SSCP UC EXAM QUESTIONS AND ANSWERS
CBK - Correct Answers -Common Body of Knowledge- SSCP has 7 Domains
Domain 1: Access Controls - Correct Answers -Domain 1: Access Controls: Policies,
standards, and procedures that define who users are, what they can do, which
resources and information they can access, and what operations they can perform on a
system, such as:
1.1 Implement and maintain authentication methods
1.2 Support internetwork trust architectures
1.3 Participate in the identity management lifecycle
1.4 Implement access controls
Domain 2: Security Operations and Administration: - Correct Answers -Domain 2:
Security Operations and Administration: Identification of information assets and
documentation of policies, standards, procedures, and guidelines that ensure
confidentiality, integrity, and availability, such as:
2.1 Comply with codes of ethics
2.2 Understand security concepts
2.3 Document, implement, and maintain functional security controls
2.4 Participate in asset management
2.5 Implement security controls and assess compliance
2.6 Participate in change management
2.7 Participate in security awareness and training
2.8 Participate in physical security operations (e.g., data center assessment, badging)
Domain 3: Risk Identification, Monitoring, and Analysis - Correct Answers -Domain 3:
Risk Identification, Monitoring, and Analysis: Risk identification is the review, analysis,
and implementation of processes essential to the identification, measurement, and
control of loss associated with unplanned adverse events. Monitoring and analysis are
determining system implementation and access in accordance with defined IT criteria.
This involves collecting information for identification of, and response to, security
breaches or events, such as:
3.1 Understand the risk management process
3.2 Perform security assessment activities
3.3 Operate and maintain monitoring systems (e.g., continuous monitoring)
3.4 Analyze monitoring results
Domain 4: Incident Response and Recovery - Correct Answers -Domain 4: Incident
Response and Recovery: "The show must go on" is a well-known saying that means
even if there are problems or difficulties, an event or activity must continue. Incident
,response and recovery ensures the work of the organization will continue. In this
domain, the SSCP gains an understanding of how to handle incidents using consistent,
applied approaches like business continuity planning (BCP) and disaster recovery
planning (DRP). These approaches are utilized to mitigate damages, recover business
operations, and avoid critical business interruption:
4.1 Support incident lifecycle
4.2 Understand and support forensic investigations
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan
(DRP) activities
Domain 5: Cryptography - Correct Answers -Domain 5: Cryptography: The protection of
information using techniques that ensure its integrity, confidentiality, authenticity, and
nonrepudiation, and the recovery of encrypted information in its original form:
5.1 Understand fundamental concepts of cryptography
5.2 Understand reasons and requirements for cryptography
5.2 Understand and support secure protocols
5.2 Understand public key infrastructure (PKI) systems
Domain 6: Network and Communications Security - Correct Answers -Domain 6:
Network and Communications Security: The network structure, transmission methods
and techniques, transport formats, and security measures used to operate both private
and public communication networks:
6.1 Understand and apply fundamental concepts of networking
6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle,
DNS poisoning)
6.3 Manage network access controls
6.4 Manage network security
6.5 Operate and configure network-based security devices
6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, Wi-Fi)
Domain 7: Systems and Application Security: - Correct Answers -Domain 7: Systems
and Application Security: Countermeasures and prevention techniques for dealing with
viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally
created damaging code:
7.1 Identify and analyze malicious code and activity
7.2 Implement and operate endpoint device security
7.3 Operate and configure cloud security
7.4 Operate and secure virtual environments
Which of the following are the individual facts, observations, or elements of
measurement?
This task contains the radio buttons and checkboxes for options. The shortcut keys to
perform this task are A to H and alt+1 to alt+9.
A
Wisdom
B
,Information
C
Data
D
Knowledge - Correct Answers -C
As the IT security director, Paul does not have anybody looking at systems monitoring
or event logging data. Which set of responsibilities is Paul in violation of?
