Prepare for the ISC2 Certified Secure Software Lifecycle Professional exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives, and our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these questions and answers help you cover all the essential topics, ensuring you're well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the ISC2 CSSLP exam and achieve success.
The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE? Each correct answer represents a complete solution. Choose all that apply.
An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Ensures that the information system's configuration complies with the agency's information security policy.
Supports the information system owner/information owner in completing security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an Information System Security Engineer (ISSE) are as follows:
Provides views on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management?
Risk management is an ongoing project activity. It should be an agenda item at every project status meeting.
Answer A is incorrect. Milestones are good times to do reviews, but risk management should happen frequently.
Answer C is incorrect. This answer would only be correct if the project has a status meeting just once per month in the project.
Answer B is incorrect. Risk management happens throughout the project as does project planning.
Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. Which of the following areas can be exploited in a penetration test? Each correct answer represents a complete solution. Choose all that apply.
Penetration testing (also called pen testing) is the practice of testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. The following are the areas that can be exploited in a penetration test:
Kernel flaws: Kernel flaws refer to the exploitation of flaws in the operating system's kernel code.
Buffer overflows: Buffer overflows refer to the exploitation of a software failure to properly check the length of input data. Such an overflow can cause malicious behavior on the system.
Race conditions: A race condition is a timing flaw in which the outcome depends on the order of concurrent operations; an attacker who exploits it can gain access to a system as a privileged user.
File and directory permissions: In this area, an attacker exploits weak permission restrictions to gain unauthorized access to documents.
Trojan horses: These are malicious programs that can exploit an information system by attaching themselves to legitimate programs and files.
Social engineering: In this technique, an attacker uses social skills and persuasion to acquire valuable information that can be used to conduct an attack against a system.
Which of the following persons in an organization is responsible for rejecting or accepting the residual risk for a system?
The authorizing official is the senior manager responsible for approving the operation of the information system. He is responsible for the risks of operating the information system within a known environment through the security accreditation phase. In many organizations, the authorizing official is also referred to as the Designated Approving/Accrediting Authority (DAA) or the Principal Approving Authority (PAA).
Answer C is incorrect. The system owner has the responsibility of informing the key officials within the organization of the requirements for a security C&A of the information system. He makes the resources available and provides the relevant documents to support the process.
Answer A is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Ensures that the information system's configuration complies with the agency's information security policy.
Supports the information system owner/information owner in completing security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer D is incorrect. The CISO has the responsibility of carrying out the CIO's FISMA responsibilities. He manages the information security program functions.
An assistant from the HR Department calls you to ask the Service Hours & Maintenance Slots for your ERP system. In which document will you most probably find this information?
You will most probably find this information in the Service Level Agreement document. Among other information, the SLA contains the agreed Service Hours and maintenance slots for any particular Service.
A Service Level Agreement (frequently abbreviated as SLA) is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance.
A Service Level Agreement (SLA) is a negotiated agreement between two parties where one is the customer and the other is the service provider. This can be a legally binding formal or informal 'contract'. Contracts between the Service Provider and other third parties are often (incorrectly) called SLAs; because the level of service has been set by the (principal) customer, there can be no 'agreement' between third parties (these agreements are simply a 'contract'). Operating Level Agreements (OLAs), however, may be used by internal groups to support SLAs.
Answer B is incorrect. A Release Policy is a set of rules for deploying releases into the live operational environment, defining different approaches for releases depending on their urgency and impact.
Answer C is incorrect. The Service Level Requirements document contains the requirements for a service from the client viewpoint, defining detailed service level targets, mutual responsibilities, and other requirements specific to a certain group of customers.
Answer D is incorrect. An Underpinning Contract (UC) is a contract between an IT service provider and a third party. In other words, it is an agreement between the IT organization and an external provider about the delivery of one or more services. The third party provides services that support the delivery of a service to a customer. The Underpinning Contract defines the targets and responsibilities that are required to meet agreed Service Level targets in an SLA.