Prepare for the ISC2 Certified Secure Software Lifecycle Professional exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives, and our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these questions and answers help you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the ISC2 CSSLP exam and achieve success.
Which of the following roles is also known as the accreditor?
Designated Approving Authority (DAA) is also known as the accreditor.
Answer A is incorrect. The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.
Answer C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, the CIO reports to the commanding officer.
Which of the following areas of an information system, as separated by the Information Assurance Framework, is a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy?
The areas of an information system, as separated by the Information Assurance Framework, are as follows:
Local Computing Environments: This area includes servers, client workstations, operating systems, and applications.
Enclave Boundaries: This area consists of a collection of local computing devices, regardless of physical location, that are interconnected via local area networks (LANs) and governed by a single security policy.
Networks and Infrastructures: This area provides the network connectivity between enclaves. It includes operational area networks (OANs), metropolitan area networks (MANs), and campus area networks (CANs).
Supporting Infrastructures: This area provides security services for networks, client workstations, Web servers, operating systems, applications, files, and single-use infrastructure machines.
Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. It was replaced with the development of the Common Criteria international standard originally published in 2005. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.
Answer D is incorrect. The System Security Authorization Agreement (SSAA) is an information security document used in the United States Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issued in December 1997) that describes DITSCAP and provides an outline for the SSAA document is DODI 5200.40. The DITSCAP application manual (DoD 8510.1-M), published in July 2000, provides additional details.
Answer A is incorrect. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems and provides an approach for federal agencies. It determines how federal agencies are meeting existing policy and establishes goals. The main advantage of FITSAF is that it addresses the requirements of the Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIST).
Answer B is incorrect. The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified. Some FIPS standards were originally developed by the U.S. government, for instance standards for encoding data (e.g., country codes) but, more significantly, some encryption standards, such as the Data Encryption Standard (FIPS 46-3) and the Advanced Encryption Standard (FIPS 197). In 1994, NOAA began broadcasting coded signals called FIPS (Federal Information Processing System) codes along with their standard weather broadcasts from local stations. These codes identify the type of emergency and the specific geographic area (such as a county) affected by the emergency.
You are responsible for network and information security at a large hospital. It is a significant concern that any change to any patient record can be easily traced back to the person who made that change. What is this called?
Non-repudiation refers to mechanisms that prevent a party from falsely denying involvement in some data transaction.
In which of the following architecture styles does a device receive input from connectors and generate transformed outputs?
In the pipes and filters architecture style, a device receives input from connectors and generates transformed outputs. A pipeline has a series of processing elements in which the output of each element serves as the input of the next element. A small amount of buffering is provided between two successive elements.