This task contains the radio buttons and checkboxes for options. The shortcut keys to
perform this task are A to H and alt+1 to alt+9.
A
Integrity
B
Due diligence
C
Due care
D
Availability - Correct Answers -B
Paul is violating the responsibilities of due diligence. The fact that systems monitoring
and event data is collected at all indicates that Paul or his staff determined it was a
necessary part of keeping the organization's information systems secure—they took
(due) care of those responsibilities. But by not reviewing the data to verify proper
systems behavior and use, or to look for potential intrusions or compromises, Paul has
not been diligent. Integrity and availability do not relate to the given scenario.
Tradesecrets - Correct Answers -Trade secrets are those parts of a company's business
logic that it believes are unique, not widely known or understood in the marketplace,
and not easily deduced or inferred from the products themselves. Declaring part of its
business logic as a trade secret allows a company to claim unique use of it—in effect,
declare that it has a monopoly on doing business i
Patents - Correct Answers -Patents are legal recognition by governments that someone
has created a new and unique way of doing something. The patent grants a legal
monopoly right in that idea, for a fixed length of time. Since the patent is a published
document, anyone can learn how to do what the patent describes. If they start to use it
in a business, they either must license its use from the patent holder (typically involving
payment of fees) or risk being found guilty of patent infringement by patents and
trademarks tribunal or court of law.
Privacy - Correct Answers -Privacy, which refers to a person (or a business), is the
freedom from intrusion by others into one's own life, place of residence or work, or
relationships with others. Privacy means that you have the freedom to choose who can
come into these aspects of your life and what they can know about you. Privacy is an
element of common law, or the body of unwritten legal principles that are just as
enforceable by the courts as the written laws are in many countries. It starts with the
privacy rights and needs of one person and grows to treat families, other organizations,
, and other relationships (personal, professional, or social) as being free from
unwarranted intrusion.
company confidential or proprietary information - Correct Answers -company
confidential or proprietary information almost every day. Both terms declare that the
business owns this information; the company has paid the costs to develop this
information (such as the salaries of the people who thought up these ideas or wrote
them down in useful form for the company), which represents part of the business's
competitive advantage over its competitors. Both terms reflect the legitimate business
need to keep some data and ideas private to the business.
An unwarranted action is one that is either (regarding Privacy): - Correct Answers -An
unwarranted action is one that is either:
Without a warrant, a court order, or other due process of law that allows the action to
take place
Has no reasonable cause; serves no reasonable purpose; or exceeds the common
sense of what is right and proper
This is key: privacy can be enforced both by contracts and by law. - Correct Answers -
Privacy: In Law, in Practice, in Information Systems - Correct Answers -Public law
enforces these principles. Laws such as the Fourth and Fifth Amendments to the U.S.
Constitution, for example, address the first three, whereas the Privacy Act of 1974
created restrictions on how the government could share with others what it knew about
its citizens (and even limited sharing of such information within government). Medical
codes of practice and the laws that reflect them encourage data sharing to help health
professionals detect a potential new disease epidemic, but they also require that
personally identifiable information in the clinical data be removed or anonymized to
protect individual patients.
The European Union has enacted a series of policies and laws designed to protect
individual privacy as businesses and governments exchange data about people,
transactions, and themselves. The latest of these, General Data Protection Regulation
2016/679 (GDPR), is a law that applies to all persons, businesses, or organizations
doing anything involving the data related to an EU person. The GDPR's requirements
meant that by May 2018, businesses had to change the ways that they collected, used,
stored, and shared information about anyone who contacted them (such as by browsing
to their website); they also had to notify such users about the changes and gain their
informed consent to such use. Many news and infotainment sites hosted in the United
States could not serve EU persons until they implemented changes to become GDPR
compliant
Public places - Correct Answers -Public places are areas or spaces in which anyone
and everyone can see, hear, or notice the presence of other people, and observe what
they are doing, intentionally or unintentionally. There is little to no degree of control as to
who can be in a public place. A city park is a public place.
