(ISC)2 – SSCP EXAM QUESTIONS AND
ANSWERS
1. Prevention: something like a lock on the door
2. Detection: something like an alarm system
3. Recovery: actions taken after an unwanted occurrence - Correct Answers -What are
the three security categories?
1. Identification: user provides identification
2. Authentication: second type of identification proving the user is who they claim to be
3. Authorization: assigns rights & privileges based on user's profile after they are
authenticated
4. Accounting: tracing and recording the use of assets. - Correct Answers -What are the
four steps of Access Control?
Auditing - Correct Answers -What is the act of reviewing or monitoring data obtained
during the Accounting process?
- Prudent Man
- Due Dilligence
- Due Care - Correct Answers -- This concept refers to actions that may be reasonably
taken (or are obvious) to safeguard corporate assets and data, as well as following best
practices from similar organizations
- This is verifying that a control or process is performing as intended
- This refers to taking actions that are prudent and reasonable to protect the assets of
the organization
- M of N requirement
- Two-Man Rule
- Transparency - Correct Answers -- This process allows multiple people out of a group
to be able to take a certain action, and can also require a certain number of individuals
to agree prior to action being taken
- This is a procedure popular in very high-security locations and situations. It features
two individuals who must agree upon action yet are physically separated and must
therefore take action independent of the other
- This principle allows anyone to access, view, and test hardware or software systems.
For example: testing a new cryptographic algorithm
- Privilege Management or Privilege Lifecycle
- Rights and Privilege Audit
,- Account Deactivation
- Orphan account - Correct Answers -- These are events related to things like an
employee getting promoted, getting fired, leaving the company, or retiring
- This ensures that a user's permissions match the minimum required to do their job and
do not exceed it
- This ensures that access rights are taken away immediately upon a user getting fired,
leaving, or retiring.
- What is an account called when an employee has been gone for a long time but it is
still active?
- Deniability
- Disclosure - Correct Answers -- What is the term used to describe the violation of non-
repudiation?
- What term is used to describe the violation of confidentiality?
1. New Hire Orientation: the individual is typically made aware of the dos and don'ts of
the company's security policies and may sign an AUP
2. Mandatory Security Training: required under various regulations such as HIPAA in
the medical field as well as various privacy regulations with respect to financial,
banking, and credit card industry information
3. Specialty Security Training: includes training programs made available for vendors,
customers, extranet users, senior executives, and department managers or offered in
special situations
4. Corporate-wide Security Training: generally required at least once a year by most
corporations - Correct Answers -What are four types of security awareness training?
1. Physical: locks, doors, fences, etc
2. Logical: ACLs, IDS, firewalls, routers, etc
3. Administrative Controls: banners, signs, company policies, log-on screen stating
appropriate use, etc - Correct Answers -What are three types of controls?
1. Physical: tangible things like the building and hardware
2. Digital: data stored in IT systems
3. Information: what is stored inside the data
- People
- Assurance Procedures - Correct Answers -- What are three types of assets?
- What is the most important asset to protect?
- What are procedures that ensure the access control mechanisms correctly implement
the security policy?
- Subjects are always active (like requesting a resource) while objects are passive (they
are the resource waiting to be accessed). They can exchanges places depending on
what's happening.
- If a user requests information from a web server, the web server is an object, but it
may also request information from a back end database. When making a request to the
, database, the web server would also be a subject - Correct Answers -- How can you tell
a subject from an object?
- When can an object also be a subject?
1. Software
2. Hardware - Correct Answers -What are two categories of Logical Access Controls?
1. Enrollment Time: setting up the device with user's information
2. Error Rate: biometric devices compare a current reading with a recorded reading and
are not always accurate, e.g. when your finger is wet and fails a fingerprint scan
3. Acquire Time: time is takes to perform various biometric scans when a user wants
access
4. Throughput Time: how long it takes to compare the current sample from the user to
historical sample for authenticaion
5. One-to-one Search: errors can occur when data points do not match - Correct
Answers -What are five challenging aspects to using biometrics?
1. False Rejection Rate (FRR): aka a Type I error; how often a biometric system rejects
a good user
2. False Acceptance Rate (FAR): aka a Type 2 error; how often a biometric system
incorrectly IDs a bad user as a good user
3. Crossover Error Rate (CER): Where the FAR and FRR cross over. The lower the
CER, the better the system. - Correct Answers -What are the three error rates for
biometrics?
OPIE: One-time Password In Everything - Correct Answers -This is a type of one-time
password based on S/Key in Unix systems. Usually a user's password combined with
other data, then hashed with MD4 or MD5
1. Value of the information: this is subjective depending on the organization
2. Method of accessing the information: how the information is made available - Correct
Answers -What two requirements do System-Level Access Controls address?
- DAC (Discretionary Access Control)
- Non-DAC (Non-Discretionary Access Control)
- MAC (Mandatory Access Control) - Correct Answers -- This type of access control is
determined by the data owner. For example: the owner assigns specific permissions to
different user accounts. These permissions are recorded in an ACL
- This type of access control is when a system administrator, management, or an
information tagging/labeling system controls access to objects by subjects. In this case,
the access might be granted by policy to a specific group of users. The system
administrator is carrying out policy administration.
