Mike Chapple - (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests


Smarter, faster prep for the SSCP exam
(ISC)² SSCP Official Practice Tests, 2nd Edition


23. Which one of the following does not describe a standard physical security requirement for wiring closets?
A. Place only in areas monitored by security guards.
B. Do not store flammable items in the closet.
C. Use sensors on doors to log entries.
D. Perform regular inspections of the closet.

24. Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?
A. Firewall
B. Intrusion detection system
C. Parameter checking
D. Vulnerability scanning

25. Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?
A. Mantrap
B. Electric lock
C. Magnetic lock
D. Turnstile

26. Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?
A. Smart card
B. Proximity card
C. Magnetic stripe card
D. Phase three card

27. Which one of the following facilities would have the highest level of physical security requirements?
A. Data center
B. Network closet
C. SCIF
D. Cubicle work areas

28. Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?
A. Data minimization
B. Accuracy
C. Storage limitations
D. Purpose limitations

29. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
A. Corrective
B. Logical
C. Compensating
D. Administrative

30. Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.
Controls
1. Password
2. Account reviews
3. Badge readers
4. MFA
5. IDP
Categories
A. Administrative
B. Technical
C. Physical

31. Which of the following access control categories would not include a door lock?
A. Physical
B. Corrective
C. Preventative
D. Deterrent

For questions 53–54, please refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

1. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
A. Separation of duties
B. Least privilege
C. Aggregation
D. Separation of privileges

2. As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?
A. Segregation of duties
B. Aggregation
C. Two-person control
D. Defense in depth

3. Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
A. Need to know
B. Least privilege
C. Separation of duties
D. Two-person control

4. Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties

5. Which of the following is not true about the (ISC)2 code of ethics?
A. Adherence to the code is a condition of certification.
B. Failure to comply with the code may result in revocation of certification.
C. The code applies to all members of the information security profession.
D. Members who observe a breach of the code are required to report the possible violation.

6. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
A. Need to know
B. Least privilege
C. Two-person control
D. Transitive trust

7. Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
A. Espionage
B. Confidentiality breach
C. Sabotage
D. Integrity breach

8. Which one of the following is not a canon of the (ISC)2 code of ethics?
A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
B. Promptly report security vulnerabilities to relevant authorities.
C. Act honorably, honestly, justly, responsibly, and legally.
D. Provide diligent and competent service to principals.

9. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Security through obscurity

10. Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?
A. Security guidelines
B. Security policy
C. Baseline configuration
D. Running configuration

11. Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
A. Unit testing
B. Acceptance testing
C. Regression testing
D. Vulnerability testing

12. Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?
A. Defense in depth
B. Security through obscurity
C. Least privilege
D. Separation of duties

13. What technology asset management practice would an organization use to ensure that systems meet baseline security standards?
A. Change management
B. Patch management
C. Configuration management
D. Identity management

14. The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?
A. Review the logs and require digital signatures for each log.
B. Require authentication for all actions taken and capture logs centrally.
C. Log the use of administrative credentials and encrypt log data in transit.
D. Require authorization and capture logs centrally.

15. Veronica is responsible for her organization’s asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?
A. Implementation/assessment
B. Operation/maintenance
C. Inventory and licensing
D. Process, planning, design, and initiation

16. Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
A. GNU Public License
B. Freeware
C. Open source
D. Public domain

17. When an attacker called an organization’s help desk and persuaded them to reset a password due to the help desk employee’s trust and willingness to help, what type of attack succeeded?
A. Trojan horse
B. Social engineering
C. Phishing
D. Whaling

Chapter 2 Access Controls (Domain 2)
