Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority?
Answer(s): D
The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries.
Which United States law is focused on PII as it relates to the financial industry?
The GLBA, as it is commonly called based on the lead sponsors and authors of the act, is officially known as "The Financial Modernization Act of 1999." It is specifically focused on PII as it relates to financial institutions. There are three specific components of it, covering various areas and use, on top of a general requirement that all financial institutions must provide all users and customers with a written copy of their privacy policies and practices, including with whom and for what reasons their information may be shared with other entities.
Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used?
Answer(s): C
Sensitive data exposure occurs when information is not properly secured through encryption and secure transport mechanisms; it can quickly become an easy and broad method for attackers to compromise information. Web applications must enforce strong encryption and security controls on the application side, but secure methods of communications with browsers or other clients used to access the information are also required. Security misconfiguration occurs when applications and systems are not properly configured for security, often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, thus allowing spoofing for malware or phishing attacks.
What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?
Answer(s): A
The best practice is to totally remove any unneeded services and utilities on a system to prevent any chance of compromise or use. If they are just disabled, it is possible for them to be inadvertently started again at any point, or another exploit could be used to start them again. Removing also negates the need to patch and maintain them going forward.
Post your Comments and Discuss ISC CCSP exam with other Community members:
Eric Commented on April 15, 2025 Most of these questions are in the exam. Over all gives you a good idea of what comes in the exam. Exam is hard so good luck guys. UNITED STATES
Mohammad Commented on March 04, 2025 helpful, but i think it should be updated Anonymous
Manoj Commented on March 01, 2025 helpful but some of the answers are debatable. not sure what to accept for exam passing. UNITED STATES
Bini Commented on January 21, 2025 I would like to see more questions related to CCSP Anonymous
SSSR Commented on December 11, 2024 Great stuff and nicely formatted content. PDF is version is what I highly recommend as it has double the amount of questions. UNITED KINGDOM
MP Commented on December 05, 2024 Still Preparing Hopefully these are helpful UNITED STATES