Concepts

Question 1

When should security requirements be addressed in systems development?

• From the very beginning
• When budget and business priorities permit
• When the risk assessment effort is completed
• At the time of implementation

Answer 1

From the very beginning

Question 2

Which term is often associated with the precision of data?

• Integrity
• Availability
• Non-disclosure
• Confidentiality

Answer 2

Integrity

Question 3

What is the primary method of enforcing security concepts?

• Through strict firewall rules
• Through risk management
• Through the use of controls
• By regular or continuous audit

Answer 3

Through the use of controls

Question 4

A security concept that protects against repudiation threats?

• Confidentiality
• Authentication
• Availability
• Accountability

Answer 4

Accountability

Question 5

A security concept that addresses the logging of transactions so that at a later time a history of transactions can be built, if needed.

• Authorization
• Availability
• Non-repudiation
• Auditing

Answer 5

Auditing

Question 6

A security concept that verifies and validates identity information that is supplied.

• Confidentiality
• Non-repudiation
• Authentication
• Authorization

Answer 6

Authentication

Question 7

A security concept that has to do with the checking of a subject’s rights and privileges before granting access to the objects that the subject requests.

• Non-repudiation
• Authentication
• Authorization
• Availability

Answer 7

Authorization

Question 8

A security concept that assures protection against destruction of the data or system or denial of service. It addresses the accessibility of the
software and/or the data it handles.
- Availability
- Confidentiality
- Accountability
- Authorization

Answer 8

Availability

Question 9

A security concept that assures the protection of data against unauthorized disclosure. It ensures the secrecy and privacy of data.

• Non-repudiation
• Confidentiality
• Availability
• Authentication

Answer 9

Confidentiality

Question 10

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

• Separation of Duties
• Defense in Depth
• Data anonymization
• Complete Mediation

Answer 10

Data anonymization

Question 11

A security concept that addresses the deniability of actions taken by the software or the user. It ensures that the actions taken by the software on behalf of the user (intentionally or unintentionally) cannot be refuted or denied.

• Confidentiality
• Authentication
• Authorization
• Non-repudiation

Answer 11

Non-repudiation

Question 12

The secure disposal of software and the data the software processes, transmits, and stores.

• Disposition
• Integrity
• Authorization
• Open Design

Answer 12

Disposition

Question 13

A security concept that assures protection against unauthorized alterations (or modifications).

• Integrity
• Authorization
• Confidentiality
• Accountability

Answer 13

Integrity

Question 14

Which type of control will proactively stop a threat from successfully attacking a system?

• Preventative
• Compensating
• Detective
• Corrective

Answer 14

Preventative

Question 15

In addition to restricting a user to the minimum level of access they require to perform their job, least privilege may also restrict access based on which factor?

• Hashing
• Encryption
• Authentication
• Time

Answer 15

Time

Question 16

Which term is often used to define a security requirement?

• Clearance
• Protocols
• Escrow
• Availability

Answer 16

Availability

Question 17

What is the result of encrypting a hash of a message with the private key of the sender?

• Digital algorithm
• Digital signature
• Digital envelope
• Digitized signature

Answer 17

Digital signature

Question 18

What is the secruity control used when displaying an asterix as a user enters a password?

• Encryption
• Masking
• Context-dependent access control
• Content-dependent access control

Answer 18

Masking

Question 19

What is the core security concept addressed through “need to know”?

• Non-repudiation
• Confidentiality
• Integrity
• Availability

Answer 19

Confidentiality

Question 20

What security concept provides trust in a cryptographic algorithm?

• Propietart software
• Symmetric key escrow
• Open design
• Publishing public keys as certificates

Answer 20

Open design

Question 21

When is the best time to involve security into systems development?

• As early as possible in the project lifecycle
• Once the system requirements are known
• During the deployment phase of the project
• Upon completion of the risk management

Answer 21

As early as possible in the project lifecycle

Question 22

Which of the following statements about the availability concept of Information security management is true?

• Ensures that modifications are not made to data by unauthorized personnel or processes
• Determines actions and behaviours of a single individual within a system
• Ensures reliable and timely access to resources
• Ensure that unauthorized modifications are not made to data by authorized personnel or processes

Answer 22

Ensures reliable and timely access to resources

Question 23

The concept of preventing a subject from denying a previous action with an object in a system is a description of?

• Simple security rule
• Non-repudiation
• Defense in depth
• Constrained data item (CDI)

Answer 23

Non-repudiation

Question 24

The CIA of security includes:

• Confidentiality, integrity, authentication
• Certificates, integrity, availability
• Confidentiality, inspection, authentication
• Confidentiality, integrity, availability

Answer 24

Confidentiality, integrity, availability

Question 25

What is the most important place to address security requirements?

• At the network layer to prevent attacks
• Within the application code for greatest precision
• At all levels including network, application, and host
• On the host since a compromise of the host is most dangerous

Answer 25

At all levels including network, application, and host

Question 26

Which security concept is often associated with criticality?

• Availability
• Integrity
• Non-repudiation
• Authorization

Answer 26

Availability

Question 27

What security concept is in use if a system requires a user to authenticate with a password and a biometric value?

• Strong authentication
• Accountability and audit
• Dynamic authentication
• Node authentication

Answer 27

Strong authentication

Question 28

What is the goal of the CSSLP?

• To integrate security into the entire SDLC
• To develop security solutions for software projects
• To ensure that security requirements are correct
• To promote the deployment of quality software

Answer 28

To integrate security into the entire SDLC

Question 29

What concept is being used when a user account is locked out after three invalid password entries?

• Logging
• Filtering
• Static
• Clipping

Answer 29

Clipping

Question 30

What is the primary purpose of logging all activity on a system?

• To prosecute illegal activity
• To establish an audit trail
• To deter any suspicious actions
• To support the concept of identification

Answer 30

To establish an audit trail

Question 31

What technique is used to restrict the amount of data in a customer record that is visible to a user of an application that accesses a database?

• Input validation
• View-based controls
• Strong passwords
• Single sign-on

Answer 31

View-based controls

Question 32

What is the primary method of enforcing security concepts?

• Through the use of controls
• Through risk management
• By regular or continuous audit
• Through strict firewall rules

Answer 32

Through the use of controls