Free SSCP Exam Braindumps (page: 96)

Page 95 of 269

Which of the following should be performed by an operator?

  1. Changing profiles
  2. Approving changes
  3. Adding and removal of users
  4. Installing system software

Answer(s): D

Explanation:

Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment.


Reference:

MOSHER, Richard & ROTHKE, Ben, CISSP CBK Review presentation on domain 7.



Which of the following is not appropriate in addressing object reuse?

  1. Degaussing magnetic tapes when they're no longer needed.
  2. Deleting files on disk before reusing the space.
  3. Clearing memory blocks before they are allocated to a program or data.
  4. Clearing buffered pages, documents, or screens from the local memory of a terminal or printer.

Answer(s): B

Explanation:

Object reuse requirements, applying to systems rated TCSEC C2 and above, are used to protect files, memory, and other objects in a trusted system from being accidentally accessed by users who are not authorized to access them. Deleting files on disk merely erases file headers in a directory structure. It does not clear data from the disk surface, thus making files still recoverable. All other options involve clearing used space, preventing any unauthorized access.


Reference:

RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 119).



Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?

  1. Business and functional managers
  2. IT Security practitioners
  3. System and information owners
  4. Chief information officer

Answer(s): C

Explanation:

The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper implementation of security requirements in their IT systems.


Reference:

STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology Systems, 2001 (page 6).



An effective information security policy should not have which of the following characteristic?

  1. Include separation of duties
  2. Be designed with a short- to mid-term focus
  3. Be understandable and supported by all stakeholders
  4. Specify areas of responsibility and authority

Answer(s): B

Explanation:

An effective information security policy should be designed with a long-term focus.
All other characteristics apply.


Reference:

ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison- Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).






Post your Comments and Discuss ISC SSCP exam with other Community members:

SSCP Exam Discussions & Posts