Mike Chapple - (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests


Smarter, faster prep for the SSCP exam
(ISC)² SSCP Official Practice Tests, 2nd Edition


Using the Online Practice Tests

All of the questions in this book are also available in Sybex’s online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You’ll receive a pin code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.

Do you need more? If you are not seeing passing grades on these practice tests, look for the all-new (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide, Third Edition by Michael S. Wills (ISBN: 978-1-119-85498-2). This book is an excellent resource to master any SSCP topics causing problems. It maps every official exam objective to the corresponding chapter in the book to help track exam prep objective-by-objective, and it includes challenging review questions in each chapter to prepare for exam day and online test prep materials with flashcards and additional practice tests.

Chapter 1 Security Operations and Administration (Domain 1)

THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 1.0: Security Operations and Administration

1.1 Comply with codes of ethics
  - (ISC)2 Code of Ethics
  - Organizational code of ethics

1.2 Understand security concepts
  - Confidentiality
  - Integrity
  - Availability
  - Accountability
  - Privacy
  - Non-repudiation
  - Least privilege
  - Segregation of duties (SoD)

1.3 Identify and implement security controls
  - Technical controls (e.g., session timeout, password aging)
  - Physical controls (e.g., mantraps, cameras, locks)
  - Administrative controls (e.g., security policies, standards, procedures, baselines)
  - Assessing compliance
  - Periodic audit and review

1.4 Document and maintain functional security controls
  - Deterrent controls
  - Preventative controls
  - Detective controls
  - Corrective controls
  - Compensating controls

1.5 Participate in asset management lifecycle (hardware, software, and data)
  - Process, planning, design, and initiation
  - Development/Acquisition
  - Inventory and licensing
  - Implementation/Assessment
  - Operation/Maintenance
  - Archiving and retention requirements
  - Disposal and destruction

1.6 Participate in change management lifecycle
  - Change management (e.g., roles, responsibilities, processes)
  - Security impact analysis
  - Configuration management (CM)

1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing)

1.8 Collaborate with physical security operations (e.g., data center assessment, badging)

1 Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?
  A. Street addresses
  B. Item codes
  C. Mobile phone numbers
  D. Social Security numbers

2 Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?
  A. Firewall rules
  B. Policy documents
  C. Security standards
  D. Periodic audits

3 Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?
  A. Organizational code of ethics
  B. (ISC)2 code of ethics
  C. Organizational security policy
  D. (ISC)2 security policy

4 Which one of the following is an administrative control that can protect the confidentiality of information?
  A. Encryption
  B. Nondisclosure agreement
  C. Firewall
  D. Fault tolerance

5 Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
  A. His supply chain
  B. His vendor contracts
  C. His post-purchase build process
  D. The original equipment manufacturer (OEM)

6 The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
  A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
  B. Disclose breaches of privacy, trust, and ethics.
  C. Provide diligent and competent service to the principals.
  D. Advance and protect the profession.

7 Which one of the following control categories does not accurately describe a fence around a facility?
  A. Physical
  B. Detective
  C. Deterrent
  D. Preventive

8 Which one of the following actions might be taken as part of a business continuity plan?
  A. Restoring from backup tapes
  B. Implementing RAID
  C. Relocating to a cold site
  D. Restarting business operations

9 Which one of the following is an example of physical infrastructure hardening?
  A. Antivirus software
  B. Hardware-based network firewall
  C. Two-factor authentication
  D. Fire suppression system

10 Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
  A. Availability
  B. Confidentiality
  C. Disclosure
  D. Distributed

11 The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
  A. Mandatory vacation
  B. Separation of duties
  C. Defense in depth
  D. Job rotation

12 Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
  A. Integrity
  B. Availability
  C. Confidentiality
  D. Denial

For questions 13–15, please refer to the following scenario.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

13 Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?
  A. Digital signatures
  B. Virtual private network
  C. Virtual LAN
  D. Digital content management

14 You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
  A. Server clustering
  B. Load balancing
  C. RAID
  D. Scheduled backups

15 Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
  A. Hashing
  B. ACLs
  C. Read-only attributes
  D. Firewalls
