(ISC)2 – SSCP EXAM QUESTIONS AND
ANSWERS (GRADED A+)
1. Prevention: something like a lock on the door
2. Detection: something like an alarm system
3. Recovery: actions taken after an unwanted occurrence - ANSWER-What are the
three security categories?
1. Identification: user provides identification
2. Authentication: second type of identification proving the user is who they claim to be
3. Authorization: assigns rights & privileges based on user's profile after they are
authenticated
4. Accounting: tracing and recording the use of assets. - ANSWER-What are the four
steps of Access Control?
Auditing - ANSWER-What is the act of reviewing or monitoring data obtained during the
Accounting process?
- Prudent Man
- Due Dilligence
- Due Care - ANSWER-- This concept refers to actions that may be reasonably taken
(or are obvious) to safeguard corporate assets and data, as well as following best
practices from similar organizations
- This is verifying that a control or process is performing as intended
- This refers to taking actions that are prudent and reasonable to protect the assets of
the organization
- M of N requirement
- Two-Man Rule
- Transparency - ANSWER-- This process allows multiple people out of a group to be
able to take a certain action, and can also require a certain number of individuals to
agree prior to action being taken
- This is a procedure popular in very high-security locations and situations. It features
two individuals who must agree upon action yet are physically separated and must
therefore take action independent of the other
- This principle allows anyone to access, view, and test hardware or software systems.
For example: testing a new cryptographic algorithm
- Privilege Management or Privilege Lifecycle
- Rights and Privilege Audit
- Account Deactivation
- Orphan account - ANSWER-- These are events related to things like an employee
getting promoted, getting fired, leaving the company, or retiring
,- This ensures that a user's permissions match the minimum required to do their job and
do not exceed it
- This ensures that access rights are taken away immediately upon a user getting fired,
leaving, or retiring.
- What is an account called when an employee has been gone for a long time but it is
still active?
- Deniability
- Disclosure - ANSWER-- What is the term used to describe the violation of non-
repudiation?
- What term is used to describe the violation of confidentiality?
1. New Hire Orientation: the individual is typically made aware of the dos and don'ts of
the company's security policies and may sign an AUP
2. Mandatory Security Training: required under various regulations such as HIPAA in
the medical field as well as various privacy regulations with respect to financial,
banking, and credit card industry information
3. Specialty Security Training: includes training programs made available for vendors,
customers, extranet users, senior executives, and department managers or offered in
special situations
4. Corporate-wide Security Training: generally required at least once a year by most
corporations - ANSWER-What are four types of security awareness training?
1. Physical: locks, doors, fences, etc
2. Logical: ACLs, IDS, firewalls, routers, etc
3. Administrative Controls: banners, signs, company policies, log-on screen stating
appropriate use, etc - ANSWER-What are three types of controls?
1. Physical: tangible things like the building and hardware
2. Digital: data stored in IT systems
3. Information: what is stored inside the data
- People
- Assurance Procedures - ANSWER-- What are three types of assets?
- What is the most important asset to protect?
- What are procedures that ensure the access control mechanisms correctly implement
the security policy?
- Subjects are always active (like requesting a resource) while objects are passive (they
are the resource waiting to be accessed). They can exchanges places depending on
what's happening.
- If a user requests information from a web server, the web server is an object, but it
may also request information from a back end database. When making a request to the
database, the web server would also be a subject - ANSWER-- How can you tell a
subject from an object?
- When can an object also be a subject?
, 1. Software
2. Hardware - ANSWER-What are two categories of Logical Access Controls?
1. Enrollment Time: setting up the device with user's information
2. Error Rate: biometric devices compare a current reading with a recorded reading and
are not always accurate, e.g. when your finger is wet and fails a fingerprint scan
3. Acquire Time: time is takes to perform various biometric scans when a user wants
access
4. Throughput Time: how long it takes to compare the current sample from the user to
historical sample for authenticaion
5. One-to-one Search: errors can occur when data points do not match - ANSWER-
What are five challenging aspects to using biometrics?
1. False Rejection Rate (FRR): aka a Type I error; how often a biometric system rejects
a good user
2. False Acceptance Rate (FAR): aka a Type 2 error; how often a biometric system
incorrectly IDs a bad user as a good user
3. Crossover Error Rate (CER): Where the FAR and FRR cross over. The lower the
CER, the better the system. - ANSWER-What are the three error rates for biometrics?
OPIE: One-time Password In Everything - ANSWER-This is a type of one-time
password based on S/Key in Unix systems. Usually a user's password combined with
other data, then hashed with MD4 or MD5
1. Value of the information: this is subjective depending on the organization
2. Method of accessing the information: how the information is made available -
ANSWER-What two requirements do System-Level Access Controls address?
- DAC (Discretionary Access Control)
- Non-DAC (Non-Discretionary Access Control)
- MAC (Mandatory Access Control) - ANSWER-- This type of access control is
determined by the data owner. For example: the owner assigns specific permissions to
different user accounts. These permissions are recorded in an ACL
- This type of access control is when a system administrator, management, or an
information tagging/labeling system controls access to objects by subjects. In this case,
the access might be granted by policy to a specific group of users. The system
administrator is carrying out policy administration.
- Under this type of access control, subjects and objects are assigned labels or tags
- SCI (Sensitive Compartmented Information)
- SAP (Special Access Program) - ANSWER-- This is an added layer of security for
information that is classified as top-secret. With this information, top secret clearance is
not enough protection and the information must be certified "need to know." This level of
classification is given to sensitive material that may have special access categories.
