OFFICIAL (ISC)² SSCP
QUESTIONS AND ANSWERS
2024/2025
Authorization - ANS >>Determines whether a user is permitted to access a particular resource.
Connected Tokens - ANS >>Must be physically connected to the computer to which the user is authenticating.
Contactless Tokens - ANS >>Form a logical connection to the client computer but do not require a physical connection.
Disconnected Tokens - ANS >>Have neither a physical nor logical connection to the client computer.
Entitlement - ANS >>A set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose.
Identity Management - ANS >>The task of controlling information about users on computers.
Proof of Identity - ANS >>Verify people's identities before the enterprise issues them accounts and credentials.
Kerberos - ANS >>A popular network authentication protocol for indirect (third-party) authentication services.
Access Control Object - ANS >>A passive entity that typically receives or contains some form of data.
Lightweight Directory Access Protocol (LDAP) - ANS >>A client/server-based directory query protocol loosely based on X.500, commonly used to manage user information. LDAP is a front end and not used to manage or synchronize data per se, as opposed to DNS.
Single Sign-On (SSO) - ANS >>Designed to provide strong authentication using secret-key cryptography, allowing a single identity to be shared across multiple applications.
Static Password Token - ANS >>The device contains a password that is physically hidden (not visible to the possessor) but that is transmitted for each authentication.
Synchronous Dynamic Password Token - ANS >>A timer is used to rotate through various combinations produced by a cryptographic algorithm.
Trust Path - ANS >>A series of trust relationships that authentication requests must follow between domains.
6to4 - ANS >>Transition mechanism for migrating from IPv4 to IPv6. It allows systems to use IPv6 to communicate if their traffic has to traverse an IPv4 network.
Absolute addresses - ANS >>Hardware addresses used by the CPU.
Abstraction - ANS >>The capability to suppress unnecessary details so the important, inherent properties can be examined and reviewed.
Accepted ways for handling risk - ANS >>Accept, transfer, mitigate, avoid.
Access - ANS >>The flow of information between a subject and an object.
Access control matrix - ANS >>A table of subjects and objects indicating what actions individual subjects can take upon individual objects.
Access control model - ANS >>An access control model is a framework that dictates how subjects access objects.
Access controls - ANS >>Are security features that control how users and systems communicate and interact with other systems and resources.
Accreditation - ANS >>Formal acceptance of the adequacy of a system's overall security by management.
Active attack - ANS >>Attack where the attacker does interact with processing or communication activities.
ActiveX - ANS >>A Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner.
Address bus - ANS >>Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.
Address resolution protocol (ARP) - ANS >>A networking protocol used for resolution of network layer IP addresses into link layer MAC addresses.
Address space layout randomization (ASLR) - ANS >>Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.
Algebraic attack - ANS >>Cryptanalysis attack that exploits vulnerabilities within the intrinsic algebraic structure of mathematical functions.
Algorithm - ANS >>Set of mathematical and logic rules used in cryptographic functions.
Analog signals - ANS >>Continuously varying electromagnetic wave that represents and transmits data.
Analytic attack - ANS >>Cryptanalysis attack that exploits vulnerabilities within the algorithm structure.
Annualized loss expectancy (ALE) - ANS >>Annual expected loss if a specific vulnerability is exploited and how it affects a single asset. SLE × ARO = ALE.
Application programming interface (API) - ANS >>Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.
Arithmetic logic unit (ALU) - ANS >>A component of the computer's processing unit, in which arithmetic and matching operations are performed.
AS/NZS 4360 - ANS >>Australia and New Zealand business risk management assessment approach.
Assemblers - ANS >>Tools that convert assembly code into the necessary machine-compatible binary language for processing activities to take place.
Assembly language - ANS >>A low-level programming language that is the mnemonic representation of machine-level instructions.
Assurance evaluation criteria - ANS >>Checklist and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.
Asymmetric algorithm - ANS >>Encryption method that uses two different key types, public and private. Also called public key cryptography.
Asymmetric mode multiprocessing - ANS >>When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.
Asynchronous communication - ANS >>Transmission sequencing technology that uses start and stop bits or a similar encoding mechanism. Used in environments that transmit a variable amount of data in a periodic fashion.
Asynchronous token generating method - ANS >>Employs a challenge/response scheme to authenticate the user.