Free ISC CSSLP Exam Braindumps (page: 15)

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

  A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
  B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
  C. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
  D. Certification is the official management decision given by a senior agency official to authorize operation of an information system.

Answer(s): A,C

Explanation:

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.



Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.

  A. Negotiation
  B. Registration
  C. Document mission need
  D. Initial Certification Analysis

Answer(s): A,B,C

Explanation:

Phase 1 of DITSCAP C&A is known as the Definition Phase. The goal of this phase is to define the C&A level of effort, identify the main C&A roles and responsibilities, and create an agreement on the method for implementing the security requirements. Phase 1 starts with the input of the mission need. This phase comprises three process activities: Document mission need, Registration, and Negotiation. Answer D is incorrect. Initial Certification Analysis is a Phase 2 activity.



Which of the following NIST Special Publication documents provides a guideline on network security testing?

  A. NIST SP 800-42
  B. NIST SP 800-53A
  C. NIST SP 800-60
  D. NIST SP 800-53
  E. NIST SP 800-37
  F. NIST SP 800-59

Answer(s): A

Explanation:

NIST SP 800-42 provides a guideline on network security testing.
Answers B, C, D, E, and F are incorrect. NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:

NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.
NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.



Which of the following tools is used to attack the Digital Watermarking?

  A. Steg-Only Attack
  B. Active Attacks
  C. 2Mosaic
  D. Gifshuffle

Answer(s): C

Explanation:

2Mosaic is a tool used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is chopped into small pieces that are then placed back together. When this image is embedded in a web page, the web browser renders the small pieces as one image, which looks like the original image with no watermark in it. The attack succeeds because it is impossible to read a watermark in very small pieces. Answer D is incorrect. Gifshuffle is used to hide messages or information inside GIF images by shuffling the colormap. This tool also provides compression and encryption.
Answers A and B are incorrect. Steg-Only Attacks and Active Attacks are used to attack steganography.