SSCP NOTES EXAM QUESTIONS AND ANSWERS
Four canons of ISC2 code of ethics - Correct Answers -1. Protect society, the common
good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
Deterrent Controls - Correct Answers -Goal is to dissuade an attacker from attempting
to break a security policy. EX. warning signs
Preventative Controls - Correct Answers -Attempt to block a security breach from
happening. EX. firewall, ACL, mantraps, fences
Detective Controls - Correct Answers -Security controls that attempt to detect security
incidents that do occur. EX. system alarms, IDS
Corrective Controls - Correct Answers -Security controls that attempt to reverse the
impact of a security incident. EX. system backups
Compensating Controls - Correct Answers -Controls that substitute for the loss of
primary controls and mitigate risk down to an acceptable level.
Technical Controls - Correct Answers -Smart cards, encryption, access control lists
(ACLs), intrusion detection systems, network authentication, and password aging
Administrative controls - Correct Answers -Procedures implemented to define the roles,
responsibilities, policies, and administrative functions needed to manage the control
environment.
Request control (change management process) - Correct Answers -manage, evaluate,
and prioritize requests from users.
Change Control - Correct Answers -the procedures used to identify, document, approve,
and control changes to the project baselines
Release Control - Correct Answers -Moves the code from the development environment
into production
Stages of asset management - Correct Answers -1. Process, planning, design, and
initiation
2. Development or acquisition of the asset
3. Inventory and licensing
4. Implementation and assessment
5. Operation and maintenance
6. Archiving and retention
7. Disposal and destruction
Due care - Correct Answers -taking reasonable steps to protect the interest of the
organization
Due diligence - Correct Answers -ensuring due care is carried out (steps within the due
care process)
Security Governance - Correct Answers -Practices that help support, define, and direct
security efforts of an organization
Policies - Correct Answers -Mandatory compliance, high-level objectives
Standards - Correct Answers -Mandatory compliance, detailed technical requirements
Procedures - Correct Answers -Mandatory compliance, step-by-step instructions for
completing a task
Guidelines - Correct Answers -Optional compliance, offer advice and best practice
Objects - Correct Answers -Information assets (or people or processes) that a subject
interacts with. Can include files, databases, networks, devices, or any element that
needs protection or control. Objects are protected by defining access controls
Subjects - Correct Answers -users, applications, processes that interact with assets.
Typically are an entity that requires access to specific resources. Usually assigned roles
or permissions that determine the level of access they have.
false positive - Correct Answers -Occurs when a system accepts an invalid user,
measured using the false acceptance rate (FAR)
false negative - Correct Answers -occurs when a system rejects a valid user, measured
by false rejection rate (FRR)
Crossover Error Rate (CER) - Correct Answers -Also called the equal error rate, the
point at which the rate of false rejections equals the rate of false acceptances.