Free SSCP Exam Braindumps (page: 90)


What can best be defined as high-level statements, beliefs, goals and objectives?

  A. Standards
  B. Policies
  C. Guidelines
  D. Procedures

Answer(s): B

Explanation:

Policies are high-level statements, beliefs, goals and objectives, together with the general means for their attainment, for a specific subject area. Standards are mandatory activities, actions, rules or regulations designed to give policies the support structure and specific direction they require to be effective. Guidelines are more general statements of how to achieve the policies' objectives, providing a framework within which to implement procedures. Procedures spell out the specific steps by which the policy, its supporting standards and the guidelines will be implemented.


Reference:

HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.



In an organization, an Information Technology security function should:

  A. Be a function within the information systems function of an organization.
  B. Report directly to a specialized business unit such as legal, corporate security or insurance.
  C. Be led by a Chief Security Officer and report directly to the CEO.
  D. Be independent but report to the Information Systems function.

Answer(s): C

Explanation:

In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended, as it promotes a low-technology view of the function and leads people to believe that security is someone else's problem.


Reference:

HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.



IT security measures should:

  A. Be complex.
  B. Be tailored to meet organizational security goals.
  C. Make sure that every asset of the organization is well protected.
  D. Not be developed in a layered fashion.

Answer(s): B

Explanation:

In general, IT security measures are tailored to an organization's unique needs. While numerous factors, such as overriding mission requirements and guidance, must be considered, the fundamental issue is protecting the mission or business from IT security-related negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used: implementing lower-assurance, lower-cost solutions to protect less critical systems and higher-assurance solutions only in the most critical areas.
The more complex a mechanism, the more likely it is to contain exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Further, because configuration management is simplified, updating or replacing a simple mechanism is a less intensive process.
Security designs should take a layered approach to protecting against a specific threat or reducing a vulnerability. For example, a packet-filtering router used in conjunction with an application gateway and an intrusion detection system increases the work factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more.
The need for layered protection is especially important when commercial-off-the-shelf (COTS) products are used. Practical experience has shown that the current state of the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. Placing several controls in series, so that attackers must do additional work to accomplish their goals, helps mitigate this situation.


Reference:

STONEBURNER, Gary et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (pages 9-10).



Which of the following does not address Database Management Systems (DBMS) Security?

  A. Perturbation
  B. Cell suppression
  C. Padded cells
  D. Partitioning

Answer(s): C

Explanation:

Padded cells complement Intrusion Detection Systems (IDSs) and are not related to DBMS security. Padded cells are simulated environments to which IDSs seamlessly transfer detected attackers; they are designed to convince the attacker that the attack is going according to plan. Cell suppression is a technique used against inference attacks: information is withheld when a statistical query produces a very small result set. Perturbation also addresses inference attacks, but by making minor modifications to the results of a query. Partitioning involves splitting a database into two or more physical or logical parts, which is especially relevant for multilevel secure databases.


Reference:

LaROSA, Jeanette (domain leader), Application and System Development Security CISSP Open Study Guide, version 3.0, January 2002.
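To make the two inference controls named above concrete, here is an added example (not code from the page or from the cited study guide): a toy payroll table that may only be queried statistically, answering average-salary queries under cell suppression (refuse any result set smaller than k) and under perturbation (add bounded, query-keyed noise to the true figure). The records, the threshold k = 5 and the noise bound of 5,000 are constructed values chosen for illustration.

```python
"""Cell suppression and perturbation as inference controls for a statistical
database. Added example; all data and thresholds below are constructed."""
import random
from statistics import mean

# Constructed payroll records: exposed only through aggregate queries.
RECORDS = [
    {"name": "A", "dept": "eng",   "salary": 120_000},
    {"name": "B", "dept": "eng",   "salary": 110_000},
    {"name": "C", "dept": "eng",   "salary": 130_000},
    {"name": "D", "dept": "eng",   "salary": 115_000},
    {"name": "E", "dept": "eng",   "salary": 125_000},
    {"name": "F", "dept": "legal", "salary": 150_000},  # sole member of legal
]

MIN_CELL_SIZE = 5     # k: smallest result set a query may be answered on (assumed)
NOISE_BOUND = 5_000   # maximum absolute perturbation added to an answer (assumed)


def select(records, **where):
    """Rows matching every equality predicate in `where` (e.g. dept='eng')."""
    return [r for r in records if all(r[k] == v for k, v in where.items())]


def avg_salary_unprotected(records, **where):
    """Naive statistical query. With a one-row result set the 'average' is
    exactly one person's salary, which is the inference problem."""
    rows = select(records, **where)
    return mean(r["salary"] for r in rows) if rows else None


def avg_salary_suppressed(records, min_cell=MIN_CELL_SIZE, **where):
    """Cell suppression: withhold the answer when the cell is too small."""
    rows = select(records, **where)
    if len(rows) < min_cell:
        return None  # suppressed: too few rows to hide any individual
    return mean(r["salary"] for r in rows)


def avg_salary_perturbed(records, noise=NOISE_BOUND, seed=0, **where):
    """Perturbation: always answer, but add noise bounded by +/- `noise`.
    The noise is seeded from the query itself, so repeating the same query
    returns the same value and cannot be averaged away by repetition."""
    rows = select(records, **where)
    if not rows:
        return None
    true_value = mean(r["salary"] for r in rows)
    query_key = f"{seed}:{sorted(where.items())}"  # str seed is deterministic
    rng = random.Random(query_key)
    return true_value + rng.uniform(-noise, noise)


if __name__ == "__main__":
    # The unprotected query leaks F's salary; suppression withholds it and
    # perturbation returns a value that is at most NOISE_BOUND away from it.
    print("unprotected:", avg_salary_unprotected(RECORDS, dept="legal"))
    print("suppressed: ", avg_salary_suppressed(RECORDS, dept="legal"))
    print("perturbed:  ", avg_salary_perturbed(RECORDS, dept="legal"))
    print("eng (k=5 ok):", avg_salary_suppressed(RECORDS, dept="eng"))
```

Suppression is exact but silent about small cells, which is why it is usually paired with a minimum cell size tuned to the data; perturbation keeps every query answerable at the cost of accuracy, and keying the noise to the query is what stops a client from simply repeating the query and taking the mean.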
