Free CSSLP Exam Braindumps

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

1. A. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system.
2. B. Accreditation is a comprehensive assessment of the management, operational, and technical security controls in an information system.
3. C. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system.
4. D. Certification is the official management decision given by a senior agency official to authorize operation of an information system.

Correct Answer: AC
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, and DCID 6/3. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Single Loss Expectancy (SLE) represents an organization's loss from a single threat. Which of the following formulas best describes the Single Loss Expectancy (SLE)?

1. A. SLE = Asset Value (AV) * Exposure Factor (EF)
2. B. SLE = Annualized Loss Expectancy (ALE) * Annualized Rate of Occurrence (ARO)
3. C. SLE = Annualized Loss Expectancy (ALE) * Exposure Factor (EF)
4. D. SLE = Asset Value (AV) * Annualized Rate of Occurrence (ARO)

Correct Answer: A
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF) where the Exposure Factor is represented in the impact of the risk over the asset, or percentage of asset lost. As an example, if the Asset Value is reduced two thirds, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed. Answer C, D, and B are incorrect. These are not valid formulas of SLE.

Which of the following is the process of finding weaknesses in cryptographic algorithms and obtaining the plaintext or key from the ciphertext?

1. A. Cryptographer
2. B. Cryptography
3. C. Kerberos
4. D. Cryptanalysis

Correct Answer: D
Cryptanalysis is the process of analyzing cipher text and finding weaknesses in cryptographic algorithms. These weaknesses can be used to decipher the cipher text without knowing the secret key. Answer B is incorrect. Kerberos is an industry standard authentication protocol used to verify user or host identity. Kerberos v5 authentication protocol is the default authentication service for Windows 2000. It is integrated into the administrative and security model, and provides secure communication between Windows 2000 Server domains and clients. Answer A is incorrect. A cryptographer is a person who is involved in cryptography.
Answer B is incorrect. Cryptography is a branch of computer science and mathematics. It is used for protecting information by encoding it into an unreadable format known as cipher text.

Which of the following security design patterns provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data?

1. A. Secure assertion
2. B. Authenticated session
3. C. Password propagation
4. D. Account lockout

Correct Answer: C
Password propagation provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's datAnswer D is incorrect. Account lockout implements a limit on the incorrect password attempts to protect an account from automated password-guessing attacks. Answer B is incorrect. Authenticated session allows a user to access more than one access-restricted Web page without re-authenticating every page. It also integrates user authentication into the basic session model. Answer A is incorrect. Secure assertion distributes application-specific sanity checks throughout the system.

Which of the following activities are performed by the 'Do' cycle component of PDCA (plan- do-check-act)? Each correct answer represents a complete solution. Choose all that apply.

1. A. It detects and responds to incidents properly.
2. B. It determines controls and their objectives.
3. C. It manages resources that are required to achieve a goal.
4. D. It performs security awareness training.
5. E. It operates the selected controls.

Correct Answer: ACDE
The 'Do' cycle component performs the following activities: It operates the selected controls. It detects and responds to incidents properly. It performs security awareness training. It manages resources that are required to achieve a goal. Answer B is incorrect. This activity is performed by the 'Plan' cycle component of PDCA.