Last Updated on March 10, 2022 by Admin 3

SSCP : System Security Certified Practitioner (SSCP) : Part 08

  1. Which of the following is NOT a common category/classification of threat to an IT system?

    • Human
    • Natural
    • Technological
    • Hackers

    Explanation:

    Hackers fall under the human threat category; they are not a category of their own.

    All the other answers are incorrect. Threats result from a variety of factors, although they are classified into three types: natural (e.g., hurricane, tornado, flood and fire), human (e.g., operator error, sabotage, malicious code) or technological (e.g., equipment failure, software error, telecommunications network outage, electric power failure).

    Reference:
    SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf, June 2002 (page 6).

  2. Which of the following enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks?

    • Risk assessment
    • Residual risks
    • Security controls
    • Business units
    Explanation:
    The risk assessment is critical because it enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks. The risk management process includes the risk assessment and determination of suitable technical, management, and operational security controls based on the level of threat the risk imposes. Business units should be included in this process.
    Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 7).
  3. Which of the following is NOT a common backup method?

    • Full backup method
    • Daily backup method
    • Incremental backup method
    • Differential backup method
    Explanation:
    A daily backup is not a backup method; it only defines the periodicity at which backups are made. There can be daily full, incremental or differential backups.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
  4. Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?

    • Full backup method
    • Incremental backup method
    • Fast backup method
    • Differential backup method
    Explanation:

    A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).

    Also see: http://e-articles.info/e/a/title/Backup-Types/

    Backup software can use or ignore the archive bit in determining which files to back up, and can either turn the archive bit off or leave it unchanged when the backup is complete. How the archive bit is used and manipulated determines what type of backup is done, as follows:

    Full backup
    A full backup, which Microsoft calls a normal backup, backs up every selected file, regardless of the status of the archive bit. When the backup completes, the backup software turns off the archive bit for every file that was backed up. Note that “full” is a misnomer because a full backup backs up only the files you have selected, which may be as little as one directory or even a single file, so in that sense Microsoft’s terminology is actually more accurate. Given the choice, full backup is the method to use because all files are on one tape, which makes it much easier to retrieve files from tape when necessary. Relative to partial backups, full backups also increase redundancy because all files are on all tapes. That means that if one tape fails, you may still be able to retrieve a given file from another tape.
    Differential backup

    A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies. Accordingly, any differential backup set contains all files that have changed since the last full backup. A differential backup set run soon after a full backup will contain relatively few files. One run soon before the next full backup is due will contain many files, including those contained on all previous differential backup sets since the last full backup. When you use differential backup, a complete backup set comprises only two tapes or tape sets: the tape that contains the last full backup and the tape that contains the most recent differential backup.
    Incremental backup
    An incremental backup is another form of partial backup. Like differential backups, Incremental Backups copy a selected file to tape only if the archive bit for that file is turned on. Unlike the differential backup, however, the incremental backup clears the archive bits for the files it backs up. An incremental backup set therefore contains only files that have changed since the last full backup or the last incremental backup. If you run an incremental backup daily, files changed on Monday are on the Monday tape, files changed on Tuesday are on the Tuesday tape, and so forth. When you use an incremental backup scheme, a complete backup set comprises the tape that contains the last full backup and all of the tapes that contain every incremental backup done since the last normal backup. The only advantages of incremental backups are that they minimize backup time and keep multiple versions of files that change frequently. The disadvantages are that backed-up files are scattered across multiple tapes, making it difficult to locate any particular file you need to restore, and that there is no redundancy. That is, each file is stored only on one tape.

    Full copy backup
    A full copy backup (which Microsoft calls a copy backup) is identical to a full backup except for the last step. The full backup finishes by turning off the archive bit on all files that have been backed up. The full copy backup instead leaves the archive bits unchanged. The full copy backup is useful only if you are using a combination of full backups and incremental or differential partial backups. The full copy backup allows you to make a duplicate “full” backup—e.g., for storage offsite, without altering the state of the hard drive you are backing up, which would destroy the integrity of the partial backup rotation.
    Some Microsoft backup software provides a bizarre backup method Microsoft calls a daily copy backup. This method ignores the archive bit entirely and instead depends on the date and time stamp of files to determine which files should be backed up. The problem is that it is quite possible for software to change a file without changing the date and time stamp, or to change the date and time stamp without changing the contents of the file. For this reason, we regard the daily copy backup as entirely unreliable and recommend you avoid using it.

  5. To protect and/or restore lost, corrupted, or deleted information, thereby preserving the data integrity and availability is the purpose of:

    • Remote journaling.
    • Database shadowing.
    • A tape backup method.
    • Mirroring.
    Explanation:

    The purpose of a tape backup method is to protect and/or restore lost, corrupted, or deleted information, thereby preserving the data integrity and ensuring availability.

    All other choices could themselves suffer from the corruption, and it might not be possible to restore the data without proper backups having been made.

    This is a tricky question: if the information is lost, corrupted, or deleted, only a good backup can be used to restore it. Any synchronization mechanism would propagate the change to the mirror copy, and the data could not be recovered from the mirror.

    With backups there could be a large gap during which your latest data is not available. You would have to look at your Recovery Point Objective and see whether this gap is acceptable against your company's recovery objectives.

    The following are incorrect answers:

    Mirroring protects against drive failure, since the secondary set always holds a current copy. However, if you have corrupted data on the primary set of drives, the same corrupted data will be written to the secondary set as well.

    Remote journaling provides continuous or periodic synchronized recording of transaction data at a remote location as a backup strategy (http://www.businessdictionary.com/definition/remote-journaling.html). With journaling there might be a gap in time when the data updates are sent in batches at regular intervals, so some of the most recent data could be lost.

    Database shadowing is synonymous with mirroring, but it applies only to databases, not to information and data as a whole.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 68.
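
    The reasoning behind question 5 above, as an added simulation written for this page (it is not code from the original page or from the cited references): a mirror copies every write, including a bad one, the moment it happens; a remote journal replays writes in batches, so it lags by up to one batch and still replays the bad write once shipped; a tape backup is clean if it was taken before the bad write, at the price of every write made since. The write log, the corruption at t=8, the journal batch interval, the backup time and the RPO value are all constructed for the example.

```python
"""Why a point-in-time backup, not a mirror or a journal, is what recovers
corrupted or deleted data, and what that costs in Recovery Point Objective.

Added example written for this page; it is not code from the cited references.
The write log, the bad write, the journal batch interval, the backup time and
the RPO are constructed values."""

CORRUPT = "####"   # marker for a bad write that reached the primary

# Constructed primary-site write log: (time, key, value).  The t=8 entry is an
# application bug overwriting key "b" with garbage; nobody notices until t=10.
LOG = [
    (1, "a", "a1"), (2, "b", "b1"), (4, "a", "a2"), (6, "c", "c1"),
    (7, "b", "b2"), (8, "b", CORRUPT), (9, "a", "a3"),
]


def state_at(log, until):
    """Replay every write with time <= until; later writes overwrite earlier ones."""
    state = {}
    for t, key, value in log:
        if t <= until:
            state[key] = value
    return state


def mirror_view(log, now):
    # A synchronous mirror is identical to the primary at all times, bad writes included.
    return now, state_at(log, now)


def journal_view(log, now, interval):
    # Remote journaling ships the log in batches; the remote copy equals the
    # primary as of the last completed batch.  A bad write inside a shipped
    # batch is replayed at the remote site like any other.
    last_shipped = (now // interval) * interval
    return last_shipped, state_at(log, last_shipped)


def backup_view(log, backup_time):
    # A tape backup freezes the state at backup_time and is never updated afterwards.
    return backup_time, state_at(log, backup_time)


def assess(log, now, interval, backup_time, rpo):
    """For each mechanism: is the recoverable copy free of the bad write, how far
    behind `now` is it, which good writes would be lost by recovering from it,
    and does that gap fit the Recovery Point Objective `rpo`."""
    views = {
        "mirror": mirror_view(log, now),
        "remote_journal": journal_view(log, now, interval),
        "tape_backup": backup_view(log, backup_time),
    }
    report = {}
    for name, (as_of, state) in views.items():
        lost_good = [t for t, _, v in log if as_of < t <= now and v != CORRUPT]
        report[name] = {
            "clean": CORRUPT not in state.values(),
            "as_of": as_of,
            "rpo_gap": now - as_of,
            "meets_rpo": now - as_of <= rpo,
            "lost_good_writes": lost_good,
        }
    return report


if __name__ == "__main__":
    for name, r in assess(LOG, now=10, interval=4, backup_time=5, rpo=4).items():
        print(f"{name:15} clean={r['clean']!s:5} gap={r['rpo_gap']} "
              f"lost={r['lost_good_writes']} meets_rpo={r['meets_rpo']}")
```

    With the constructed values, the mirror has no gap but carries the garbage, the journal is two time units behind and also carries it, and only the t=5 tape is clean, at the cost of three good writes and a gap wider than the four-unit RPO. Shortening the journal interval closes its gap but never removes the bad write; moving the backup closer to the failure (a t=7 tape) is what brings a clean copy inside the RPO.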

  6. Which of the following is NOT a task normally performed by a Computer Incident Response Team (CIRT)?

    • Develop an information security policy.
    • Coordinate the distribution of information pertaining to the incident to the appropriate parties.
    • Mitigate risk to the enterprise.
    • Assemble teams to investigate the potential vulnerabilities.
    Explanation:
    Writing a corporate security policy is normally a task of upper management in an organization. Other tasks would usually be performed by a Computer Incident Response Team.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 64).
  7. Which of the following backup methods is most appropriate for off-site archiving?

    • Incremental backup method
    • Off-site backup method
    • Full backup method
    • Differential backup method
    Explanation:
    The full backup makes a complete backup of every file on the system every time it is run. Since a single backup set is needed to perform a full restore, it is appropriate for off-site archiving.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
  8. Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?

    • Calculate the risk for each different business function.
    • Identify the company’s critical business functions.
    • Calculate how long these functions can survive without these resources.
    • Develop a mission statement.
    Explanation:

    The Business Impact Analysis is critical for the development of a business continuity plan (BCP). It identifies risks, critical processes and resources needed in case of recovery and quantifies the impact a disaster will have upon the organization. The development of a mission statement is normally performed before the BIA.

    A BIA (business impact analysis) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level.

    BIA Steps
    The more detailed and granular steps of a BIA are outlined here:

    1. Select individuals to interview for data gathering.
    2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
    3. Identify the company’s critical business functions.
    4. Identify the resources these functions depend upon.
    5. Calculate how long these functions can survive without these resources.
    6. Identify vulnerabilities and threats to these functions.
    7. Calculate the risk for each different business function.
    8. Document findings and report them to management.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 21076). Auerbach Publications. Kindle Edition.
    and
    Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 905-910). McGraw-Hill. Kindle Edition.

  9. Which backup method does not reset the archive bit on files that are backed up?

    • Full backup method
    • Incremental backup method
    • Differential backup method
    • Additive backup method
    Explanation:
    The differential backup method only copies files that have changed since the last full backup was performed. It is additive in the fact that it does not reset the archive bit so all changed or added files are backed up in every differential backup until the next full backup. The “additive backup method” is not a common backup method.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
  10. Which common backup method is the fastest on a daily basis?

    • Full backup method
    • Incremental backup method
    • Fast backup method
    • Differential backup method
    Explanation:
    The incremental backup method only copies files that have been recently changed or added. Only files with their archive bit set are backed up. This method is fast and uses less tape space but has some inherent vulnerabilities, one being that all incremental backups need to be available and restored from the date of the last full backup to the desired date should a restore be needed.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
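
    The archive-bit rules laid out under question 4, which questions 9 and 10 above rely on, as an added simulation written for this page (it is not code from the original page or from the cited references). It models a volume whose files carry an archive bit, runs a Sunday full backup followed by a week of daily differential or incremental tapes, and then works out which tapes a restore needs and whether applying them reproduces the live state. It also shows why a mid-week copy backup leaves the rotation intact while a mid-week full backup restarts it. The file names, the day-by-day change schedule and the tape labels are constructed for the example.

```python
"""Archive-bit semantics of full, differential, incremental and copy backups.

Added example written for this page, not code from the cited references.
File names, the week-long change schedule and the tape labels are constructed."""

from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    version: int = 0
    archive: bool = True          # the OS sets this bit whenever the file is written


@dataclass
class Tape:
    label: str
    kind: str                     # "full" | "differential" | "incremental" | "copy"
    contents: dict = field(default_factory=dict)   # name -> version captured


class Volume:
    def __init__(self, names):
        self.files = {n: File(n) for n in names}

    def modify(self, name):
        self.files[name].version += 1
        self.files[name].archive = True

    def live_state(self):
        return {f.name: f.version for f in self.files.values()}

    def backup(self, kind, label):
        """Select files and treat the archive bit the way each method does."""
        if kind in ("full", "copy"):                    # ignore the bit, take everything
            selected = list(self.files.values())
        elif kind in ("differential", "incremental"):   # only files with the bit set
            selected = [f for f in self.files.values() if f.archive]
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        tape = Tape(label, kind, {f.name: f.version for f in selected})
        if kind in ("full", "incremental"):             # only these two clear the bit
            for f in selected:
                f.archive = False
        return tape


def restore_chain(tapes):
    """Tapes needed to rebuild the newest state: the last full, every incremental
    after it, and the most recent differential only if it is the newest partial
    (an incremental run after a differential supersedes it, because the
    differential left the bits set).  Copy tapes are stand-alone duplicates and
    never part of the chain."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "full")
    partials = [t for t in tapes[last_full + 1:] if t.kind != "copy"]
    chain = [tapes[last_full]] + [t for t in partials if t.kind == "incremental"]
    if partials and partials[-1].kind == "differential":
        chain.append(partials[-1])
    return chain


def restore(chain):
    """Apply tapes oldest to newest; later tapes overwrite older versions."""
    state = {}
    for tape in chain:
        state.update(tape.contents)
    return state


FILES = ["ledger.db", "payroll.xlsx", "notes.txt", "readme.md"]
# Constructed schedule: which files are written on each weekday after Sunday's full.
CHANGES = [("Mon", ["ledger.db"]), ("Tue", ["ledger.db", "payroll.xlsx"]),
           ("Wed", []), ("Thu", ["notes.txt"]), ("Fri", ["ledger.db"]),
           ("Sat", ["payroll.xlsx", "notes.txt"])]


def run_week(strategy, midweek=None):
    """Sunday full backup, then one `strategy` partial each day.  `midweek`
    optionally inserts an extra "full" or "copy" tape on Wednesday, to show
    which of the two disturbs the partial rotation."""
    vol = Volume(FILES)
    tapes = [vol.backup("full", "Sun-full")]
    for day, names in CHANGES:
        for n in names:
            vol.modify(n)
        if day == "Wed" and midweek:
            tapes.append(vol.backup(midweek, f"Wed-{midweek}"))
        tapes.append(vol.backup(strategy, f"{day}-{strategy}"))
    return vol, tapes


def tape_sizes(tapes):
    """Number of files captured on each tape, keyed by label."""
    return {t.label: len(t.contents) for t in tapes}


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        vol, tapes = run_week(strategy)
        chain = restore_chain(tapes)
        print(strategy, tape_sizes(tapes))
        print("  restore needs:", [t.label for t in chain],
              "ok" if restore(chain) == vol.live_state() else "MISMATCH")
```

    Running it shows the trade-off the questions describe: the differential tapes grow through the week (1, 2, 2, 3, 3, 3 files) and a restore needs only Sunday's full plus Saturday's tape, while the incremental tapes stay small (1, 2, 0, 1, 1, 2 files) and a restore needs every one of them, so dropping any single incremental tape leaves the restored state incomplete. A Wednesday copy tape captures all four files without touching the bits, so Thursday's differential still holds everything since Sunday; a Wednesday full clears them, and Thursday's differential then holds only one file and the restore chain must start from Wednesday.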
  11. Which of the following specifically addresses cyber attacks against an organization’s IT systems?

    • Continuity of support plan
    • Business continuity plan
    • Incident response plan
    • Continuity of operations plan
    Explanation:

    The incident response plan focuses on information security responses to incidents affecting systems and/or networks. It establishes procedures to address cyber attacks against an organization's IT systems. These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware or software.

    The continuity of support plan is the same as an IT contingency plan. It addresses IT system disruptions and establishes procedures for recovering a major application or general support system. It is not business process focused.

    The business continuity plan addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption.

    The continuity of operations plan addresses the subset of an organization's missions that are deemed most critical and procedures to sustain these functions at an alternate site for up to 30 days.

    Source: SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, December 2001 (page 8).

  12. During the salvage of the Local Area Network and Servers, which of the following steps would normally be performed first?

    • Damage mitigation
    • Install LAN communications network and servers
    • Assess damage to LAN and servers
    • Recover equipment
    Explanation:

    The first activity in every recovery plan is damage assessment, immediately followed by damage mitigation.

    This first activity would typically include assessing the damage to all network and server components (including cables, boards, file servers, workstations, printers and network equipment), making a list of all items to be repaired or replaced, selecting appropriate vendors and relaying the findings to the Emergency Management Team.

    Following damage mitigation, equipment can be recovered and LAN communications network and servers can be reinstalled.

    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 135).

  13. Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is incorrect?

    • In order to facilitate recovery, a single plan should cover all locations.
    • There should be requirements to form a committee to decide a course of action. These decisions should be made ahead of time and incorporated into the plan.
    • In its procedures and tasks, the plan should refer to functions, not specific individuals.
    • Critical vendors should be contacted ahead of time to validate equipment can be obtained in a timely manner.
    Explanation:

    The first documentation rule when it comes to a BCP/DRP is “one plan, one building”. Much of the plan revolves around reconstructing a facility and replenishing it with production contents. If more than one facility is involved, then the reader of the plan will find it difficult to identify quantities and specifications of replacement resource items. It is possible to have multiple plans for a single building, but those plans must be linked so that the identification and ordering of resource items is centralized. All other statements are correct.

    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 162).

  14. Which of the following steps should be one of the first step performed in a Business Impact Analysis (BIA)?

    • Identify all CRITICAL business units within the organization.
    • Evaluate the impact of disruptive events.
    • Estimate the Recovery Time Objectives (RTO).
    • Identify and Prioritize Critical Organization Functions
    Explanation:

    Project Initiation and Management

    The first step in building the Business Continuity program is project initiation and management. During this phase, the following activities will occur:

    Obtain senior management support to go forward with the project
    Define a project scope, the objectives to be achieved, and the planning assumptions
    Estimate the project resources needed to be successful, both human resources and financial resources
    Define a timeline and major deliverables of the project

    In this phase, the program will be managed like a project, and a project manager should be assigned to the BC and DR domain.

    The next step in the planning process is to have the planning team perform a BIA. The BIA will help the company decide what needs to be recovered, and how quickly. Mission functions are typically designated with terms such as critical, essential, supporting and nonessential to help determine the appropriate prioritization.

    One of the first steps of a BIA is to identify and prioritize critical organization functions. All organizational functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for organization operations are driven by the consequences of not performing the function. The consequences may be revenue lost during the down period, contractual commitments not met resulting in fines or lawsuits, or lost goodwill with customers.

    All other answers are incorrect.

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 21073-21075). Auerbach Publications. Kindle Edition.
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 20697-20710). Auerbach Publications. Kindle Edition.

  15. A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern in the context of what your Disaster Recovery Plan would include?

    • Marketing/Public relations
    • Data/Telecomm/IS facilities
    • IS Operations
    • Facilities security
    Explanation:
    The main concern when recovering after a disaster is data, telecomm and IS facilities. Other services, in descending priority order are: IS operations, IS support services, market structure, marketing/public relations, customer service & systems support, market regulation/surveillance, listing, application development, accounting services, facilities, human resources, facilities security, legal and Office of the Secretary, national sales.
    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 129).
  16. Which disaster recovery plan test involves functional representatives meeting to review the plan in detail?

    • Simulation test
    • Checklist test
    • Parallel test
    • Structured walk-through test
    Explanation:

    The structured walk-through test occurs when the functional representatives meet to review the plan in detail. This involves a thorough look at each of the plan steps, and the procedures that are invoked at that point in the plan. This ensures that the actual planned activities are accurately described in the plan. The checklist test is a method of testing the plan by distributing copies to each of the functional areas. The simulation test plays out different scenarios. The parallel test is essentially an operational test that is performed without interrupting current processing.

    Source: HARE, Chris, CISSP Study Guide: Business Continuity Planning Domain,

  17. The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exist when:

    • (C < L) or C is less than L
    • (C < L – (residual risk)) or C is less than L minus residual risk
    • (C > L) or C is greater than L
    • (C > L – (residual risk)) or C is greater than L minus residual risk
    Explanation:

    If the cost of the safeguard is lower than the estimated loss (C < L), then legal liability may exist if you fail to implement the proper safeguards: a reasonable organization would have spent C to avoid L, so not doing so is hard to defend as reasonable care.

    Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information.

    The GLBA is a U.S. Federal law enacted by the U.S. Congress in 1999 to allow consolidation among commercial banks. The GLBA Safeguards Rule is a U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance.

    Because these laws and regulations govern consumer personal information, they can lead to new requirements for the information systems with which companies are responsible to comply.

    The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industry standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenges in determining what constitutes "reasonable" security measures, for several reasons, including:

    1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;

    2. Compliance requires knowledge of specific security measures; however, publicly available best practices typically include general goals and only address broad categories of vulnerability; and

    3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with the risk of non-compliance. In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies.

    The following reference(s) were used for this question:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 315.
    and
    http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf

  18. A Business Continuity Plan should be tested:

    • Once a month.
    • At least twice a year.
    • At least once a year.
    • At least once every two years.
    Explanation:

    It is recommended that testing does not exceed established frequency limits. For a plan to be effective, all components of the BCP should be tested at least once a year. Also, if there is a major change in the operations of the organization, the plan should be revised and tested not more than three months after the change becomes operational.

    Source: BARNES, James C. & ROTHSTEIN, Philip J., A Guide to Business Continuity Planning, John Wiley & Sons, 2001 (page 165).

  19. Which of the following statements pertaining to a Criticality Survey is incorrect?

    • It is implemented to gather input from all personnel who are going to be part of the recovery teams.
    • The purpose of the survey must be clearly stated.
    • Management’s approval should be obtained before distributing the survey.
    • Its intent is to find out what services and systems are critical to keeping the organization in business.
    Explanation:

    The Criticality Survey is implemented through a standard questionnaire to gather input from the most knowledgeable people. Not all personnel who will be part of the recovery teams are necessarily able to help in identifying the critical functions of the organization.

    The intent of such a survey is to identify the services and systems that are critical to the organization.

    Having a clearly stated purpose for the survey helps in avoiding misinterpretations.

    Management’s approval of the survey should be obtained before distributing it.
    Source: HARE, Chris, CISSP Study Guide: Business Continuity Planning Domain,

  20. Which of the following statements pertaining to the maintenance of an IT contingency plan is incorrect?

    • The plan should be reviewed at least once a year for accuracy and completeness.
    • The Contingency Planning Coordinator should make sure that every employee gets an up-to-date copy of the plan.
    • Strict version control should be maintained.
    • Copies of the plan should be provided to recovery personnel for storage offline at home and office.
    Explanation:

    Because the contingency plan contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Not all employees would obtain a copy, but only those involved in the execution of the plan.
    All other statements are correct.

    NOTE FROM CLEMENT:
    I have received multiple emails stating the explanations contradict the correct answer. It seems many people have a hard time with negative questions. In this case the incorrect choice (the one that is not true) is the correct choice. Be very careful of such questions; you will get some on the real exam as well.

    Reference(s) used for this question:
    SWANSON, Marianne, et al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems