WGU C845 SSCP EXAM QUESTIONS WITH
CORRECT ANSWERS
During what phase of the change management process does the organization conduct
peer review of the change for accuracy and completeness? - Correct Answers -
Analysis/Impact Assessment
Steve is responsible for workstations that handle proprietary information. What is the
best option for these workstations at the end of their lifecycle? - Correct Answers -
Sanitization
What is the earliest stage of a fire to use detection technology to identify it? - Correct
Answers - Incipient
What security control would provide the best defense against a threat actor trying to
execute a buffer overflow attack against a custom application? - Correct Answers -
Parameter Checking/Input Validation
Which of the following is NOT true of the ISC2 Code of Ethics?
A. Adherence to the Code of Ethics is a condition of Certification
B. The code of ethics applies to all security professionals
C. Failure to comply with the Code of Ethics could result in revocation of certification
D. Members who observe a breach of the Code of Ethics are required to report the
possible violation - Correct Answers -B.
Under what type of software license does the recipient of software have an unlimited
right to copy, modify, distribute, or resell a software package? - Correct Answers -Public
Domain
What should Steve do if a FAR/FRR diagram does not provide an acceptable
performance level for his organization's needs? - Correct Answers -Assess other
biometric systems to compare them since the CER is used to assess biometric devices.
What is the CER in biometric device measurement? - Correct Answers - Crossover Error
Rate is the number that results when a biometric device is adjusted to provide equal
false acceptance and false rejection rates.
What type of access control would be the best choice for a person that would like to
support a declaration like "Only allow access to customer service on managed devices,
on the wireless network, between 8 am and 7 pm"? - Correct Answers - Attribute Based
Access Control (ABAC)
What is the benefit of ABAC over RBAC? - Correct Answers - ABAC can be
more specific and thus more flexible
What is the primary advantage of decentralized access control? - Correct Answers -It
provides control of access to people closer to the resources
How are rules set in ABAC systems? - Correct Answers - ABAC uses Boolean logic
statements, which allow it to be more flexible than RBAC for temporary rules such as
allowing time-limited access.
Which of the following is best described as an access control model that focuses on
subjects and identifies the objects that each subject can access?
A. Access control list
B. Capability Table
C. Implicit denial list
D. Rights Management Matrix - Correct Answers -B
Adam is accessing a standalone file server using a username and password provided
by the server administrator. Which one of the following entities is guaranteed to have
information necessary to complete the authorization process?
A. File Server
B. Adam
C. Server Administrator
D. Adam's Supervisor - Correct Answers -A. The file server has the correct information
on what activities Adam is AUTHORIZED to perform
A new member at a 24-hour gym that uses fingerprints to gain access after hours is
surprised to find out that he is registering as a different member. What type of biometric
factor error occurred? - Correct Answers - Since he was accepted as a different member,
this was a Type 2 (false positive) error. If he was not accepted and the door remained
locked, it would have been a Type 1 (false negative) error.
You are tasked with adjusting your organization's password requirements to make them
align with best practices from NIST. What should you set password expiration to? -
Correct Answers - NIST Special Publication 800-63B suggests that organizations should
not impose password expiration requirements on end users
What access control scheme labels subjects and objects and allows subjects to access
objects when labels match? - Correct Answers -Mandatory Access Control (MAC)
Mandatory Access Control is based on what type of model? - Correct Answers -Lattice
Based
You need to create a trust relationship between your company and a vendor. You need
to implement the system so that it will allow users from the vendor's organization to
access your accounts payable system using the accounts created for them by the
vendor. What type of authentication do you need to implement? - Correct Answers - This
type of authentication, where one domain trusts users from another domain, is called
federation.
Users change job positions quite often at your new company. Which type of access
control would make it easier to allow administrators to adjust permissions when these
changes occur?
A. Role-Based Access Control
B. Mandatory Access Control
C. Discretionary Access Control
D. Rule-Based Access Control - Correct Answers - A. Role-Based Access Control would
assign permissions to roles, and the administrator would then simply adjust the role of
the user when he or she changes jobs
Which of the following authenticators is appropriate to use by itself rather than in
combination with other biometric factors?
A. Voice pattern recognition
B. Hand geometry
C. Palm scans
D. Heart/pulse patterns - Correct Answers -C. Palm scans compare the vein patterns in
the palm to a database to authenticate a user.
As part of hiring a new employee, Sven's identity management team creates a new user
object and ensures that the user object is available in the directories and systems where
it is needed. What is this process called? - Correct Answers -Provisioning includes the
creation, maintenance, and removal of user objects from applications, systems, and
directories.
The Linux filesystem allows the owners of objects to determine the access rights that
subjects have to them. What type of access control does Linux use? - Correct Answers
-Discretionary Access Control
Mary's organization handles very sensitive governmental agency information. They
need to implement an access control system that allows administrators to set access
rights but does not allow the delegation of those rights to other users. What is the best
type of access control design for Mary's organization? - Correct Answers -Mandatory
Access Control (MAC) systems allow an administrator to configure access permissions
but do not allow users to delegate permission to others.
What term is used to describe the default set of privileges assigned to a user when a
new account is created?
A. Aggregation
B. Transitivity
C. Baseline
D. Entitlement - Correct Answers - D. Entitlement refers to the privileges granted to
users when an account is first provisioned.
Steve is the risk manager for a company on the east coast of the United States. He
recently undertook a replacement cost analysis and determined that rebuilding and
reconfiguring the data center would cost $20 million. Steve consulted with hurricane
experts, data center specialists, and structural engineers and they determined that a
typical CAT 3 hurricane that successfully hits the east coast would cause approximately
$5 million in damages. The meteorologists determined that Steve's facility lies in an
area where they are likely to experience a CAT 3 hurricane once every 10 years.
Based upon the information in this scenario, what is the exposure factor for the effect of
a CAT 3 hurricane on Steve's data center? - Correct Answers -The exposure factor is
the percentage of the facility that risk managers expect will be damaged if a risk
materializes. It is calculated by dividing the amount of damage by the asset value. In
this case, that is $5 million in damage divided by the $20 million facility value, or 25
percent.
Steve is the risk manager for a company on the east coast of the United States. He
recently undertook a replacement cost analysis and determined that rebuilding and
reconfiguring the data center would cost $20 million. Steve consulted with hurricane
experts, data center specialists, and structural engineers and they determined that a
typical CAT 3 hurricane that successfully hits the east coast would cause approximately
$5 million in damages. The meteorologists determined that Steve's facility lies in an
area where they are likely to experience a CAT 3 hurricane once every 10 years.
What is the annualized loss expectancy for a hurricane at Steve's data center? - Correct
Answers - The annualized loss expectancy (ALE) is calculated by multiplying the single
loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case the SLE
is $5 million and the ARO is 0.10. Multiplying those numbers together gives you an ALE
of $500,000.
Earlier this year, the information security team at Jeff's company identified a
vulnerability in a server that he is responsible for. He immediately applied the patch and
is sure that it installed properly, but after running the vulnerability scanner has continued
to incorrectly flag the system as vulnerable because of the version number it is finding
even though Jeff is sure the patch is installed. Which of the following options is Jim's
best choice to deal with the issue?
A. Uninstall and reinstall the patch
B. Ask the information security team to flag the system as patched and not vulnerable.
C. Update the version information in the web server's configuration.
D. Review the vulnerability report and use alternate remediation options. - Correct
Answers -B. Jeff should ask the information security team to flag the issue as resolved if
he is sure the patch was installed. Many vulnerability scanners rely on version