you.
"A shielding router" is incorrect. This is a nonsense term to distract you.
"A sniffing router" is incorrect. This is a nonsense term to distract you.
References:
CBK, p. 433
AIO3, pp.484 - 485
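Worked example for questions 27 and 28 (added here; it is not part of the study guide or of the CBK/AIO references it cites): a screening router's packet filter placed in front of a DMZ. The address ranges, host addresses and rule set are constructed for illustration. The rules express the DMZ philosophy in filter form: the web and mail hosts are reachable from the Internet (and therefore exposed), while the DMZ is never allowed to open connections into the internal network.

```python
"""A screening router's packet filter in front of a DMZ.

Added example, not from the study guide or the CBK/AIO references. The
address ranges and rule set are constructed; they show the usual DMZ
philosophy in rule form: Internet-facing services are reachable (and so
exposed), while the DMZ is never allowed to initiate connections into the
internal network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None        # None matches any destination port
    established: bool = False          # only match TCP segments with ACK set


def rule(action, proto, src, dst, dport=None, established=False):
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), dport, established)


INTERNET = "0.0.0.0/0"
DMZ = "203.0.113.0/24"
INTERNAL = "10.0.0.0/8"

# Ordered, first match wins, implicit deny at the end (as on a router ACL).
SCREENING_RULES = [
    rule("permit", "tcp", INTERNET, "203.0.113.10/32", 443),      # public web server
    rule("permit", "tcp", INTERNET, "203.0.113.25/32", 25),       # inbound mail relay
    rule("permit", "tcp", DMZ, INTERNAL, established=True),       # replies to sessions opened from inside
    rule("deny",   "any", DMZ, INTERNAL),                         # a compromised DMZ host stops here
    rule("permit", "tcp", INTERNAL, DMZ),                         # administration from inside
    rule("deny",   "any", INTERNET, INTERNAL),                    # no direct path to internal systems
]


def evaluate(rules, proto, src, dst, dport=None, ack=False):
    """Stateless filter: returns (action, index of the matching rule or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.established and not ack:
            continue
        return r.action, i
    return "deny", None          # implicit deny: nothing matched


if __name__ == "__main__":
    samples = [
        ("tcp", "198.51.100.7", "203.0.113.10", 443, False),  # Internet -> web server
        ("tcp", "198.51.100.7", "203.0.113.10", 22, False),   # Internet -> web server SSH
        ("tcp", "203.0.113.10", "10.0.0.5", 445, False),      # DMZ host opens SMB to the LAN
        ("tcp", "203.0.113.10", "10.0.0.5", 50000, True),     # DMZ host answers an admin session
        ("tcp", "10.0.0.5", "203.0.113.10", 22, False),       # admin -> DMZ
        ("tcp", "198.51.100.7", "10.0.0.5", 80, False),       # Internet -> internal
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(SCREENING_RULES, *pkt))
```

The `established` rule is what a stateless screening router has to rely on: it cannot tell a reply from a new connection, so it lets any DMZ-to-internal TCP segment with the ACK bit set through, whatever the port. That gap is the reason a stateful firewall, which tracks the session it saw opened from inside, is preferred over a bare packet filter for this boundary.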


NEW QUESTION # 29
Whose role is it to assign classification level to information?

  • A. Auditor
  • B. Security Administrator
  • C. Owner
  • D. User

Answer: C

Explanation:
The Data/Information Owner is ultimately responsible for the protection of the data. It is the Data/Information Owner who decides upon the classification of the data they are responsible for, and who alters that classification if the business need arises.
The following answers are incorrect:
Security Administrator. Incorrect because this individual is responsible for ensuring that the access rights granted are correct and support the policies and directives that the Data/Information Owner defines.
User. Incorrect because the user uses/accesses the data according to how the Data/Information Owner defined their access.
Auditor. Incorrect because the Auditor is responsible for ensuring that the access levels are appropriate. The Auditor would verify that the Owner classified the data properly.
References:
CISSP All In One Third Edition, Shon Harris, Page 121


NEW QUESTION # 30
Which of the following service is not provided by a public key infrastructure (PKI)?

  • A. Reliability
  • B. Authentication
  • C. Access control
  • D. Integrity

Answer: A

Explanation:
Explanation/Reference:
A Public Key Infrastructure (PKI) provides confidentiality, access control, integrity, authentication and non-repudiation.
It does not provide reliability services.
Reference(s) used for this question:
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.


NEW QUESTION # 31
The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

  • A. confidentiality and availability.
  • B. none of the above.
  • C. integrity and confidentiality.
  • D. integrity and availability.

Answer: D

Explanation:
TCSEC focused on confidentiality, while ITSEC added integrity and availability as security goals.
The following answers are incorrect:
Integrity and confidentiality. Incorrect because TCSEC already addressed confidentiality.
Confidentiality and availability. Incorrect because TCSEC already addressed confidentiality.
None of the above. Incorrect because ITSEC added integrity and availability as security goals.


NEW QUESTION # 32
CORRECT TEXT
An attempt to break an encryption algorithm is called _____________.

Answer: Cryptanalysis


NEW QUESTION # 33
How can an individual/person best be identified or authenticated to prevent local masquerading attacks?

  • A. Smart card and PIN code
  • B. Biometrics
  • C. UserId and password
  • D. Two-factor authentication

Answer: B

Explanation:
The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor.
Some people are getting thrown off by the term masquerade. In general, a masquerade is a disguise. In terms of communications security, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack.
A UserId only provides identification.
A password is a weak authentication mechanism, since passwords can be disclosed, shared, written down, and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smart card can be borrowed by a friend of yours, and you would have no clue as to who is really logging in using that smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system for identifying the person.
Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information. Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.
NOTE FROM CLEMENT:
This question has been generating lots of interest. The keywords in the question are: Individual (the person) and also the authenticated portion as well.
I totally agree with you that Two Factor or Strong Authentication would be the strongest means of authentication. However, the question is not asking what is the strongest means of authentication; it is asking what is the best way to identify the user (individual) behind the technology. When answering questions, do not make assumptions about facts not presented in the question or answers.
Nothing can beat Biometrics in such a case. You cannot lend your fingerprint and PIN to someone else; you cannot borrow one of my eyeballs to defeat the Iris or Retina scan. This is why it is the best method to authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have improved the question to make it a lot clearer and I have also improved the explanations attached with the question.
The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In the case of physical security, the enrollment process is where the identity of the user would be validated, and then the biometric features provided by the user would authenticate the user on a one-to-one matching basis (for authentication) against the reference contained in the database of biometric templates. In the case of system access, the user might have to provide a username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.
Biometrics can also be used for identification purposes, where you do a one-to-many match. You take a facial scan of someone within an airport and attempt to match it with a large database of known criminals and terrorists. This is how you could use biometrics for identification.
There are always THREE means of authentication; they are:
Something you know (Type 1), something you have (Type 2), something you are (Type 3).
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 7), and Search Security at http://searchsecurity.techtarget.com/definition/masquerade


NEW QUESTION # 34
Address Resolution Protocol (ARP) interrogates the network by sending out a:

  • A. unicast.
  • B. semicast.
  • C. broadcast.
  • D. multicast.

Answer: C

Explanation:
ARP interrogates the network by sending out a broadcast seeking the network node that has a specific IP address, and asks it to reply with its hardware address. A broadcast message is sent to everyone whether or not the message was requested. A traditional unicast is a "one-to-one" or "narrowcast" message. A multicast is a "one-to-many" message that is traditionally only sent to those machines that requested the information. Semicast is an imposter answer. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.
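Worked example (added here; not part of the study guide or of Krutz and Vines): building and decoding the Ethernet-framed ARP request and the unicast reply it provokes, per RFC 826. The MAC and IP addresses are constructed sample values and nothing is sent on the wire. The decoder classifies each frame from its destination MAC, which makes the broadcast/unicast distinction in the answer concrete: the request carries the all-ones address because the sender does not yet know who owns the IP, while the reply is addressed straight back to the asker.

```python
"""Build and decode an Ethernet-framed ARP request and reply (RFC 826).

Added example for this study guide, not code from the source texts it
cites. The MAC and IP addresses are constructed sample values and nothing
is transmitted; the point is to show that the request goes to the
all-ones broadcast MAC while the reply is unicast back to the asker.
"""
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _frame(dst_mac: bytes, src_mac: str, oper: int,
           sha: str, spa: str, tha: bytes, tpa: str) -> bytes:
    eth = dst_mac + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        ARP_FMT,
        1,            # HTYPE 1 = Ethernet
        0x0800,       # PTYPE = IPv4
        6, 4,         # HLEN, PLEN
        oper,
        mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed,
    )
    return eth + arp


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell sender_ip.'  Sent to ff:ff:ff:ff:ff:ff because
    the sender does not yet know which node owns target_ip; the target MAC
    field in the ARP body is zero for the same reason."""
    return _frame(BROADCAST_MAC, sender_mac, ARP_REQUEST,
                  sender_mac, sender_ip, b"\x00" * 6, target_ip)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """'sender_ip is at sender_mac.'  Addressed directly to the node that asked."""
    return _frame(mac_bytes(target_mac), sender_mac, ARP_REPLY,
                  sender_mac, sender_ip, mac_bytes(target_mac), target_ip)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet + ARP headers and classify how the frame was addressed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if dst == BROADCAST_MAC:
        delivery = "broadcast"
    elif dst[0] & 0x01:          # I/G bit set: group (multicast) address
        delivery = "multicast"
    else:
        delivery = "unicast"
    return {
        "delivery": delivery,
        "operation": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, oper),
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


if __name__ == "__main__":
    req = build_arp_request("02:00:00:00:00:01", "192.168.1.10", "192.168.1.1")
    rep = build_arp_reply("02:00:00:00:00:02", "192.168.1.1",
                          "02:00:00:00:00:01", "192.168.1.10")
    for f in (req, rep):
        print(parse_arp_frame(f))
```

Because the request is a broadcast, every node on the segment sees it, and nothing in the protocol authenticates the reply; that is the property ARP spoofing abuses, and why the sender's table should be watched for the same IP suddenly answering from a different MAC.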


NEW QUESTION # 35
What is the MOST critical piece to disaster recovery and continuity planning?

  • A. Staff training
  • B. Management support
  • C. Availability of backup information processing facilities
  • D. Security policy

Answer: B

Explanation:
Explanation/Reference:
The keyword is 'MOST CRITICAL' and the correct answer is 'Management Support', as management must be convinced of its necessity, which is why a business case must be made. The decision of how a company should recover from any disaster is purely a business decision and should be treated as such.
The other answers are incorrect because:
Security policy is incorrect as it is not the MOST CRITICAL piece.
Availability of backup information processing facilities is incorrect, as this comes once the organization has BCP plans in place, and for a BCP plan, management support must be there.
Staff training comes after the plans are in place, with the support of management.
Reference: Shon Harris, AIO v3, Chapter 9: Business Continuity Planning, Page 697.


NEW QUESTION # 36
Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection System (IDS) ?

  • A. signature-based IDS
  • B. event-based IDS
  • C. inferent-based IDS
  • D. statistical anomaly-based IDS

Answer: A

Explanation:
Explanation/Reference:
A signature-based IDS stores the attributes that characterize known attacks (the signatures) and compares observed traffic or host events against that stored reference, so it can only recognise an attack for which a signature already exists. A statistical anomaly-based IDS instead builds a profile of normal behaviour and flags deviations from it; it does not store attack attributes. "Event-based" and "inferent-based" are distractors.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.


NEW QUESTION # 37
What are the three FUNDAMENTAL principles of security?

  • A. Confidentiality, integrity and availability
  • B. Accountability, confidentiality and integrity
  • C. Integrity, availability and accountability
  • D. Availability, accountability and confidentiality

Answer: A

Explanation:
Section: Security Operations and Administration
Explanation/Reference:
The following answers are incorrect because:
Accountability, confidentiality and integrity is not the correct answer, as accountability is not one of the fundamental principles of security.
Integrity, availability and accountability is not the correct answer, as accountability is not one of the fundamental principles of security.
Availability, accountability and confidentiality is not the correct answer, as accountability is not one of the fundamental objectives of security.
References : Shon Harris AIO v3 , Chapter - 3: Security Management Practices , Pages : 49-52


NEW QUESTION # 38
In what way can violation clipping levels assist in violation tracking and analysis?

  • A. Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations.
  • B. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status.
  • C. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
  • D. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.

Answer: D

Explanation:
Explanation/Reference:
Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised. This baseline is referred to as a clipping level.
The following are incorrect answers:
Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant. This is not the best answer: you would not record ONLY security-relevant violations; all violations would be recorded, as well as all actions performed by authorized users which may not trigger a violation. This allows you to identify abnormal activities or fraud after the fact.
Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status. It could record all security violations whether the user is a normal user or a privileged user.
Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations. The keyword "ALL" makes this choice wrong. It may detect SOME but not all violations. For example, application-level attacks may not be detected.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1239). McGraw-Hill. Kindle Edition.
and
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
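Worked example (added here; not part of the study guide or of the Harris and Tipton references): a clipping level applied to failed-login events. The log lines are constructed, and the log format, the threshold of three failures and the ten-minute window are assumptions for the illustration. Every event still goes into the audit trail; the clipping level only decides when a user's failures stop looking like ordinary mistakes and an alarm is raised for analysis of why they occurred.

```python
"""Clipping level applied to failed-login events.

Added example, not from the study guide or its references. The log lines
below are constructed; the format (timestamp, outcome, user, source) is an
assumption, as are the threshold and window values. Every event still goes
into the audit trail; the clipping level only decides when a user's failures
stop looking like ordinary mistakes and an alarm is raised for analysis.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 3                  # failures tolerated per user inside WINDOW
WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<outcome>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice mistypes twice then succeeds, bob fails five
# times in eight seconds, carol fails four times but 15 minutes apart.
SAMPLE_LOG = """\
2024-03-01 09:00:00 FAILED login user=carol src=10.0.0.9
2024-03-01 09:00:01 FAILED login user=alice src=10.0.0.5
2024-03-01 09:00:09 FAILED login user=alice src=10.0.0.5
2024-03-01 09:00:20 SUCCESS login user=alice src=10.0.0.5
2024-03-01 09:01:00 FAILED login user=bob src=203.0.113.7
2024-03-01 09:01:02 FAILED login user=bob src=203.0.113.7
2024-03-01 09:01:04 FAILED login user=bob src=203.0.113.7
2024-03-01 09:01:06 FAILED login user=bob src=203.0.113.7
2024-03-01 09:01:08 FAILED login user=bob src=203.0.113.7
2024-03-01 09:15:00 FAILED login user=carol src=10.0.0.9
2024-03-01 09:30:00 FAILED login user=carol src=10.0.0.9
2024-03-01 09:45:00 FAILED login user=carol src=10.0.0.9
"""


def parse_event(line: str):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def apply_clipping_level(log_text: str, clipping_level: int = CLIPPING_LEVEL,
                         window: timedelta = WINDOW) -> dict:
    """Return {'audit': all parsed events, 'alarms': events that pushed a user
    past the clipping level}. Lines are expected in time order."""
    audit, alarms = [], []
    recent = defaultdict(deque)             # user -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        audit.append(ev)                    # the trail keeps everything
        if ev["outcome"] != "FAILED":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) > clipping_level:            # baseline exceeded: flag for analysis
            alarms.append({"user": ev["user"], "src": ev["src"],
                           "ts": ev["ts"], "failures_in_window": len(q)})
    return {"audit": audit, "alarms": alarms}


if __name__ == "__main__":
    result = apply_clipping_level(SAMPLE_LOG)
    print(f"{len(result['audit'])} events recorded, {len(result['alarms'])} alarms")
    for a in result["alarms"]:
        print(f"  {a['ts']} {a['user']} from {a['src']}: "
              f"{a['failures_in_window']} failures in window")
```

On the sample, alice and carol never cross the level (two quick mistakes, and four failures too far apart to fall in one window), so only bob's burst produces alarms; the other events are still in the audit list for after-the-fact review. Tuning the level too low buries analysts in ordinary typos; too high and a slow password-guessing run, like carol's pattern, stays under it.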


NEW QUESTION # 39
Which of the following is NOT a factor related to Access Control?

  • A. integrity
  • B. confidentiality
  • C. authenticity
  • D. availability

Answer: C

Explanation:
Explanation/Reference:
These factors cover the integrity, confidentiality, and availability components of information system security.
Integrity is important in access control as it relates to ensuring only authorized subjects can make changes to objects.
Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control.
Confidentiality is pertinent to access control in that the access to sensitive information is controlled to protect confidentiality.
Availability is protected by access controls in that if an attacker attempts to disrupt availability they would first need access.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.


NEW QUESTION # 40
Which access model is most appropriate for companies with a high employee turnover?

  • A. Lattice-based access control
  • B. Discretionary access control
  • C. Role-based access control
  • D. Mandatory access control

Answer: C

Explanation:
Explanation/Reference:
The underlying problem for a company with a lot of turnover is assuring that new employees are assigned the correct access permissions and that those permissions are removed when they leave the company.
Selecting the best answer requires thinking about the access control options in the context of a company with a lot of flux in the employee population. RBAC simplifies the task of assigning permissions because the permissions are assigned to roles, which do not change based on who belongs to them. As employees join the company, it is simply a matter of assigning them to the appropriate roles; their permissions derive from their assigned roles. They implicitly inherit the permissions of the role or roles they have been assigned to. When they leave the company or change jobs, their role assignment is revoked or changed appropriately.
Mandatory access control is incorrect. While controlling access based on the clearance level of employees and the sensitivity of objects is a better choice than some of the other incorrect answers, it is not the best choice when RBAC is an option and you are looking for the best solution for a high number of employees constantly leaving or joining the company.
Lattice-based access control is incorrect. The lattice is really a mathematical concept that is used in formally modeling information flow (Bell-LaPadula, Biba, etc.). In the context of the question, an abstract model of information flow is not an appropriate choice. CBK, pp. 324-325.
Discretionary access control is incorrect. When an employee joins or leaves the company, the object owner must grant or revoke access for that employee on all the objects they own. Problems would also arise when the owner of an object leaves the company. The complexity of assuring that the permissions are added and removed correctly makes this the least desirable solution in this situation.
References
All in One, third edition, page 165
RBAC is discussed on pp. 189 through 191 of the (ISC)2 guide.
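Worked example (added here; not part of the study guide or of the AIO/CBK references): a minimal role-based model next to a minimal discretionary one, so the joiner/mover/leaver cost of each can be seen. Role names, permissions and the fifty invoice objects are constructed for the illustration. Under RBAC a leaver is one operation; under DAC every object's ACL has to be visited, and objects owned by the leaver are left without an owner.

```python
"""Role-based vs discretionary access control under staff turnover.

Added example, not from the study guide or the books it cites. Role names,
permissions and object names are constructed; the point is what a joiner,
mover or leaver costs under each model.
"""
from collections import defaultdict


class RBAC:
    """Permissions hang off roles; users only get role memberships."""

    def __init__(self):
        self.role_perms = defaultdict(set)      # role -> {permission}
        self.user_roles = defaultdict(set)      # user -> {role}

    def define_role(self, role, *perms):
        self.role_perms[role].update(perms)

    def assign(self, user, *roles):
        unknown = set(roles) - set(self.role_perms)
        if unknown:
            raise KeyError(f"undefined roles: {sorted(unknown)}")
        self.user_roles[user].update(roles)

    def change_job(self, user, *roles):
        """Mover: old role memberships are replaced, not accumulated."""
        self.user_roles.pop(user, None)
        self.assign(user, *roles)

    def offboard(self, user):
        """Leaver: one operation removes every permission the user had."""
        self.user_roles.pop(user, None)

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def is_allowed(self, user, perm):
        return perm in self.permissions(user)


class DAC:
    """Each object carries its own ACL, managed by that object's owner."""

    def __init__(self):
        self.objects = {}          # name -> {"owner": str, "acl": {user: {perm}}}

    def create(self, obj, owner):
        self.objects[obj] = {"owner": owner, "acl": {owner: {"read", "write", "own"}}}

    def grant(self, obj, granter, user, *perms):
        if self.objects[obj]["owner"] != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.objects[obj]["acl"].setdefault(user, set()).update(perms)

    def is_allowed(self, obj, user, perm):
        return perm in self.objects[obj]["acl"].get(user, set())

    def offboard(self, user):
        """Leaver: every object's ACL has to be visited. Returns the number of
        ACLs edited and the objects left without an owner."""
        edited, orphaned = 0, []
        for obj, rec in self.objects.items():
            if rec["acl"].pop(user, None) is not None:
                edited += 1
            if rec["owner"] == user:
                orphaned.append(obj)
        return edited, orphaned


def build_demo_rbac():
    r = RBAC()
    r.define_role("ap-clerk", "read:invoices", "write:payments")
    r.define_role("auditor", "read:invoices", "read:ledger")
    r.assign("bob", "ap-clerk")
    r.assign("dana", "auditor")
    return r


def build_demo_dac(n_objects=50):
    d = DAC()
    for i in range(n_objects):
        obj = f"invoice-{i:03d}"
        d.create(obj, "alice")                 # alice owns every invoice
        d.grant(obj, "alice", "bob", "read")   # and had to grant bob on each one
    return d


if __name__ == "__main__":
    rbac = build_demo_rbac()
    rbac.offboard("bob")
    print("bob after RBAC offboarding:", rbac.permissions("bob"))
    dac = build_demo_dac()
    edited, orphaned = dac.offboard("bob")
    print(f"bob after DAC offboarding: edited {edited} ACLs, orphaned {orphaned}")
    edited, orphaned = dac.offboard("alice")
    print(f"alice leaves: edited {edited} ACLs, {len(orphaned)} objects now ownerless")
```

The DAC `offboard` walk is the part that goes wrong in practice: it only works if someone knows every object the leaver was granted on, and the orphaned-owner list shows why an owner leaving is a separate problem that RBAC does not have.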


NEW QUESTION # 41
Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control?

  • A. Data link
  • B. Physical
  • C. Session
  • D. Network

Answer: A

Explanation:
Section: Network and Telecommunications
Explanation/Reference:
The Data Link layer provides data transport across a physical link. It handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999.


NEW QUESTION # 42
Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?

  • A. Electronic Payment transactions.
  • B. Web transactions.
  • C. EDI transactions.
  • D. Telnet transactions.

Answer: B

Explanation:
SSL was developed by Netscape Communications Corporation to improve the security and privacy of HTTP transactions.
SSL is one of the most common protocols used to protect Internet traffic. It encrypts the messages using symmetric algorithms, such as IDEA, DES, 3DES, and Fortezza, and also calculates a MAC for the message using MD5 or SHA-1. The MAC is appended to the message and encrypted along with the message data.
The exchange of the symmetric keys is accomplished through various versions of Diffie-Hellman or RSA. TLS is the Internet standard based on SSLv3. TLSv1 is backward compatible with SSLv3. It uses the same algorithms as SSLv3; however, it computes an HMAC instead of a MAC, along with other enhancements to improve security.
The following are incorrect answers:
"EDI transactions" is incorrect. Electronic Data Interchange (EDI) is not the best answer to this question, though SSL could play a part in some EDI transactions.
"Telnet transactions" is incorrect. Telnet is a character-mode protocol and is more likely to be secured by Secure Telnet or replaced by the Secure Shell (SSH) protocol.
"Electronic payment transactions" is incorrect. Electronic payment is not the best answer to this question, though SSL could play a part in some electronic payment transactions.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16615-16619). Auerbach Publications. Kindle Edition.
and
http://en.wikipedia.org/wiki/Transport_Layer_Security


NEW QUESTION # 43
In the course of responding to and handling an incident, you work on determining the root cause of the incident. Which step are you in?

  • A. Triage
  • B. Containment
  • C. Recovery
  • D. Analysis and tracking

Answer: D

Explanation:
In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident.
Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into production.
Containment is incorrect, as containment is about reducing the potential impact of an incident.
Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false positives.
Reference:
Official Guide to the CISSP CBK, pages 700-704


NEW QUESTION # 44
The Trusted Computer System Evaluation Criteria (TCSEC) is also referred to as:

  • A. RFC 1700
  • B. The orange book
  • C. The blue book
  • D. ISO 792
  • E. BS 1412

Answer: B

Explanation:
The Trusted Computer System Evaluation Criteria (TCSEC), published by the US Department of Defense, is also referred to as the Orange Book.


NEW QUESTION # 45
Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model?

  • A. Router
  • B. Bridge
  • C. Repeater
  • D. Gateway

Answer: D

Explanation:
Section: Network and Telecommunications
Explanation/Reference:
A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack.
Important Note:
For the purpose of the exam, you have to remember that a gateway is not synonymous to the term firewall.
The second thing you must remember is the fact that a gateway acts as a translation device.
It could be used to translate from IPX to TCP/IP for example. It could be used to convert different types of applications protocols and allow them to communicate together. A gateway could be at any of the OSI layers but usually tend to be higher up in the stack.
For your exam you should know the information below:
Repeaters
A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.
Repeaters can also work as line conditioners by actually cleaning up the signals. This works much better when amplifying digital signals than when amplifying analog signals, because digital signals are discrete units, which makes extraction of background noise from them much easier for the amplifier. If the device is amplifying analog signals, any accompanying noise often is amplified as well, which may further distort the signal.
A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with IP or MAC addresses. When one system sends a signal to go to another system connected to it, the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.
Repeater (Image Reference: http://www.erg.abdn.ac.uk/~gorry/course/images/repeater.gif)

Bridges
A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.
Bridge (Image Reference: http://www.oreillynet.com/network/2001/01/30/graphics/bridge.jpg)

Routers
Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts.
Router and Switch (Image Reference: http://www.computer-networking-success.com/images/router-switch.jpg)

Switches
Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port connection device that provides connections for individual computers or other hubs and switches.

Gateways
Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.
Gateway Server (Image Reference: http://static.howtoforge.com/images/screenshots/556af08d5e43aa768260f9e589dc547f-3024.jpg)
The following answers are incorrect:
Repeater - A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.
Bridges - A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.
Routers - Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary.
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 263
Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230


NEW QUESTION # 46
What is the main purpose of Corporate Security Policy?

  • A. To communicate management's intentions in regards to information security
  • B. To transfer the responsibility for the information security to all users of the organization
  • C. To provide detailed steps for performing specific actions
  • D. To provide a common framework for all development activities

Answer: A

Explanation:
Section: Security Operations and Administration
Explanation/Reference:
A Corporate Security Policy is a high-level document that indicates what management's intentions are in regard to Information Security within the organization. It is high level in purpose; it does not give you details about specific products that would be used, specific steps, etc.
The organization's requirements for access control should be defined and documented in its security policies.
Access rules and rights for each user or group of users should be clearly stated in an access policy statement.
The access control policy should minimally consider:
  • Statements of general security principles and their applicability to the organization
  • Security requirements of individual enterprise applications, systems, and services
  • Consistency between the access control and information classification policies of different systems and networks
  • Contractual obligations or regulatory compliance regarding protection of assets
  • Standards defining user access profiles for organizational roles
  • Details regarding the management of the access control system
As a Certified Information Systems Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines.
Guidance provided by the CISSP for technical security issues and emerging threats is considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends, and analysis of vendor solutions to include in the security architecture that advances the security of the organization, are performed by the CISSP as well.
The following are incorrect answers:
To transfer the responsibility for the information security to all users of the organization is bogus. You CANNOT transfer responsibility, you can only transfer authority. Responsibility will always sit with upper management. The keywords ALL and USERS are also an indication that it is the wrong choice.
To provide detailed steps for performing specific actions is also a bogus detractor. A step by step document is referred to as a procedure. It details how to accomplish a specific task.
To provide a common framework for all development activities is also an invalid choice. Security Policies are not restricted only to development activities.
Reference Used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.


NEW QUESTION # 47
Attributable data should be:

  • A. always traced to individuals responsible for observing and recording the data
  • B. sometimes traced to individuals responsible for observing and recording the data
  • C. never traced to individuals responsible for observing and recording the data
  • D. often traced to individuals responsible for observing and recording the data

Answer: A

Explanation:
As per the FDA, data should be attributable, original, accurate, contemporaneous and legible. In an automated system, attributability could be achieved by a computer system designed to identify the individuals responsible for any input.
Source: U.S. Department of Health and Human Services, Food and Drug Administration, Guidance for Industry - Computerized Systems Used in Clinical Trials, April 1999, page 1.


NEW QUESTION # 48
What is the difference between Access Control Lists (ACLs) and Capability Tables?

  • A. They are basically the same.
  • B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.
  • C. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object.
  • D. Capability tables are used for objects whereas access control lists are used for users.

Answer: B

Explanation:
Capability tables are used to track, manage and apply controls based on the object and the rights, or capabilities, of a subject. For example, a table identifies the object, specifies the access rights allowed for a subject, and permits access based on the user's possession of a capability (or ticket) for the object. It is a row within the matrix.
To put it another way, a capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.
CLEMENT NOTE:
If we wish to express this very simply:
Capabilities are attached to a subject and describe what access the subject has to each of the objects on the row that matches with the subject within the matrix. It is a row within the matrix.
ACLs are attached to objects; they describe who has access to the object and what type of access they have.
It is a column within the matrix.
The following are incorrect answers:
"Access control lists are subject-based whereas capability tables are object-based" is incorrect.
"Capability tables are used for objects whereas access control lists are used for users" is incorrect.
"They are basically the same" is incorrect.
References used for this question:
CBK, pp. 191 - 192
AIO3 p. 169
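An added example (not from the page or its references) that builds a small access matrix from constructed sample subjects, objects and rights, then derives a capability list as one row and an ACL as one column of the same matrix, and shows why revoking access to an object touches one ACL but every capability row:

```python
"""Access matrix toy: rows are subjects, columns are objects."""
from typing import Dict, FrozenSet, Set

Matrix = Dict[str, Dict[str, Set[str]]]

# Constructed sample data: hypothetical subjects, objects and rights.
SAMPLE_MATRIX: Matrix = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}, "backup.tar": {"read", "execute"}},
}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, FrozenSet[str]]:
    """Capability table entry: the ROW for one subject, i.e. what that
    subject may do to each object. It is bound to the subject."""
    row = matrix.get(subject, {})
    return {obj: frozenset(rights) for obj, rights in row.items() if rights}


def access_control_list(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """ACL: the COLUMN for one object, i.e. who may access it and how.
    It is bound to the object."""
    return {subj: frozenset(row[obj])
            for subj, row in matrix.items() if row.get(obj)}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Either projection answers a single access check; both must agree
    because they are two views of the same matrix."""
    via_cap = right in capability_list(matrix, subject).get(obj, frozenset())
    via_acl = right in access_control_list(matrix, obj).get(subject, frozenset())
    assert via_cap == via_acl, "projections diverged: matrix is inconsistent"
    return via_cap


def revoke_object(matrix: Matrix, obj: str) -> int:
    """Remove every right on one object. In an ACL system this edits one
    column (one list); in a capability system every subject's row must be
    visited, which is why revocation is the hard case for capabilities.
    Returns the number of rows that had to be changed."""
    touched = 0
    for row in matrix.values():
        if obj in row:
            del row[obj]
            touched += 1
    return touched
```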


NEW QUESTION # 49
......


The common mistakes made on the SSCP exam by candidates would be:

  • Not knowing how to respond to certain questions and guessing their responses. Guessing and guessing until it's too late, and guessing all the way up to the point where they know they are incorrect.
  • Dressing inappropriately for the experience.
  • Bringing inappropriate materials like cheat sheets and books during the exam. However, it's safe to take a copy of the syllabus and other documents that you can look at anytime you want during your exam. You can keep these in a folder and bring it with you using an organizer to avoid any trouble.
  • Not knowing what to expect.
  • Having anxiety and fear that they wouldn't pass because of their background, especially if they've only been in IT for less than two years.
  • Not preparing themselves physically and emotionally.
  • Leaving the test center early before others, thus giving them less time to review their answers.
  • Skipping questions.
  • Not having the right training.

On the other hand, people who pass the exam by preparing themselves with SSCP Dumps would be able to answer questions confidently. Rather than having doubts about their answers, they could feel that they are right about their responses because of what they learned during training. They know what to expect and understand how difficult it is to pass these exams because of all the things they learned from their teachers, who are ISC certified security professionals.

 

SSCP PDF Pass Leader, SSCP Latest Real Test: https://www.practicedump.com/SSCP_actualtests.html

Valid SSCP Test Answers & SSCP Exam PDF: https://drive.google.com/open?id=1xN21d7bvFAeh35Tlo5xwT59wSbbo-Qbp