ISC2 Certified Secure Software Lifecycle Professional Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

Fill in the blank with an appropriate phrase: The ____ is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.

Answer : A

The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject (no write up), or be corrupted by data from a lower level than the subject (no read down).
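The two rules in the explanation above, applied by a small reference monitor over ordered integrity levels. This is an added example, not material from the exam or the original page; the level names, subjects and objects are constructed for illustration and are assumptions. Beyond the strict rules, the block also shows Biba's subject low-water mark variant, in which a read of lower-integrity data lowers the subject's own level instead of being denied.

```python
"""Added example, not from the original page: a small reference monitor that
enforces the Biba integrity model's mandatory rules over ordered integrity
levels. The level names, subjects and objects below are constructed for
illustration and are assumptions, not anything the page defines."""
from enum import IntEnum


class Level(IntEnum):
    """Ordered integrity levels; a higher value means more trustworthy."""
    UNTRUSTED = 0  # e.g. data that arrived from the network
    USER = 1
    SYSTEM = 2
    KERNEL = 3


# Constructed labelling of subjects (active entities) and objects (data).
SUBJECTS = {
    "net_parser": Level.UNTRUSTED,
    "web_worker": Level.USER,
    "installer": Level.SYSTEM,
}
OBJECTS = {
    "inbound_request": Level.UNTRUSTED,
    "user_profile": Level.USER,
    "app.conf": Level.SYSTEM,
    "firmware": Level.KERNEL,
}


def strict_biba(subject: Level, target: Level, op: str) -> bool:
    """Strict Biba: a subject may neither read down nor write up.

    read   -> Simple Integrity Property: target level >= subject level
              (the subject is not corrupted by less trustworthy data)
    write  -> *-Integrity Property: target level <= subject level
              (the subject cannot corrupt more trustworthy data)
    invoke -> Invocation Property: the invoked subject's level <= subject level
    """
    if op == "read":
        return target >= subject
    if op in ("write", "invoke"):
        return target <= subject
    raise ValueError(f"unknown operation {op!r}")


def decide(subject_name: str, op: str, target_name: str) -> bool:
    """Look up the labels and apply the strict rules to one request.
    An 'invoke' targets another subject; 'read'/'write' target an object."""
    table = SUBJECTS if op == "invoke" else OBJECTS
    return strict_biba(SUBJECTS[subject_name], table[target_name], op)


class LowWaterMarkSubject:
    """Biba's subject low-water mark policy: instead of denying a read of
    lower-integrity data, the subject's own level drops to that of the data,
    so anything it writes afterwards is treated as less trustworthy."""

    def __init__(self, name: str, level: Level):
        self.name = name
        self.level = level

    def read(self, object_name: str) -> Level:
        self.level = min(self.level, OBJECTS[object_name])
        return self.level

    def write(self, object_name: str) -> bool:
        # Writes are still governed by the *-Integrity Property.
        return strict_biba(self.level, OBJECTS[object_name], "write")


def demo() -> list:
    """Apply the strict rules to a constructed batch of requests and return
    each request together with its decision."""
    requests = [
        ("web_worker", "read", "app.conf"),         # read up: allowed
        ("web_worker", "read", "inbound_request"),  # read down: denied
        ("web_worker", "write", "user_profile"),    # write at own level: allowed
        ("net_parser", "write", "app.conf"),        # write up: denied
        ("installer", "write", "user_profile"),     # write down: allowed
        ("net_parser", "invoke", "installer"),      # invoke a higher subject: denied
    ]
    return [(s, op, t, decide(s, op, t)) for s, op, t in requests]


def low_water_mark_demo() -> tuple:
    """An installer that reads untrusted input loses the right to write
    system-level data: (write before, level after read, write after)."""
    installer = LowWaterMarkSubject("installer", Level.SYSTEM)
    before = installer.write("app.conf")     # SYSTEM may write SYSTEM
    installer.read("inbound_request")        # reading UNTRUSTED data demotes it
    after = installer.write("app.conf")      # now UNTRUSTED: write up is denied
    return before, installer.level, after


if __name__ == "__main__":
    for subject, op, target, allowed in demo():
        print(f"{subject:11s} {op:6s} {target:16s} -> {'ALLOW' if allowed else 'DENY'}")
    print("low-water mark:", low_water_mark_demo())
```

The strict rules are the mirror image of Bell-LaPadula's confidentiality rules: there the subject may read down and write up, here it may read up and write down. The low-water mark variant is what makes "a subject may be corrupted by lower-level data" concrete: the corruption is recorded by demoting the subject rather than by refusing the read.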


Question 2

A service provider guarantees end-to-end network traffic performance to a customer. Which of the following types of agreement is this?



Answer : A

This is a type of service-level agreement.

A service-level agreement (SLA) is a negotiated agreement between two parties where one is the customer and the other is the service provider. It records a common understanding about services, priorities, responsibilities, guarantees, and warranties. Each area of service scope should have the 'level of service' defined. The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing.

Answer C is incorrect. A non-disclosure agreement (NDA) is a contract that obliges the parties to keep specified information confidential; it is often used, for example, to protect an invention while potential licensees evaluate it. It makes no commitment about service performance.

Answer D is incorrect. A license agreement (LA) describes the rights and responsibilities of a party related to the use and exploitation of intellectual property.

Answer B is incorrect. A VPN (virtual private network) is a technology for carrying private traffic over a shared network, not a type of agreement.


Question 3

Which of the following is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known, but by which a business can obtain an economic advantage over its competitors?



Answer : C

A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known and by which a business can obtain an economic advantage over its competitors. In some jurisdictions, such secrets are referred to as confidential information.

Answer A is incorrect. A copyright is a form of intellectual property which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals.

Answer B is incorrect. A utility model is an intellectual property right that protects inventions, similar to a patent but typically with a shorter term and less stringent requirements.

Answer D is incorrect. A cookie is a small piece of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application whenever a user visits a site. Cookies are stored in the memory or on the hard disk of client computers. A Web site stores information, such as user preferences and settings, in a cookie; this information helps in providing customized services to users. A Web server cannot read arbitrary private information about a user or his computer through cookies: it can only read back what it (or a script it served) previously stored, or what the user supplied. Browsers scope cookies by domain, so a Web server cannot access cookies created by other Web servers.


Question 4

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using certain functions. Which of the following functions are used by dynamic analysis tools, as summarized by NIST SAMATE? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using the following functions:

Resource fault injection
Network fault injection
System fault injection
User interface fault injection
Design attack
Implementation attack
File corruption

Answer B is incorrect. That function is one NIST SAMATE lists for static analysis tools, not for dynamic analysis tools.
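What resource and network fault injection look like in practice, as an added example that is not part of the original page or of any NIST SAMATE tool. The harness drives a constructed target function (an atomic "fetch a config and install it" routine, assumed for illustration) through injected network timeouts, connection resets, a truncated transfer (a file corruption case), a full disk and an unwritable destination, and records whether the target failed closed: reported failure, installed nothing, and left no temp file behind. The fake network client, the fault names and the config payload are all constructed.

```python
"""Added example, not from the original page: a small fault-injection harness
of the kind NIST SAMATE describes for dynamic analysis tools, exercising the
resource and network fault injection functions plus a truncated-transfer
(file corruption) case. The target function, the fake network client and the
fault names are constructed for illustration and are assumptions."""
import errno
import os
import socket
import tempfile
from typing import Optional
from unittest import mock


class FakeNetwork:
    """Constructed stand-in for a network client; `fault` selects the
    injected network fault, if any."""

    def __init__(self, payload: bytes, fault: Optional[str] = None):
        self.payload = payload
        self.fault = fault

    def fetch(self) -> bytes:
        if self.fault == "timeout":
            raise socket.timeout("injected: read timed out")
        if self.fault == "reset":
            raise ConnectionResetError(errno.ECONNRESET, "injected: connection reset")
        if self.fault == "truncated":
            return self.payload[: len(self.payload) // 2]
        return self.payload


def save_remote_config(net: FakeNetwork, dest: str, expected_len: int) -> bool:
    """Target under test (constructed): fetch a config over `net` and install
    it atomically at `dest`. Contract: return True only on a complete install,
    return False on any fault, never leave a partial file or a stray temp file."""
    tmp = None
    try:
        data = net.fetch()
        if len(data) != expected_len:
            return False  # truncated transfer: do not install corrupt data
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, dest)  # atomic rename: dest is either complete or absent
        tmp = None
        return True
    except (socket.timeout, ConnectionError, OSError):
        return False
    finally:
        if tmp is not None and os.path.exists(tmp):
            os.unlink(tmp)  # resource fault after the write: clean up the temp file


def inject(workdir: str) -> dict:
    """Run the target under each fault scenario and record what it did."""
    payload = b"max_sessions=10\nallow_anonymous=false\n"  # constructed config
    dest = os.path.join(workdir, "app.conf")
    report = {}

    def run(name: str, net: FakeNetwork, resource_fault: Optional[Exception] = None):
        if os.path.exists(dest):
            os.unlink(dest)  # every scenario starts without an installed file
        if resource_fault is not None:
            # Resource fault injection: make the final rename fail as the OS would.
            with mock.patch("os.replace", side_effect=resource_fault):
                ok = save_remote_config(net, dest, len(payload))
        else:
            ok = save_remote_config(net, dest, len(payload))
        report[name] = {
            "ok": ok,
            "dest_exists": os.path.exists(dest),
            "leftover": sorted(f for f in os.listdir(workdir) if f != "app.conf"),
        }

    run("baseline", FakeNetwork(payload))
    run("net_timeout", FakeNetwork(payload, "timeout"))
    run("net_reset", FakeNetwork(payload, "reset"))
    run("file_truncated", FakeNetwork(payload, "truncated"))
    run("disk_full", FakeNetwork(payload),
        OSError(errno.ENOSPC, "injected: no space left on device"))
    run("dest_not_writable", FakeNetwork(payload),
        PermissionError(errno.EACCES, "injected: permission denied"))
    return report


def failed_closed(report: dict) -> bool:
    """True if the baseline succeeded cleanly and every injected fault was
    contained: the call returned False, nothing was installed, no temp file."""
    for name, r in report.items():
        if name == "baseline":
            if not (r["ok"] and r["dest_exists"] and not r["leftover"]):
                return False
        elif r["ok"] or r["dest_exists"] or r["leftover"]:
            return False
    return True


def fault_report() -> dict:
    """Run all scenarios in a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as workdir:
        return inject(workdir)


if __name__ == "__main__":
    rep = fault_report()
    for name, r in rep.items():
        print(f"{name:18s} ok={str(r['ok']):5s} dest={str(r['dest_exists']):5s} leftover={r['leftover']}")
    print("failed closed:", failed_closed(rep))
```

The point of the harness is the observation, not the faults themselves: a dynamic analysis tool is only useful if it checks the post-fault state (here: no partial config, no leaked temp file) rather than just whether the program survived. Swapping `os.replace` for a version of `save_remote_config` that writes `dest` directly would make the `disk_full` scenario leave a half-written config behind, and `failed_closed` would report it.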


Question 5

Which of the following are examples of passive attacks?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of a system without affecting its state. Hence, they are considered passive attacks.


Question 6

Which of the following is NOT a responsibility of a data owner?



Answer : D

The task in option D is not a responsibility of the data owner; it belongs to the data custodian (information custodian), who is responsible for maintaining and protecting the data.

Answers A, B, and C are incorrect. All of these are responsibilities of a data owner.

The roles and responsibilities of a data owner are as follows:

The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.

The data owner decides upon the classification of the data that he is responsible for and alters that classification if the business needs arise.

This person is also responsible for ensuring that the necessary security controls are in place, ensuring that proper access rights are being used, defining security requirements per classification and backup requirements, approving any disclosure activities, and defining user access criteria.

The data owner approves access requests or may choose to delegate this function to business unit managers. It is the data owner who will deal with security violations pertaining to the data he is responsible for protecting.

The data owner delegates responsibility for the day-to-day maintenance of the data protection mechanisms to the data custodian.


Question 7

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?



Answer : C

C&A consists of four phases in a DITSCAP assessment. These phases are the same as the NIACAP phases. The order of these phases is as follows:

1. Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This phase determines the security requirements and the level of effort necessary to achieve Certification & Accreditation (C&A).

2. Verification: The second phase confirms the evolving or modified system's compliance with the information agreed upon in the System Security Authorization Agreement (SSAA). The verification phase ensures that the fully integrated system will be ready for certification testing.

3. Validation: The third phase confirms the fully integrated system's compliance with the security policy and with the requirements stated in the SSAA. The objective of the validation phase is to produce the evidence required to support the Designated Approving Authority (DAA) in the accreditation decision.

4. Post Accreditation: Post accreditation is the final phase of a DITSCAP assessment and it starts after the system has been certified and accredited for operations. This phase ensures secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