CBK - Correct Answers -Common Body of Knowledge- SSCP has 7 Domains
Domain 1: Access Controls - Correct Answers -Domain 1: Access Controls: Policies,
standards, and procedures that define who users are, what they can do, which
resources and information they can access, and what operations they can perform on a
system, such as:
1.1 Implement and maintain authentication methods
1.2 Support internetwork trust architectures
1.3 Participate in the identity management lifecycle
1.4 Implement access controls
Domain 2: Security Operations and Administration: - Correct Answers -Domain 2:
Security Operations and Administration: Identification of information assets and
documentation of policies, standards, procedures, and guidelines that ensure
confidentiality, integrity, and availability, such as:
2.1 Comply with codes of ethics
2.2 Understand security concepts
2.3 Document, implement, and maintain functional security controls
2.4 Participate in asset management
2.5 Implement security controls and assess compliance
2.6 Participate in change management
2.7 Participate in security awareness and training
2.8 Participate in physical security operations (e.g., data center assessment, badging)
Domain 3: Risk Identification, Monitoring, and Analysis - Correct Answers -Domain 3:
Risk Identification, Monitoring, and Analysis: Risk identification is the review, analysis,
and implementation of processes essential to the identification, measurement, and
control of loss associated with unplanned adverse events. Monitoring and analysis are
determining system implementation and access in accordance with defined IT criteria.
This involves collecting information for identification of, and response to, security
breaches or events, such as:
3.1 Understand the risk management process
3.2 Perform security assessment activities
3.3 Operate and maintain monitoring systems (e.g., continuous monitoring)
3.4 Analyze monitoring results
Domain 4: Incident Response and Recovery - Correct Answers -Domain 4: Incident
Response and Recovery: "The show must go on" is a well-known saying that means
even if there are problems or difficulties, an event or activity must continue. Incident
,response and recovery ensures the work of the organization will continue. In this
domain, the SSCP gains an understanding of how to handle incidents using consistent,
applied approaches like business continuity planning (BCP) and disaster recovery
planning (DRP). These approaches are utilized to mitigate damages, recover business
operations, and avoid critical business interruption:
4.1 Support incident lifecycle
4.2 Understand and support forensic investigations
4.3 Understand and support business continuity plan (BCP) and disaster recovery plan
(DRP) activities
Domain 5: Cryptography - Correct Answers -Domain 5: Cryptography: The protection of
information using techniques that ensure its integrity, confidentiality, authenticity, and
nonrepudiation, and the recovery of encrypted information in its original form:
5.1 Understand fundamental concepts of cryptography
5.2 Understand reasons and requirements for cryptography
5.2 Understand and support secure protocols
5.2 Understand public key infrastructure (PKI) systems
Domain 6: Network and Communications Security - Correct Answers -Domain 6:
Network and Communications Security: The network structure, transmission methods
and techniques, transport formats, and security measures used to operate both private
and public communication networks:
6.1 Understand and apply fundamental concepts of networking
6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle,
DNS poisoning)
6.3 Manage network access controls
6.4 Manage network security
6.5 Operate and configure network-based security devices
6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, Wi-Fi)
Domain 7: Systems and Application Security: - Correct Answers -Domain 7: Systems
and Application Security: Countermeasures and prevention techniques for dealing with
viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally
created damaging code:
7.1 Identify and analyze malicious code and activity
7.2 Implement and operate endpoint device security
7.3 Operate and configure cloud security
7.4 Operate and secure virtual environments
Which of the following are the individual facts, observations, or elements of
measurement?
This task contains the radio buttons and checkboxes for options. The shortcut keys to
perform this task are A to H and alt+1 to alt+9.
A
Wisdom
B
,Information
C
Data
D
Knowledge - Correct Answers -C
As the IT security director, Paul does not have anybody looking at systems monitoring
or event logging data. Which set of responsibilities is Paul in violation of?
