Exam (elaborations)

CSSLP Final Exam Study Questions and Answers Latest 2023 (Already Graded A+)

Pages
45
Grade
A+
Uploaded on
29-05-2023
Written in
2022/2023

1. The security principle of fail-safe is related to:
a. Session management  b. Exception management  c. Least privilege  d. Single point of failure
Answer: Exception management (when a check fails or throws, the system must fail closed, i.e. deny).

2. Using the principle of keeping things simple is related to:
a. Layered security  b. Simple Security Rule  c. Economy of mechanism  d. Implementing least privilege for access control
Answer: Economy of mechanism

3. Of the following, which is not a class of controls?
a. Physical  b. Informative  c. Technical  d. Administrative
Answer: Informative

4. Log file analysis is a form of what type of control?
a. Preventive  b. Detective  c. Corrective  d. Compensating
Answer: Detective

5. To calculate ALE, you need:
a. SLE, asset value  b. ARO, asset value  c. SLE, ARO  d. Asset value, exposure factor
Answer: SLE, ARO (ALE = SLE × ARO)

6. Risk that remains after the application of controls is referred to as:
a. Acceptable risk  b. Business risk  c. Systematic risk  d. Residual risk
Answer: Residual risk

7. Calculate ALE for asset value = $1,000, exposure factor = 0.75, ARO = 2:
a. $1,500  b. $15,000  c. $375  d. Cannot be determined without additional information
Answer: $1,500 (SLE = $1,000 × 0.75 = $750; ALE = $750 × 2 = $1,500)

8. Single loss expectancy (SLE) can best be defined by which of the following equations?
a. SLE = asset value × exposure factor  b. SLE = asset value × annualized rate of occurrence (ARO)  c. SLE = annualized loss expectancy (ALE) × ARO  d. SLE = ALE × exposure factor
Answer: SLE = asset value × exposure factor

9. Which of the following describes qualitative risk management?
a. The process of using equations to determine impacts of risks to an enterprise  b. The use of experience and knowledge in the determination of single loss expectancies  c. The process of objectively determining the impact of an event that affects a project, program or business  d. The process of subjectively determining the impact of an event that affects a project, program or business
Answer: The process of subjectively determining the impact of an event that affects a project, program or business

10. Risk is defined as:
a. Any characteristic of an asset that can be exploited by a threat to cause harm  b. Any circumstance or event with the potential to cause harm to an asset  c. The overall decision-making process of identifying threats and vulnerabilities and their potential impacts  d. The possibility of suffering a loss
Answer: The possibility of suffering a loss

11. A measure of the magnitude of loss of an asset is:
a. Impact level  b. Exposure factor  c. Residual risk  d. Loss factor
Answer: Exposure factor

12. A well-formed risk statement includes all except:
a. Asset  b. Impact  c. Frequency  d. Mitigation
Answer: Frequency

13. Backups are an example of what type of control?
a. Preventive  b. Detective  c. Corrective  d. Operational
Answer: Corrective

14. Two controls, each 60 percent effective, are placed in series to mitigate risk in a system worth $100,000. What is the value of the residual risk?
a. $60,000  b. $36,000  c. $40,000  d. $16,000
Answer: $16,000 (each control passes 40 percent of what reaches it: $100,000 × 0.4 × 0.4)

15. Quantitative risk management depends upon:
a. Expert judgement and experience  b. Historical loss data  c. Impact factor definition  d. Exposure ratio
Answer: Historical loss data

16. The following are all examples of technological risk except:
a. Regulatory  b. Security  c. Change management  d. Privacy
Answer: Regulatory

17. Which of the following is measured in dollars?
a. Exposure factor  b. SLE  c. ARO  d. Impact factor
Answer: SLE

18. The primary governing law for federal computer systems is:
a. NIST  b. Sarbanes-Oxley  c. FISMA  d. Gramm-Leach-Bliley
Answer: FISMA

19. Which of the following is a security standard associated with the collection, processing and storing of credit card data?
a. Gramm-Leach-Bliley  b. PCI DSS  c. HIPAA  d. HITECH
Answer: PCI DSS

20. To protect a novel or non-obvious tangible item that will be sold to the public, one can use which of the following?
a. Patent  b. Trademark  c. Trade secret  d. Licensing
Answer: Patent

21. The organization responsible for the Top Ten list of web application vulnerabilities is:
a. DHS  b. OCTAVE  c. Microsoft  d. OWASP
Answer: OWASP

22. When using customer data as test data for production testing, what process is used to ensure privacy?
a. Data anonymization  b. Delinking  c. Safe Harbor principles  d. Data disambiguation
Answer: Data anonymization

23. Which of the following is not a common PII element?
a. Full name  b. Order number  c. IP address  d. Date of birth
Answer: Order number

24. Which of the following is an important element in preventing a data breach when backup tapes are lost in transit?
a. Service level agreements with the backup storage company  b. Use of split tapes to separate records  c. Proprietary backup systems  d. Data encryption
Answer: Data encryption

25. To interface data sharing between U.S. and European firms, one would invoke:
a. Safe Harbor principles  b. Data anonymization  c. Onward transfer protocol  d. Data protection regulation
Answer: Safe Harbor principles (note: the U.S.-EU Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015; this question reflects the older exam material)

26. Which standard is characterized by Targets of Evaluation and Security Targets?
a. ISO 9126 Software Quality Assurance  b. ISO 15288 Systems and Software Engineering  c. ISO 2700X series  d. ISO 15408 Common Criteria
Answer: ISO 15408 Common Criteria

27. Which of the following are mandatory for use in federal systems?
a. NIST SP 800 series  b. FIPS  c. NISTIRs  d. ITL security bulletins
Answer: FIPS (Federal Information Processing Standards)

28. Which of the following is not a framework to improve IT operations?
a. ITIL  b. COBIT  c. COSO  d. OWASP
Answer: OWASP

29. The third level of the CMMI model is called:
a. Quantified  b. Managed  c. Defined  d. Optimizing
Answer: Defined (levels: 1 Initial, 2 Managed, 3 Defined, 4 Quantitatively Managed, 5 Optimizing)

30. Reference monitors must possess all of the following properties except:
a. Efficient  b. Complete mediation  c. Tamper-proof  d. Verifiable
Answer: Efficient

31. HIPAA and HITECH specify protection of which of the following?
a. PHI  b. PII  c. CMMI  d. PFI
Answer: PHI

32. Safe Harbor principles include:
a. Notice, choice, security  b. Non-repudiation, notice, integrity  c. Enforcement, onward transfer, verifiable  d. Impact factor, security, access
Answer: Notice, choice, security

33. Creating a secure development lifecycle involves:
a. Adding security features to the software  b. Including threat modeling  c. Training coders to find and remove security errors  d. Modifying the development process, not the software product
Answer: Modifying the development process, not the software product

34. A software product that has security but lacks quality can result in:
a. Exploitable vulnerabilities  b. Undocumented features that result in undesired behaviors  c. Poor maintainability  d. Missing security elements
Answer: Undocumented features that result in undesired behaviors

35. Which of the following is not an attribute of an SDL process?
a. Fuzz testing  b. Bug bars  c. Authentication  d. Developer security awareness
Answer: Authentication

36. Periodic reviews to ensure that security issues are addressed as part of the development process are called:
a. Security gates  b. Security checklist  c. Threat model  d. Attack surface area analysis
Answer: Security gates

37. The term DREAD stands for:
a. Damage potential, Recoverability, Exploitability, Asset affected, and Discoverability  b. Damage potential, Reproducibility, Exploitability, Affected user base, and Discoverability  c. Damage potential, Reproducibility, External vulnerability, Asset affected, and Discoverability  d. Design issue, Reproducibility, Exploitability, Asset affected, and Discoverability
Answer: Damage potential, Reproducibility, Exploitability, Affected user base, and Discoverability

38. The term STRIDE stands for:
a. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege  b. Spoofing, Tampering, Reproducibility, Information disclosure, Denial of service, and Elevation of privilege  c. Spoofing, Tampering, Reproducibility, Information disclosure, Discoverability, and Elevation of privilege  d. Spoofing, Tampering, Repudiation, Information disclosure, Discoverability, and Elevation of privilege
Answer: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege

39. Which of the following describes the purpose of threat modeling?
a. Enumerate threats to the software  b. Define the correct and secure data flows in a program  c. Communicate testing requirements to the test team  d. Communicate threat and mitigation information across the development team
Answer: Communicate threat and mitigation information across the development team

40. A tool to examine the vulnerability of input interfaces is:
a. Threat model  b. Bug bar  c. Attack surface analysis  d. Fuzz testing framework
Answer: Fuzz testing framework

41. A linear model for software development is the:
a. Scrum model  b. Spiral model  c. Waterfall model  d. Agile model
Answer: Waterfall model

42. User stories convey high-level user requirements in which model?
a. XP model  b. Prototyping model  c. Spiral model  d. Waterfall model
Answer: XP model

43. Bug bars are used to:
a. Track bugs  b. Score bugs  c. Manage bugs  d. Attribute bugs to developers
Answer: Score bugs

44. The Microsoft SD3+C model stands for:
a. Design, Default, Directive and Concise  b. Design, Development, Deployment, and Communications  c. Design, Deployment, Directive and Concise  d. Design, Default, Deployment and Communications
Answer: Design, Default, Deployment and Communications (Secure by Design, Secure by Default, Secure in Deployment, and Communications)

45. What is used to ensure that all security activities are being correctly carried out as part of the development process?
a. Project manager judgment  b. Security leads  c. Security engineers  d. Security reviews
Answer: Security reviews

46. The objectives of an SDL are to achieve all of the following except:
a. Reduce the number of security vulnerabilities in software  b. Reduce the severity of security vulnerabilities in software  c. Eliminate threats to the software  d. Document a complete understanding of the vulnerabilities in software
Answer: Eliminate threats to the software

47. Which is the most common security vulnerability mitigation methodology used in design?
a. Defense in depth  b. Separation of duties  c. Least privilege  d. Auditability
Answer: Defense in depth

48. When policies decompose into audit risk requirements, the following are the three types of audit-related risks:
a. Requirements risk, development risk, testing risk  b. Tangible risk, intangible risk, residual risk  c. Inherent risk, control risk, detection risk  d. Confidentiality risk, integrity risk, availability risk
Answer: Inherent risk, control risk, detection risk

49. To what set of requirements can issues involving protecting data from unauthorized disclosure be decomposed?
a. Authorization  b. Authentication  c. Integrity  d. Confidentiality
Answer: Confidentiality

50. Issues related to denying illegitimate access into systems map to what kind of security requirements?
a. Authorization  b. Availability  c. Integrity  d. Confidentiality
Answer: Authorization
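The quantitative-risk questions above (SLE, ALE, and residual risk after controls in series) all reduce to the same few formulas. The following Python is an added worked example, not part of the original study set, that implements them and generalizes the series-controls question to any number of independent controls and to a cost-benefit check on a proposed control. The function names, the `ControlDecision` class, and the sample figures are assumptions for illustration; the numbers used in the usage lines are the ones from questions 7 and 14.

```python
"""Quantitative risk arithmetic behind the CSSLP SLE/ALE/residual-risk questions.

Added example: names and the cost-benefit helper are this example's own,
not from the exam material.
"""
from dataclasses import dataclass
from typing import Iterable


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor.

    EF is the fraction (0..1) of the asset's value lost in one incident.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (expected dollar loss per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def residual_risk(exposure: float, control_effectiveness: Iterable[float]) -> float:
    """Risk remaining after independent controls are applied in series.

    Each control stops its own fraction of whatever reaches it, so the
    surviving exposure is exposure * product(1 - e_i). Two 60 percent
    controls therefore leave 0.4 * 0.4 = 16 percent, not 0 percent
    (and not 100 - 120 percent).
    """
    remaining = exposure
    for effectiveness in control_effectiveness:
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")
        remaining *= 1.0 - effectiveness
    return remaining


@dataclass(frozen=True)
class ControlDecision:
    """ALE before and after a control set, and what the controls cost per year."""

    ale_before: float
    ale_after: float
    annual_control_cost: float

    @property
    def risk_reduction(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net_annual_benefit(self) -> float:
        """Positive means the controls save more than they cost."""
        return self.risk_reduction - self.annual_control_cost

    @property
    def worthwhile(self) -> bool:
        return self.net_annual_benefit > 0


def evaluate_controls(
    asset_value: float,
    exposure_factor: float,
    aro: float,
    control_effectiveness: Iterable[float],
    annual_control_cost: float,
) -> ControlDecision:
    """Chain SLE -> ALE -> residual ALE and compare against control cost."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    before = annualized_loss_expectancy(sle, aro)
    after = residual_risk(before, control_effectiveness)
    return ControlDecision(before, after, annual_control_cost)


if __name__ == "__main__":
    # Question 7: $1,000 asset, EF 0.75, ARO 2 -> ALE $1,500.
    sle = single_loss_expectancy(1000, 0.75)
    print("SLE:", sle, "ALE:", annualized_loss_expectancy(sle, 2))
    # Question 14: $100,000 exposure, two 60 percent controls in series -> $16,000 residual.
    print("residual:", residual_risk(100_000, [0.6, 0.6]))
    # Constructed cost-benefit case: the same two controls costing $20,000 a year.
    print(evaluate_controls(100_000, 1.0, 1.0, [0.6, 0.6], 20_000))
```

A control whose annual cost exceeds the ALE it removes is not cost-justified, which is the point the ALE figure exists to make; the `worthwhile` property makes that comparison explicit rather than leaving it to the reader.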
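Question 1 ties fail-safe to exception management, and the distinction is easiest to see in code. The following Python is an added example, not part of the original study set: the same authorization check written once so that an exception in the policy lookup silently grants access (fail-open) and once so that any failure denies access and records an audit event (fail-closed, the fail-safe behaviour the question refers to). The policy table, the `PolicyUnavailable` fault and the audit list are constructed for the example.

```python
"""Fail-open versus fail-closed exception handling around an authorization decision.

Added example; the policy store, its failure mode and the audit log are
constructed here and stand in for a real policy service.
"""
from typing import Dict, List, Optional, Tuple

# Constructed policy table: (user, resource) -> allowed.
POLICY: Dict[Tuple[str, str], bool] = {
    ("alice", "/reports"): True,
    ("bob", "/reports"): False,
}

# Where the fail-closed path records denials caused by errors (a detective control).
AUDIT_LOG: List[str] = []


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be consulted (constructed fault)."""


def lookup_policy(user: str, resource: str,
                  store: Optional[Dict[Tuple[str, str], bool]]) -> bool:
    """Return the stored decision; missing entries are denied by default."""
    if store is None:
        raise PolicyUnavailable("policy store unreachable")
    return store.get((user, resource), False)


def is_allowed_fail_open(user: str, resource: str,
                         store: Optional[Dict[Tuple[str, str], bool]] = POLICY) -> bool:
    """INSECURE pattern: the default is set before the check, so if the
    lookup raises, the swallowed exception leaves the permissive default in place."""
    allowed = True
    try:
        allowed = lookup_policy(user, resource, store)
    except PolicyUnavailable:
        pass  # error swallowed; caller proceeds as if authorized
    return allowed


def is_allowed_fail_closed(user: str, resource: str,
                           store: Optional[Dict[Tuple[str, str], bool]] = POLICY) -> bool:
    """Fail-safe pattern: only an explicit positive decision grants access.

    Any exception, expected or not, results in denial plus an audit record,
    so an outage in the policy service degrades to 'nobody gets in' rather
    than 'everybody gets in'.
    """
    try:
        return bool(lookup_policy(user, resource, store))
    except Exception as exc:  # broad on purpose: unknown failures must not grant
        AUDIT_LOG.append(f"DENY {user} {resource}: authorization check failed: {exc}")
        return False


if __name__ == "__main__":
    # Normal operation: both variants agree.
    print("alice fail-open :", is_allowed_fail_open("alice", "/reports"))
    print("alice fail-closed:", is_allowed_fail_closed("alice", "/reports"))
    # Policy store down (store=None): the fail-open variant lets bob in.
    print("bob, store down, fail-open  :", is_allowed_fail_open("bob", "/reports", store=None))
    print("bob, store down, fail-closed:", is_allowed_fail_closed("bob", "/reports", store=None))
    print("\n".join(AUDIT_LOG))
```

The fail-closed version also catches `Exception` rather than only the expected fault, because a bug in the lookup (a `KeyError`, a type error from a malformed policy row) is just as capable of bypassing the check as the outage the code anticipated; denying and logging is the safe default for both.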

Institution
CSSLP - Certified Secure Software Lifecycle Professional
Course
CSSLP - Certified Secure Software Lifecycle Professional