CSSLP Flashcards
Cert
Confidentiality is used to
a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) all of the above
b) protect information from disclosure
Integrity is used to
a) protect information from destruction
b) protect information from disclosure
c) protect information from modification
d) both a and c
d) both a and c
Integrity can be ensured by
a) redundancy
b) failover
c) clusters
d) none of the above
d) none of the above
Availability can be ensured by
a) encryption
b) revocation
c) clusters
d) hashing
c) clusters
Failover is applied
a) automatically
b) manually
c) never
d) none of the above
a) automatically
Separation of duties
a) breaks work into manageable parts
b) improves quality control
c) requires multiple parties
d) reduces the work week
c) requires multiple parties
An audit is
a) a single point in time event
b) a continuous event
c) a subset of monitoring
d) an accounting task
a) a single point in time event
The KISS principle is demonstrated by
a) nonrepudiation
b) least privilege
c) defense in depth
d) economy of mechanism
d) economy of mechanism
Secure configuration management (CM) is most useful for
a) organizing meetings
b) reviewing documentation
c) preventing integrity breaches
d) secure data repositories
c) Configuration management protects against the unauthorized modification or destruction of data items
Which is not a secure configuration management and version control (CM/VC) process?
a) Planning
b) Identifying file security
c) Controlling configuration changes
d) Monitoring
b) CM/VC deals with monitoring data items; it does not implement file security
Which methodology uses a security best practices approach whereby the best practices are mapped to each phase of a generic software development lifecycle (SDLC)?
a) Microsoft SDL
b) S-Scrum
c) CLASP
d) SALSA
c) CLASP is designed to insert security into SDLC phases, regardless of methodology
A disadvantage of agile methods is that
a) they map all requirements to a generic SDLC
b) they require fast computers for execution of the code
c) they do not work with older code
d) they do not allow sufficient time for detailed security planning or analysis
d) Agile is based on identifying just enough requirements for the next sprint, and executing those quickly
What is the difference between standards and frameworks?
a) Standards are accepted as best practices, whereas frameworks are practices that are generally employed
b) Standards are locality specific, whereas frameworks are international
c) Standards are specific while frameworks are general
d) Both A and C
d) both A and C
Attack surface analysis will
a) identify what functions and what parts of the system you need to review/test for security vulnerabilities
b) identify high-risk areas of code that require defense in depth protection - what parts of the system that you need to defend
c) identify when you have changed the attack surface and need to do some kind of threat assessment
d) do all of the above
d) do all of the above
End-of-life policies apply when
a) users are retiring from the organization
b) users are transitioning to a newer platform
c) users need to update their policies and procedures
d) none of the above happens
b) users are transitioning to a newer platform
Which is not a risk management strategy?
a) Mitigate
b) Accept
c) Transfer
d) Amend
d) Amend
Which of the following regulations include provisions to protect consumers’ personal financial information held by financial institutions?
a) Sarbanes-Oxley Act (SOX)
b) Payment Card Industry Data Security Standard (PCI-DSS)
c) Gramm-Leach-Bliley Act (GLBA)
d) Electronic Fund Transfer Act, Regulation E (EFTA)
c) GLBA deals with privacy requirements for financial information
Which type of requirement is used to describe long-term goals?
a) Cosmic
b) Mission
c) Business
d) Technical
b) Mission requirements describe long-term goals, business requirements describe mid-term goals, and technical requirements describe short-term goals
Which of the following is not a classification criterion for data?
a) usefulness of data
b) value of data
c) age of data
d) format of data
d) Classification deals with labeling data according to sensitivity; data format does not affect this
Which of the following is not a mandatory document?
a) Standards
b) Baselines
c) Procedures
d) Guidelines
d) Guidelines are optional. Standards, baselines and procedures are mandatory
Which of the following is an anonymization approach for relational data?
a) Socialization
b) Perturbation
c) Derivation
d) Elicitation
b) There are 4 approaches to data anonymization: Generalization, Perturbation, Replacement and Suppression
Which of the following are used in the development of abuse cases?
a) Case Reports
b) Use Cases
c) Risk Results
d) Complaints
b) Abuse cases can be developed from the inverse of use cases
The requirements for a software security standard comprise which two subsets to enhance system protection and reduce the risk to the system?
a) Operational System and Organization
b) Operational System and Environment
c) Operational System and Development Process
d) none of the above
a) The requirements for a software security standard are drawn from operational system and organization requirements and development process and environment requirements
Why is this not all of the above?
Which testing process is most commonly performed at the end of the SDLC?
a) Source Code Static Security Analysis
b) Binary Code Security Scanning
c) Byte Code Security Analysis
d) Source Code Security Fault Injection
c) Byte code security analysis can be performed in tandem with source code analysis at the end of the SDLC to improve overall accuracy of results