Which of the following characteristics are described by the DIAP Information Readiness Assessment function? Each correct answer represents a complete solution. Choose all that apply.
Answer : B, C, D
The characteristics of the DIAP Information Readiness Assessment function are as follows:
It provides data needed to accurately assess IA readiness.
It identifies and generates IA requirements.
It performs vulnerability/threat analysis assessment.
Answer A is incorrect. It is a function performed by the ASSET system.
How can you calculate the Annualized Loss Expectancy (ALE) that may occur due to a threat?
Answer : A
The Annualized Loss Expectancy (ALE) that occurs due to a threat can be calculated by multiplying the Single Loss Expectancy (SLE) by the
Annualized Rate of Occurrence (ARO):
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
Annualized Rate of Occurrence (ARO) is a number that represents the estimated frequency with which a threat is expected to occur. It is
calculated based upon the probability of the event occurring and the number of employees that could make that event occur.
Single Loss Expectancy (SLE) is the value in dollars that is assigned to a single event. SLE can be calculated by the following formula:
SLE = Asset Value ($) × Exposure Factor (EF)
The Exposure Factor (EF) represents the percentage of asset loss caused by a threat. The EF is required to calculate the Single Loss Expectancy (SLE).
Which of the following are examples of the application programming interface (API)?
Each correct answer represents a complete solution. Choose three.
Answer : B, C, D
Perl, .NET, and PHP are examples of the application programming interface (API). API is a set of routines, protocols, and tools that users can
use to work with a component, application, or operating system. It consists of one or more DLLs that provide specific functionality. API helps in
reducing the development time of applications by reducing application code. Most operating environments, such as MS-Windows, provide an
API so that programmers can write applications consistent with the operating environment.
Answer A is incorrect. HTML stands for Hypertext Markup Language. It is a set of markup symbols or codes used to create Web pages
and define formatting specifications. The markup tells the Web browser how to display the content of the Web page.
You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of lack of space, casting it is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?
Answer : D
According to the question, you are hiring a local expert team for casting the column. As you have transferred your risk to a third party, this is
the transference risk response that you have adopted. Transference is a strategy to mitigate negative risks or threats. In this strategy, the
consequences and the ownership of a risk are transferred to a third party. This strategy does not eliminate the risk but transfers the responsibility
for managing the risk to another party. Insurance is an example of transference.
Answer C is incorrect. Mitigation is a risk response planning technique associated with threats that seeks to reduce the probability of
occurrence or impact of a risk to below an acceptable threshold. Risk mitigation involves taking early action to reduce the probability and
impact of a risk occurring on the project. Adopting less complex processes, conducting more tests, or choosing a more stable supplier are
examples of mitigation actions.
Answer A is incorrect. Avoidance involves changing the project management plan to eliminate the threat entirely.
Answer B is incorrect. Acceptance response is a part of the Risk Response Planning process. Acceptance response delineates that the
project plan will not be changed to deal with the risk. Management may develop a contingency plan if the risk does occur. Acceptance
response to a risk event is a strategy that can be used for risks that pose either threats or opportunities. Acceptance response can be of two
types:
Passive acceptance: It is a strategy in which no plans are made to try to avoid or mitigate the risk.
Active acceptance: Such responses include developing contingency reserves to deal with risks, in case they occur.
Acceptance is the only response for both threats and opportunities.
Which of the following life cycle modeling activities establishes service relationships and message exchange paths?
Answer : A
The service-oriented logical design modeling establishes service relationships and message exchange paths. It also addresses service
visibility and crafts service logical compositions.
Which of the following tools is used to attack the Digital Watermarking?
Answer : C
2Mosaic is a tool used for watermark breaking. It is an attack against a digital watermarking system. In this type of attack, an image is
chopped into small pieces and then placed together. When this image is embedded into a web page, the web browser renders the small
pieces into one image. This image looks like a real image with no watermark in it. This attack is successful, as it is impossible to read the
watermark in very small pieces.
Answer D is incorrect. Gifshuffle is used to hide messages or information inside GIF images. It is done by shuffling the colormap. This tool
also provides compression and encryption.
Answers A and B are incorrect. Active Attacks and Steg-Only Attacks are used to attack Steganography.
Which of the following plans is designed to protect critical business processes from natural or man-made failures or disasters and the resultant loss of capital due to the unavailability of normal business processes?
Answer : B
The business continuity plan is designed to protect critical business processes from natural or man-made failures or disasters and the
resultant loss of capital due to the unavailability of normal business processes.
Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore
partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical
plan is called a business continuity plan.
Answer C is incorrect. The crisis communication plan can be broadly defined as the plan for the exchange of information before, during,
or after a crisis event. It is considered a sub-specialty of the public relations profession that is designed to protect and defend an
individual, company, or organization facing a public challenge to its reputation.
The aim of a crisis communication plan is to help organizations achieve continuity of critical business processes and information flows under
crisis, disaster, or event-driven circumstances.
Answer A is incorrect. A contingency plan is a plan devised for a specific situation in which things could go wrong. Contingency plans are
often devised by governments or businesses that want to be prepared for anything that could happen. Contingency plans include specific
strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also
include a monitoring process and 'triggers' for initiating planned actions. They are required to help governments, businesses, or individuals
recover from serious incidents in the minimum time with minimum cost and disruption.
Answer D is incorrect. A disaster recovery plan should contain data, hardware, and software that can be critical for a business. It
should also include the plan for sudden loss such as a hard disk crash. The business should use backup and data recovery utilities to limit the
loss of data.