- These are established for a specific class of classified information that imposes
safeguarding and access requirements that exceed those normally required for
ANSWERS (GRADED A+)
1. Prevention: something like a lock on the door
2. Detection: something like an alarm system
3. Recovery: actions taken after an unwanted occurrence - ANSWER-What are the
three security categories?
1. Identification: user provides identification
2. Authentication: second type of identification proving the user is who they claim to be
3. Authorization: assigns rights & privileges based on user's profile after they are
authenticated
4. Accounting: tracing and recording the use of assets. - ANSWER-What are the four
steps of Access Control?
Auditing - ANSWER-What is the act of reviewing or monitoring data obtained during the
Accounting process?
- Prudent Man
- Due Dilligence
- Due Care - ANSWER-- This concept refers to actions that may be reasonably taken
(or are obvious) to safeguard corporate assets and data, as well as following best
practices from similar organizations
- This is verifying that a control or process is performing as intended
- This refers to taking actions that are prudent and reasonable to protect the assets of
the organization
- M of N requirement
- Two-Man Rule
- Transparency - ANSWER-- This process allows multiple people out of a group to be
able to take a certain action, and can also require a certain number of individuals to
agree prior to action being taken
- This is a procedure popular in very high-security locations and situations. It features
two individuals who must agree upon action yet are physically separated and must
therefore take action independent of the other
- This principle allows anyone to access, view, and test hardware or software systems.
For example: testing a new cryptographic algorithm
- Privilege Management or Privilege Lifecycle
- Rights and Privilege Audit
- Account Deactivation
- Orphan account - ANSWER-- These are events related to things like an employee
getting promoted, getting fired, leaving the company, or retiring
,- This ensures that a user's permissions match the minimum required to do their job and
do not exceed it
- This ensures that access rights are taken away immediately upon a user getting fired,
leaving, or retiring.
- What is an account called when an employee has been gone for a long time but it is
still active?
- Deniability
- Disclosure - ANSWER-- What is the term used to describe the violation of non-
repudiation?
- What term is used to describe the violation of confidentiality?
1. New Hire Orientation: the individual is typically made aware of the dos and don'ts of
the company's security policies and may sign an AUP
2. Mandatory Security Training: required under various regulations such as HIPAA in
the medical field as well as various privacy regulations with respect to financial,
banking, and credit card industry information
3. Specialty Security Training: includes training programs made available for vendors,
customers, extranet users, senior executives, and department managers or offered in
special situations
4. Corporate-wide Security Training: generally required at least once a year by most
corporations - ANSWER-What are four types of security awareness training?
1. Physical: locks, doors, fences, etc
2. Logical: ACLs, IDS, firewalls, routers, etc
3. Administrative Controls: banners, signs, company policies, log-on screen stating
appropriate use, etc - ANSWER-What are three types of controls?
1. Physical: tangible things like the building and hardware
2. Digital: data stored in IT systems
3. Information: what is stored inside the data
- People
- Assurance Procedures - ANSWER-- What are three types of assets?
- What is the most important asset to protect?
- What are procedures that ensure the access control mechanisms correctly implement
the security policy?
- Subjects are always active (like requesting a resource) while objects are passive (they
are the resource waiting to be accessed). They can exchanges places depending on
what's happening.
- If a user requests information from a web server, the web server is an object, but it
may also request information from a back end database. When making a request to the
database, the web server would also be a subject - ANSWER-- How can you tell a
subject from an object?
- When can an object also be a subject?
, 1. Software
2. Hardware - ANSWER-What are two categories of Logical Access Controls?
1. Enrollment Time: setting up the device with user's information
2. Error Rate: biometric devices compare a current reading with a recorded reading and
are not always accurate, e.g. when your finger is wet and fails a fingerprint scan
3. Acquire Time: time is takes to perform various biometric scans when a user wants
access
4. Throughput Time: how long it takes to compare the current sample from the user to
historical sample for authenticaion
5. One-to-one Search: errors can occur when data points do not match - ANSWER-
What are five challenging aspects to using biometrics?
1. False Rejection Rate (FRR): aka a Type I error; how often a biometric system rejects
a good user
2. False Acceptance Rate (FAR): aka a Type 2 error; how often a biometric system
incorrectly IDs a bad user as a good user
3. Crossover Error Rate (CER): Where the FAR and FRR cross over. The lower the
CER, the better the system. - ANSWER-What are the three error rates for biometrics?
OPIE: One-time Password In Everything - ANSWER-This is a type of one-time
password based on S/Key in Unix systems. Usually a user's password combined with
other data, then hashed with MD4 or MD5
1. Value of the information: this is subjective depending on the organization
2. Method of accessing the information: how the information is made available -
ANSWER-What two requirements do System-Level Access Controls address?
- DAC (Discretionary Access Control)
- Non-DAC (Non-Discretionary Access Control)
- MAC (Mandatory Access Control) - ANSWER-- This type of access control is
determined by the data owner. For example: the owner assigns specific permissions to
different user accounts. These permissions are recorded in an ACL
- This type of access control is when a system administrator, management, or an
information tagging/labeling system controls access to objects by subjects. In this case,
the access might be granted by policy to a specific group of users. The system
administrator is carrying out policy administration.
- Under this type of access control, subjects and objects are assigned labels or tags
- SCI (Sensitive Compartmented Information)
- SAP (Special Access Program) - ANSWER-- This is an added layer of security for
information that is classified as top-secret. With this information, top secret clearance is
not enough protection and the information must be certified "need to know." This level of
classification is given to sensitive material that may have special access categories.
- These are established for a specific class of classified information that imposes
safeguarding and access requirements that exceed those normally required for
