Which of the following describes a residual risk as the risk remaining after a risk mitigation has occurred?
Answer : A
DIACAP describes a residual risk as the risk remaining after a risk mitigation has occurred. The Department of Defense Information Assurance
Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk.
DIACAP replaced the former process, known as DITSCAP (Department of Defense Information Technology Security Certification and
Accreditation Process), in 2006.
DoD Instruction (DoDI) 8510.01 establishes a standard DoD-wide process with a set of activities, general tasks, and a management structure
to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense
Information Infrastructure (DII) throughout the system's life cycle.
DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or
classified information since December 1997. It identifies four phases:
1. System Definition
2. Verification
3. Validation
4. Re-Accreditation
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Ensures that the information system's configuration complies with the agency's information security policy.
Supports the information system owner/information owner in completing security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer C is incorrect. The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the
authority to formally assume responsibility for operating a system at an acceptable level of risk. The DAA is responsible for implementing
system security. The DAA can grant the accreditation and can determine that the system's risks are not at an acceptable level and the system
is not ready to be operational.
Answer B is incorrect. System Security Authorization Agreement (SSAA) is an information security document used in the United States
Department of Defense (DoD) to describe and accredit networks and systems. The SSAA is part of the Department of Defense Information
Technology Security Certification and Accreditation Process, or DITSCAP (superseded by DIACAP). The DoD instruction (issued in December
1997) that describes DITSCAP and provides an outline for the SSAA document is DoDI 5200.40. The DITSCAP application manual (DoD 8510.1-M),
published in July 2000, provides additional details.
Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?
Answer : B
NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:
NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information
Systems.
NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security
controls in Federal Information Systems.
NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security
objectives and risk levels.
Which of the following tools is used to attack the Digital Watermarking?
Answer : C
2Mosaic is a tool used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is
chopped into small pieces that are then placed back together. When this image is embedded into a web page, the web browser renders the small
pieces as one image. The result looks like the original image but carries no readable watermark. The attack succeeds because the
watermark cannot be recovered from very small pieces.
Answer D is incorrect. Gifshuffle is used to hide a message inside GIF images. It does so by shuffling the colormap. This tool
also provides compression and encryption.
Answers A and B are incorrect. Active Attacks and Steg-Only Attacks are used to attack steganography, not watermarking.
What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope?
Answer : C
The change management system is comprised of several components that guide the change request through the process. When a change
request is made that will affect the project scope, the Configuration Management System evaluates the change request and documents the
effect of the change on the features and functions of the project scope.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in. What are the different categories of penetration testing? Each correct answer represents a complete solution. Choose all that apply.
Answer : A, B, C, E, F
The different categories of penetration testing are as follows:
Open-box: In this category of penetration testing, testers have access to internal system code. This mode is basically suited for Unix or
Linux.
Closed-box: In this category of penetration testing, testers do not have access to closed systems. This method is good for closed
systems.
Zero-knowledge test: In this category of penetration testing, testers have to acquire information from scratch and they are not
supplied with information concerning the IT system.
Partial-knowledge test: In this category of penetration testing, testers have knowledge that may be applicable to a specific type of
attack and associated vulnerabilities.
Full-knowledge test: In this category of penetration testing, testers have massive knowledge concerning the information system to be
evaluated.
Answer D is incorrect. There is no such category of penetration testing.
A number of security patterns for Web applications under the DARPA contract have been developed by Kienzle, Elder, Tyree, and Edwards-Hewitt. Which of the following patterns are applicable to aspects of authentication in Web applications? Each correct answer represents a complete solution. Choose all that apply.
Answer : A, D, E, F
The various patterns applicable to aspects of authentication in the Web applications are as follows:
Account lockout: It implements a limit on the incorrect password attempts to protect an account from automated password-guessing
attacks.
Authenticated session: It allows a user to access more than one access-restricted Web page without re-authenticating every page. It
also integrates user authentication into the basic session model.
Password authentication: It provides protection against weak passwords, automated password-guessing attacks, and mishandling of
passwords.
Password propagation: It offers a choice by requiring that a user's authentication credentials be verified by the database before
providing access to that user's data.
Answers B and C are incorrect. The secure assertion and partitioned application patterns are applicable to software assurance in general.
You work as a security engineer for BlueWell Inc. According to you, which of the following DITSCAP/NIACAP model phases occurs at the initiation of the project, or at the initial C&A effort of a legacy system?
Answer : B
The definition phase of the DITSCAP/NIACAP model takes place at the beginning of the project, or at the initial C&A effort of a legacy system.
C&A consists of four phases in a DITSCAP assessment. These phases are the same as NIACAP phases. The order of these phases is as
follows:
1. Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This
phase determines the security requirements and level of effort necessary to achieve Certification & Accreditation (C&A).
2. Verification: The second phase confirms the evolving or modified system's compliance with the information in the SSAA. The verification phase
ensures that the fully integrated system will be ready for certification testing.
3. Validation: The third phase confirms the fully integrated system's compliance with the security policy. This phase follows the
requirements slated in the SSAA. The objective of the validation phase is to produce the evidence required to support the DAA in the
accreditation process.
4. Post Accreditation: Post Accreditation is the final phase of a DITSCAP assessment, and it starts after the system has been certified
and accredited for operations. This phase ensures secure system management, operation, and maintenance to maintain an acceptable
level of residual risk.