This task contains the radio buttons and checkboxes for options. The shortcut keys to
perform this task are A to H and alt+1 to alt+9.
A
Integrity
B
Due diligence
C
Due care
D
Availability - Correct Answers -B
Paul is violating the responsibilities of due diligence. The fact that systems monitoring
and event data is collected at all indicates that Paul or his staff determined it was a
necessary part of keeping the organization's information systems secure—they took
(due) care of those responsibilities. But by not reviewing the data to verify proper
systems behavior and use, or to look for potential intrusions or compromises, Paul has
not been diligent. Integrity and availability do not relate to the given scenario.
Tradesecrets - Correct Answers -Trade secrets are those parts of a company's business
logic that it believes are unique, not widely known or understood in the marketplace,
and not easily deduced or inferred from the products themselves. Declaring part of its
business logic as a trade secret allows a company to claim unique use of it—in effect,
declare that it has a monopoly on doing business i
Patents - Correct Answers -Patents are legal recognition by governments that someone
has created a new and unique way of doing something. The patent grants a legal
monopoly right in that idea, for a fixed length of time. Since the patent is a published
document, anyone can learn how to do what the patent describes. If they start to use it
in a business, they either must license its use from the patent holder (typically involving
payment of fees) or risk being found guilty of patent infringement by patents and
trademarks tribunal or court of law.
Privacy - Correct Answers -Privacy, which refers to a person (or a business), is the
freedom from intrusion by others into one's own life, place of residence or work, or
relationships with others. Privacy means that you have the freedom to choose who can
come into these aspects of your life and what they can know about you. Privacy is an
element of common law, or the body of unwritten legal principles that are just as
enforceable by the courts as the written laws are in many countries. It starts with the
privacy rights and needs of one person and grows to treat families, other organizations,
, and other relationships (personal, professional, or social) as being free from
unwarranted intrusion.
company confidential or proprietary information - Correct Answers -company
confidential or proprietary information almost every day. Both terms declare that the
business owns this information; the company has paid the costs to develop this
information (such as the salaries of the people who thought up these ideas or wrote
them down in useful form for the company), which represents part of the business's
competitive advantage over its competitors. Both terms reflect the legitimate business
need to keep some data and ideas private to the business.
An unwarranted action is one that is either (regarding Privacy): - Correct Answers -An
unwarranted action is one that is either:
Without a warrant, a court order, or other due process of law that allows the action to
take place
Has no reasonable cause; serves no reasonable purpose; or exceeds the common
sense of what is right and proper
This is key: privacy can be enforced both by contracts and by law. - Correct Answers -
Privacy: In Law, in Practice, in Information Systems - Correct Answers -Public law
enforces these principles. Laws such as the Fourth and Fifth Amendments to the U.S.
Constitution, for example, address the first three, whereas the Privacy Act of 1974
created restrictions on how the government could share with others what it knew about
its citizens (and even limited sharing of such information within government). Medical
codes of practice and the laws that reflect them encourage data sharing to help health
professionals detect a potential new disease epidemic, but they also require that
personally identifiable information in the clinical data be removed or anonymized to
protect individual patients.
The European Union has enacted a series of policies and laws designed to protect
individual privacy as businesses and governments exchange data about people,
transactions, and themselves. The latest of these, General Data Protection Regulation
2016/679 (GDPR), is a law that applies to all persons, businesses, or organizations
doing anything involving the data related to an EU person. The GDPR's requirements
meant that by May 2018, businesses had to change the ways that they collected, used,
stored, and shared information about anyone who contacted them (such as by browsing
to their website); they also had to notify such users about the changes and gain their
informed consent to such use. Many news and infotainment sites hosted in the United
States could not serve EU persons until they implemented changes to become GDPR
compliant
Public places - Correct Answers -Public places are areas or spaces in which anyone
and everyone can see, hear, or notice the presence of other people, and observe what
they are doing, intentionally or unintentionally. There is little to no degree of control as to
who can be in a public place. A city park is a public place.