- Under this type of access control, subjects and objects are assigned labels or tags
- SCI (Sensitive Compartmented Information)
ANSWERS
1. Prevention: something like a lock on the door
2. Detection: something like an alarm system
3. Recovery: actions taken after an unwanted occurrence - Correct Answers -What are
the three security categories?
1. Identification: user provides identification
2. Authentication: second type of identification proving the user is who they claim to be
3. Authorization: assigns rights & privileges based on user's profile after they are
authenticated
4. Accounting: tracing and recording the use of assets. - Correct Answers -What are the
four steps of Access Control?
Auditing - Correct Answers -What is the act of reviewing or monitoring data obtained
during the Accounting process?
- Prudent Man
- Due Dilligence
- Due Care - Correct Answers -- This concept refers to actions that may be reasonably
taken (or are obvious) to safeguard corporate assets and data, as well as following best
practices from similar organizations
- This is verifying that a control or process is performing as intended
- This refers to taking actions that are prudent and reasonable to protect the assets of
the organization
- M of N requirement
- Two-Man Rule
- Transparency - Correct Answers -- This process allows multiple people out of a group
to be able to take a certain action, and can also require a certain number of individuals
to agree prior to action being taken
- This is a procedure popular in very high-security locations and situations. It features
two individuals who must agree upon action yet are physically separated and must
therefore take action independent of the other
- This principle allows anyone to access, view, and test hardware or software systems.
For example: testing a new cryptographic algorithm
- Privilege Management or Privilege Lifecycle
- Rights and Privilege Audit
,- Account Deactivation
- Orphan account - Correct Answers -- These are events related to things like an
employee getting promoted, getting fired, leaving the company, or retiring
- This ensures that a user's permissions match the minimum required to do their job and
do not exceed it
- This ensures that access rights are taken away immediately upon a user getting fired,
leaving, or retiring.
- What is an account called when an employee has been gone for a long time but it is
still active?
- Deniability
- Disclosure - Correct Answers -- What is the term used to describe the violation of non-
repudiation?
- What term is used to describe the violation of confidentiality?
1. New Hire Orientation: the individual is typically made aware of the dos and don'ts of
the company's security policies and may sign an AUP
2. Mandatory Security Training: required under various regulations such as HIPAA in
the medical field as well as various privacy regulations with respect to financial,
banking, and credit card industry information
3. Specialty Security Training: includes training programs made available for vendors,
customers, extranet users, senior executives, and department managers or offered in
special situations
4. Corporate-wide Security Training: generally required at least once a year by most
corporations - Correct Answers -What are four types of security awareness training?
1. Physical: locks, doors, fences, etc
2. Logical: ACLs, IDS, firewalls, routers, etc
3. Administrative Controls: banners, signs, company policies, log-on screen stating
appropriate use, etc - Correct Answers -What are three types of controls?
1. Physical: tangible things like the building and hardware
2. Digital: data stored in IT systems
3. Information: what is stored inside the data
- People
- Assurance Procedures - Correct Answers -- What are three types of assets?
- What is the most important asset to protect?
- What are procedures that ensure the access control mechanisms correctly implement
the security policy?
- Subjects are always active (like requesting a resource) while objects are passive (they
are the resource waiting to be accessed). They can exchanges places depending on
what's happening.
- If a user requests information from a web server, the web server is an object, but it
may also request information from a back end database. When making a request to the
, database, the web server would also be a subject - Correct Answers -- How can you tell
a subject from an object?
- When can an object also be a subject?
1. Software
2. Hardware - Correct Answers -What are two categories of Logical Access Controls?
1. Enrollment Time: setting up the device with user's information
2. Error Rate: biometric devices compare a current reading with a recorded reading and
are not always accurate, e.g. when your finger is wet and fails a fingerprint scan
3. Acquire Time: time is takes to perform various biometric scans when a user wants
access
4. Throughput Time: how long it takes to compare the current sample from the user to
historical sample for authenticaion
5. One-to-one Search: errors can occur when data points do not match - Correct
Answers -What are five challenging aspects to using biometrics?
1. False Rejection Rate (FRR): aka a Type I error; how often a biometric system rejects
a good user
2. False Acceptance Rate (FAR): aka a Type 2 error; how often a biometric system
incorrectly IDs a bad user as a good user
3. Crossover Error Rate (CER): Where the FAR and FRR cross over. The lower the
CER, the better the system. - Correct Answers -What are the three error rates for
biometrics?
OPIE: One-time Password In Everything - Correct Answers -This is a type of one-time
password based on S/Key in Unix systems. Usually a user's password combined with
other data, then hashed with MD4 or MD5
1. Value of the information: this is subjective depending on the organization
2. Method of accessing the information: how the information is made available - Correct
Answers -What two requirements do System-Level Access Controls address?
- DAC (Discretionary Access Control)
- Non-DAC (Non-Discretionary Access Control)
- MAC (Mandatory Access Control) - Correct Answers -- This type of access control is
determined by the data owner. For example: the owner assigns specific permissions to
different user accounts. These permissions are recorded in an ACL
- This type of access control is when a system administrator, management, or an
information tagging/labeling system controls access to objects by subjects. In this case,
the access might be granted by policy to a specific group of users. The system
administrator is carrying out policy administration.
- Under this type of access control, subjects and objects are assigned labels or tags
- SCI (Sensitive Compartmented Information)
