ISC2 CSSLP Certified Secure Software Lifecycle Professional Exam Practice Test

Page: 1 / 14
Total 357 questions
Question 1

Which of the following describes the acceptable amount of data loss measured in time?



Answer : A

The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an 'acceptable loss' in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time for trying to fix the problem without a recovery, the recovery itself, tests, and the communication to the users. Decision time for user representatives is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.

In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not the resources required to support the process.

Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise or an actual event, or is predetermined based on the recovery methodology that the technology support team develops. This is the time frame the technology support team takes to deliver the recovered infrastructure to the business.

Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.


Question 2

A service provider guarantees end-to-end network traffic performance to a customer. Which of the following types of agreement is this?



Answer : A

This is a type of service-level agreement.

A service-level agreement (SLA) is a negotiated agreement between two parties where one is the customer and the other is the service provider. It records a common understanding about services, priorities, responsibilities, guarantees, and warranties. Each area of service scope should have the 'level of service' defined. The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing.

Answer C is incorrect. Non-disclosure agreements (NDAs) are often used to protect the confidentiality of an invention as it is being evaluated by potential licensees.

Answer D is incorrect. License agreements (LA) describe the rights and responsibilities of a party related to the use and exploitation of intellectual property.

Answer B is incorrect. There is no such type of agreement as VPN.


Question 3

Which of the following is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known, but by which a business can obtain an economic advantage over its competitors?



Answer : C

A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known. It helps a business to obtain an economic advantage over its competitors or customers. In some jurisdictions, such secrets are referred to as confidential information or classified information.

Answer A is incorrect. A copyright is a form of intellectual property, which secures to its holder the exclusive right to produce copies of his or her works of original expression, such as a literary work, movie, musical work or sound recording, painting, photograph, computer program, or industrial design, for a defined, yet extendable, period of time. It does not cover ideas or facts. Copyright laws protect intellectual property from misuse by other individuals.

Answer B is incorrect. A utility model is an intellectual property right to protect inventions.

Answer D is incorrect. A cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application whenever a user visits a site. Cookies are stored in the memory or hard disk of client computers. A Web site stores information, such as user preferences and settings, in a cookie. This information helps in providing customized services to users. There is absolutely no way a Web server can access any private information about a user or his computer through cookies, unless a user provides the information. A Web server cannot access cookies created by other Web servers.


Question 4

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using some functions. Which of the following are functions that are used by the dynamic analysis tools and are summarized in the NIST SAMATE? Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

According to the NIST SAMATE, dynamic analysis tools operate by generating runtime vulnerability scenarios using the following functions:

Resource fault injection

Network fault injection

System fault injection

User interface fault injection

Design attack

Implementation attack

File corruption

Answer B is incorrect. This function is summarized for static analysis tools.


Question 5

Which of the following are examples of passive attacks?

Each correct answer represents a complete solution. Choose all that apply.



Answer : A, C, D

In eavesdropping, dumpster diving, and shoulder surfing, the attacker violates the confidentiality of a system without affecting its state. Hence, they are considered passive attacks.


Question 6

Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?



Answer : D

A contingency plan is a plan devised for a specific situation when things could go wrong. Contingency plans include specific strategies and actions to deal with specific variances to assumptions resulting in a particular problem, emergency, or state of affairs. They also include a monitoring process and triggers for initiating planned actions.

Answer A is incorrect. Disaster recovery is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.

Answer B is incorrect. It deals with the plans and procedures that identify and prioritize the critical business functions that must be preserved.

Answer C is incorrect. It includes the documented plans and procedures that ensure the continuity of critical operations during any period where normal operations are impossible.


Question 7

Which of the following security architectures defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms?



Answer : C

In computing, a service-oriented architecture (SOA) is a flexible set of design principles used during the phases of systems development and integration. A deployed SOA-based architecture will provide a loosely-integrated suite of services that can be used within multiple business domains.

SOA also generally provides a way for consumers of services, such as web-based applications, to be aware of available SOA-based services. For example, several disparate departments within a company may develop and deploy SOA services in different implementation languages; their respective clients will benefit from a well understood, well defined interface to access them. XML is commonly used for interfacing with SOA services, though this is not required.

SOA defines how to integrate widely disparate applications for a world that is Web-based and uses multiple implementation platforms. Rather than defining an API, SOA defines the interface in terms of protocols and functionality. An endpoint is the entry point for such an SOA implementation.

(Layer interaction in Service-oriented architecture)

Answer A is incorrect. SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for Enterprise Security Architecture and Service Management. SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.

Answer D is incorrect. The service-oriented modeling and architecture (SOMA) includes an analysis and design method that extends traditional object-oriented and component-based analysis and design methods to include concerns relevant to and supporting SOA.

Answer B is incorrect. Enterprise architecture describes the terminology, the composition of subsystems, and their relationships with the external environment, and the guiding principles for the design and evolution of an enterprise.

