Certification Training for CISSP Exam Dumps Test Engine [2024]
Oct 11, 2024 Step by Step Guide to Prepare for CISSP Exam
The ISC CISSP (Certified Information Systems Security Professional) exam is one of the most prestigious and sought-after certifications in the field of information security. It is designed for professionals who want to demonstrate their expertise in designing, implementing, and managing secure information systems. The CISSP exam covers a wide range of topics, including access control, cryptography, network security, and software development security.
Information related to the ISC CISSP Certification
- CISSP More than 8 million person-years of cyber security work experience.
- ISC Certification has been on the rise since 2010, with over 8,000 individuals certified globally each year on average.
- CISSP More than 1 million research papers referenced in security literature.
- CISSP More than 4 million case studies were published in leading journals.
ISC CISSP Growth Plans ISC is actively expanding its certification program to reach more international professionals across the globe. The first step toward this goal was to create an exam that is available in English, French, Spanish, Portuguese, and Chinese. ISC has also partnered with other leading certification bodies around the globe to offer the exam locally. By partnering with local testing authorities, ISC can provide exams in multiple languages for international candidates. Enrolling test centers gives ISC the opportunity to build a successful program around the globe. CISSP practice questions (dumps) such as the ones below can help you while you prepare for the exam.
The NCC Group, one of the world's leading independent information security consulting firms, is ISC's official testing-center liaison. It provides candidates in the United Kingdom with exam registration and exam delivery options. ISC has an agreement with Accredia, a leader in IT certification delivery, to handle test scheduling and operational tasks for candidates who wish to take the CISSP exam in South Africa.
NEW QUESTION # 897
The main categories of access control do NOT include:
- A. Physical Access Control
- B. Administrative Access Control
- C. Random Access Control
- D. Logical Access Control
Answer: C
Explanation:
There are several different categories of access control. The main categories are:
- Physical Access Control
- Administrative Access Control
- Logical Access Control
- Data Access Control
NEW QUESTION # 898
What is the BEST method to use for assessing the security impact of acquired software?
- A. Common vulnerability review
- B. Threat modeling
- C. Vendor assessment
- D. Software security compliance validation
Answer: B
Explanation:
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.
NEW QUESTION # 899
Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)?
- A. The Clark-Wilson security model
- B. Dynamic separation of duties
- C. Hierarchical inheritance
- D. The Bell-LaPadula security model
Answer: B
Explanation:
Dynamic separation of duties lets a user be assigned two mutually exclusive roles but prevents both from being activated in the same session, so the conflicting privileges never aggregate at run time. Hierarchical inheritance does the opposite: a senior role accumulates the permissions of the junior roles below it. Bell-LaPadula and Clark-Wilson are security models, not RBAC constraint mechanisms.
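An added example written for this page (not taken from any (ISC)² material) that shows the two constraint types side by side in Go. The role and permission names, the constraint pairs and the user are constructed for the illustration:

```go
package main

import (
	"errors"
	"fmt"
)

// Toy payments application. Role and permission names are constructed for
// this example and do not come from any standard or product.
type Permission string
type Role string

var rolePermissions = map[Role][]Permission{
	"clerk":    {"payment:create"},
	"approver": {"payment:approve"},
	"auditor":  {"payment:read"},
}

// A separation-of-duties constraint names two roles that must not combine.
// Static SoD (SSD) forbids assigning both to one user at all; dynamic SoD
// (DSD) allows the assignment but forbids activating both in one session.
type sodPair struct{ a, b Role }

var staticSoD = []sodPair{{"approver", "auditor"}}
var dynamicSoD = []sodPair{{"clerk", "approver"}}

type User struct {
	Name  string
	Roles map[Role]bool // roles the user is authorised to activate
}

type Session struct {
	User   *User
	Active map[Role]bool // roles activated in this session
}

func NewUser(name string) *User   { return &User{Name: name, Roles: map[Role]bool{}} }
func NewSession(u *User) *Session { return &Session{User: u, Active: map[Role]bool{}} }

// conflicts reports whether adding r to the set `have` violates any pair.
func conflicts(pairs []sodPair, have map[Role]bool, r Role) error {
	for _, p := range pairs {
		if (p.a == r && have[p.b]) || (p.b == r && have[p.a]) {
			return fmt.Errorf("role %q conflicts with a role already held", r)
		}
	}
	return nil
}

// AssignRole is the administrative operation; it enforces static SoD.
func AssignRole(u *User, r Role) error {
	if _, ok := rolePermissions[r]; !ok {
		return errors.New("unknown role")
	}
	if err := conflicts(staticSoD, u.Roles, r); err != nil {
		return fmt.Errorf("static SoD: %w", err)
	}
	u.Roles[r] = true
	return nil
}

// ActivateRole is the run-time operation; it enforces dynamic SoD. A user may
// hold clerk and approver, but never with both active at once, so the
// permissions to create and to approve a payment never aggregate.
func ActivateRole(s *Session, r Role) error {
	if !s.User.Roles[r] {
		return fmt.Errorf("role %q is not assigned to %s", r, s.User.Name)
	}
	if err := conflicts(dynamicSoD, s.Active, r); err != nil {
		return fmt.Errorf("dynamic SoD: %w", err)
	}
	s.Active[r] = true
	return nil
}

// EffectivePermissions is the union of the permissions of active roles only.
func EffectivePermissions(s *Session) map[Permission]bool {
	out := map[Permission]bool{}
	for r := range s.Active {
		for _, p := range rolePermissions[r] {
			out[p] = true
		}
	}
	return out
}

func main() {
	alice := NewUser("alice")
	fmt.Println(AssignRole(alice, "clerk"))    // <nil>
	fmt.Println(AssignRole(alice, "approver")) // <nil>: only a dynamic constraint applies
	fmt.Println(AssignRole(alice, "auditor"))  // static SoD error

	s := NewSession(alice)
	fmt.Println(ActivateRole(s, "clerk"))    // <nil>
	fmt.Println(ActivateRole(s, "approver")) // dynamic SoD error
	fmt.Println(EffectivePermissions(s))     // map[payment:create:true]
}
```

The distinction that answers the question is where the check runs: static SoD is decided when roles are assigned, dynamic SoD when they are activated, and only the latter can stop a user who legitimately holds both roles from exercising them together.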
NEW QUESTION # 900
Which Orange Book evaluation level is described as "Structured Protection"?
- A. B2
- B. B1
- C. B3
- D. A1
Answer: A
Explanation:
Level B2 is described as "Structured Protection".
B2: Structured Protection. The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and covert storage channels must be identified and analyzed. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes. This class adds assurance by adding requirements to the design of the system.
The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.
Incorrect Answers:
B: Level B1 is "Labeled Security Protection", not "Structured Protection".
C: Level B3 is "Security Domains", not "Structured Protection".
D: Level A1 is "Verified Design", not "Structured Protection".
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 395-397
NEW QUESTION # 901
Which of the following would BEST support effective testing of patch compatibility when patches are applied to an organization's systems?
- A. Standardized configurations for devices
- B. Automated system patching
- C. Management support for patching
- D. Standardized patch testing equipment
Answer: A
Explanation:
Patch compatibility can only be tested meaningfully if the test systems match what is in production. Standardized device configurations make a small set of test images representative of the whole estate, so a patch that passes in the lab can be expected to behave the same way when deployed. Automated patching speeds up deployment but does not test compatibility; management support and dedicated test equipment help, but neither by itself makes the test results representative of production.
Section: Security Assessment and Testing
NEW QUESTION # 902
Why would a memory dump be admissible as evidence in court?
- A. Because the state of the memory cannot be used as evidence.
- B. Because it is used to identify the state of the system.
- C. Because of the exclusionary rule.
- D. Because it is used to demonstrate the truth of the contents.
Answer: B
Explanation:
A memory dump identifies the state of the system.
Computer-generated evidence in the form of routine operational business data or reports, or of binary disk or memory dumps, now constitutes an exception to the rule that computer-generated evidence is hearsay, and is therefore admissible in court.
Incorrect Answers:
A: The state of memory, that is, the system state, can be admissible as evidence in court.
C: The exclusionary rule makes evidence inadmissible, not admissible. It is a legal principle in the United States, under constitutional law, which holds that evidence collected or analyzed in violation of the defendant's constitutional rights is sometimes inadmissible for a criminal prosecution in a court of law.
D: A memory dump does not demonstrate the truth of its contents; it is an identification of the state of the system.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 504
NEW QUESTION # 903
Which of the following would be best suited to oversee the development of an information security policy?
- A. Security Officers
- B. System Administrators
- C. Security administrators
- D. End User
Answer: A
Explanation:
The security officer would be the best person to oversee the development of such policies.
Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high of an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), will not be understood.
Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue.
While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed.
The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units.
When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations. Once policy documents have been created, the basis for ensuring compliance is established.
Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance. An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective.
For your exam you should know the information below:
End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.
Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.
Information Systems Security Professional- Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals.
Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed in this role.
Data/Information/Business/System Owners - A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information.
Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.
Data/Information Custodian/Steward - A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed, by systems administrators. This group administers access rights to the information assets.
Information Systems Auditor- IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.
Business Continuity Planner - Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.
Information Systems/ Technology Professionals- These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application.
Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.
Network/Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off the shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.
Physical Security - The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.
Security Analyst - The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are "in the weeds" and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.
Administrative Assistants/Secretaries - This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.
Help Desk Administrator - As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control.
Supervisor - The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees' account information is up-to-date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee's role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.
Change Control Analyst Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens.
The following answers are incorrect:
System Administrators, Security administrators and End Users: each of these roles is described above. System administrators configure and maintain the infrastructure, security administrators operate the access request process, and end users follow the policies once they have been communicated; none of them is charged with overseeing policy development.
Following reference(s) were/was used to create this question:
CISA Review Manual 2014, p. 109
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle Edition.
NEW QUESTION # 904
What is the second phase of public key infrastructure (PKI) key/certificate life-cycle management?
- A. Implementation Phase
- B. Issued Phase
- C. Initialization Phase
- D. Cancellation Phase
Answer: B
Explanation:
The key/certificate life cycle is commonly divided into three phases: the initialization phase, the issued phase and the cancellation phase. The issued phase is the second of these.
* Initialization phase (first): the end entity registers with the PKI, a key pair is generated, the certificate is created and the key and certificate are delivered to the entity, the certificate is published (disseminated) and, where private-key recovery is supported, the key is backed up.
* Issued phase (second): the certificate is in use. Relying parties retrieve and validate it (checking the signature chain, the validity period and the revocation status), lost keys are recovered from backup, and keys and certificates are updated (renewed) before they expire.
* Cancellation phase (third): the certificate reaches the end of its life through expiration or revocation; superseded keys are retained as key history so that old data can still be decrypted or old signatures verified, and keys may be archived.
Initialization is the first phase and cancellation the third, so neither is the answer, and "implementation phase" is not one of the life-cycle phases at all.
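As an added example, not part of the original page, the three phases carried out with Go's standard crypto/x509 package: a toy CA enrolls an end entity from a signed request (initialization), a relying party validates the certificate against the root and a CRL and the CA issues an updated certificate for the same key (issued), and revocation is published in a signed CRL (cancellation). The CA and subject names, the one-hour lifetimes, the P-256 keys and the CRL numbering are choices made for this illustration; a real deployment also publishes certificates and CRLs where relying parties can fetch them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certification authority; names, lifetimes and serials are constructed.
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	serial  int64
	crlNum  int64
	revoked []pkix.RevokedCertificate
}

func create(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: needed to sign CRLs
	}
	cert, err := create(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Cert: cert, key: key, serial: 1}, err
}

// Issue binds pub to subject with a fresh serial. It serves the initialization
// phase (first certificate) and the issued phase (key update before expiry).
func (ca *CA) Issue(subject pkix.Name, pub any, ttl time.Duration) (*x509.Certificate, error) {
	ca.serial++
	return create(&x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca.Cert, pub, ca.key)
}

// Initialization phase: the end entity generates its own key pair (the private
// key never leaves it), registers with a PKCS #10 request signed by that key,
// and the CA checks proof of possession before creating the certificate.
func Enroll(ca *CA, cn string, ttl time.Duration) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, nil, fmt.Errorf("bad request: %w", err)
	}
	cert, err := ca.Issue(csr.Subject, csr.PublicKey, ttl)
	return key, cert, err
}

// Cancellation phase: Revoke records the serial; CRL publishes the signed list.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

func (ca *CA) CRL() ([]byte, error) {
	ca.crlNum++ // CRL numbers must increase monotonically
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		RevokedCertificates: ca.revoked, Number: big.NewInt(ca.crlNum),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
	}, ca.Cert, ca.key)
}

// Issued phase, from the relying party's side: verify the chain and validity
// period at time `at`, then the CRL's own signature, then look for the serial.
func Check(root, cert *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root)
	}
	if err != nil {
		return err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	_, cert, _ := Enroll(ca, "alice@example.test", time.Hour)
	ca.Revoke(cert)
	crl, _ := ca.CRL()
	fmt.Println(Check(ca.Cert, cert, crl, time.Now())) // certificate revoked
}
```

Two points the phases hide are visible here: the CA never sees the private key (only the CSR signed with it), and a relying party must verify the CRL's signature before trusting it, otherwise an attacker could serve an empty CRL and un-revoke a compromised certificate.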
NEW QUESTION # 905
If an operating system permits shared resources such as memory to be used sequentially by multiple users/application or subjects without a refresh of the objects/memory area, what security problem is MOST likely to exist?
- A. Disclosure of residual data.
- B. Unauthorized obtaining of a privileged execution state.
- C. Data leakage through covert channels.
- D. Denial of service through a deadly embrace.
Answer: A
Explanation:
Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data.
Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes.
Disclosure of residual data and unauthorized obtaining of a privileged execution state are both problems with shared memory and resources. Not clearing the heap/stack can result in residual data and may also allow a user to take over somebody else's session if the security token or identity was kept in that space; that second outcome is a deliberate, malicious exploitation of the first rather than a separate accident. The MOST likely issue is disclosure of residual data.
The following answers are incorrect:
Unauthorized obtaining of a privileged execution state. Is incorrect because it happens only in the special case where the residual data is a credential or token that an attacker then deliberately replays; it is a consequence of residual data, not the most likely problem.
Data leakage through covert channels. Is incorrect because a covert channel is a communication path, not leftover data. In computer security, a covert channel is a type of attack that creates a capability to transfer information between processes that are not supposed to be allowed to communicate by the security policy. The term, originated in 1973 by Lampson, is defined as "(channels) not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subject to access controls by COMPUSEC. Reading stale data from a reallocated object is an object reuse failure, not a covert channel.
Denial of service through a deadly embrace. Is incorrect because a deadly embrace is a deadlock, two processes each waiting for a resource the other holds; it has nothing to do with object reuse and is only a distractor.
References: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4174-4179). Auerbach Publications. Kindle Edition. and https://www.fas.org/irp/nsa/rainbow/tg018.htm and http://en.wikipedia.org/wiki/Covert_channel
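An added example, not taken from the page's sources, that makes the failure mode concrete with a small fixed-block allocator in Go. The pool, the two subjects and the secret string are constructed for the illustration; the allocator stands in for any OS or runtime that hands a freed object to the next requester without clearing it:

```go
package main

import (
	"bytes"
	"fmt"
)

// Pool hands out fixed-size blocks from a free list, the way an OS hands out
// page frames or a runtime hands out buffers. Sanitize decides whether a block
// is overwritten when it is released, which is the "refresh" in the question.
type Pool struct {
	blocks   [][]byte
	free     []int // handles of free blocks; the last freed is reused first
	Sanitize bool
}

func NewPool(n, size int, sanitize bool) *Pool {
	p := &Pool{Sanitize: sanitize}
	for i := 0; i < n; i++ {
		p.blocks = append(p.blocks, make([]byte, size))
		p.free = append(p.free, i)
	}
	return p
}

// Alloc returns a block handle without touching the block's contents, which
// is exactly what an allocator that "does not refresh" the object does.
func (p *Pool) Alloc() (int, bool) {
	if len(p.free) == 0 {
		return -1, false
	}
	h := p.free[len(p.free)-1]
	p.free = p.free[:len(p.free)-1]
	return h, true
}

// Free returns a block to the free list, zeroing it first when Sanitize is set.
func (p *Pool) Free(h int) {
	if p.Sanitize {
		for i := range p.blocks[h] {
			p.blocks[h][i] = 0
		}
	}
	p.free = append(p.free, h)
}

func (p *Pool) Write(h int, data []byte) { copy(p.blocks[h], data) }

// Read returns a copy of the block exactly as the next subject would see it.
func (p *Pool) Read(h int) []byte { return append([]byte(nil), p.blocks[h]...) }

// ResidualRead plays the scenario: subject A stores a secret and releases the
// block, then subject B allocates and reads before writing anything. The
// return value is what B observes; the secret is a constructed sample.
func ResidualRead(sanitize bool) string {
	p := NewPool(4, 32, sanitize)
	a, _ := p.Alloc()
	p.Write(a, []byte("api-key=CONSTRUCTED-SECRET-1"))
	p.Free(a)
	b, _ := p.Alloc() // the same block comes back: last freed, first reused
	return string(bytes.TrimRight(p.Read(b), "\x00"))
}

func main() {
	fmt.Printf("no refresh: %q\n", ResidualRead(false)) // A's secret leaks to B
	fmt.Printf("refresh:    %q\n", ResidualRead(true))  // B sees an empty block
}
```

Real allocators behave like the unsanitized pool: glibc's malloc and Go's sync.Pool both hand back memory still holding its previous contents, so the refresh has to come from the kernel zeroing pages before giving them to another process and from the application wiping secrets before it releases them.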
NEW QUESTION # 906
Which of the following exemplifies proper separation of duties?
- A. Programmers are permitted to use the system console.
- B. Console operators are permitted to mount tapes and disks.
- C. Operators are not permitted modify the system time.
- D. Tape operators are permitted to use the system console.
Answer: C
Explanation:
This is an example of Separation of Duties because operators are prevented from modifying the system time, which could otherwise be used to commit fraud. Tasks of this nature should be performed by the system administrators.
AIO defines Separation of Duties as a security principle that splits up a critical task among two or more individuals to ensure that one person cannot complete a risky task by himself.
The following answers are incorrect:
Programmers are permitted to use the system console. Is incorrect because programmers should not be permitted to use the system console; this task should be performed by operators. Allowing programmers access to the system console could allow fraud to occur, so this is not an example of Separation of Duties.
Console operators are permitted to mount tapes and disks. Is incorrect because operators should be able to mount tapes and disks, so this is not an example of Separation of Duties.
Tape operators are permitted to use the system console. Is incorrect because operators should be able to use the system console, so this is not an example of Separation of Duties.
References:
OIG CBK Access Control (page 98 - 101)
AIOv3 Access Control (page 182)
NEW QUESTION # 907
Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?
- A. Incremental backup method
- B. Full backup method
- C. Differential backup method
- D. Fast backup method
Answer: C
Explanation:
A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
Also see: http://e-articles.info/e/a/title/Backup-Types/
Backup software can use or ignore the archive bit in determining which files to back up, and can either turn the archive bit off or leave it unchanged when the backup is complete.
How the archive bit is used and manipulated determines what type of backup is done, as follows:
Full backup
A full backup, which Microsoft calls a normal backup, backs up every selected file, regardless of the status of the archive bit. When the backup completes, the backup software turns off the archive bit for every file that was backed up. Note that "full" is a misnomer because a full backup backs up only the files you have selected, which may be as little as one directory or even a single file, so in that sense Microsoft's terminology is actually more accurate. Given the choice, full backup is the method to use because all files are on one tape, which makes it much easier to retrieve files from tape when necessary.
Relative to partial backups, full backups also increase redundancy because all files are on all tapes. That means that if one tape fails, you may still be able to retrieve a given file from another tape.
Differential backup
A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies. Accordingly, any differential backup set contains all files that have changed since the last full backup. A differential backup set run soon after a full backup will contain relatively few files. One run soon before the next full backup is due will contain many files, including those contained on all previous differential backup sets since the last full backup. When you use differential backup, a complete backup set comprises only two tapes or tape sets: the tape that contains the last full backup and the tape that contains the most recent differential backup.
Incremental backup
An incremental backup is another form of partial backup. Like differential backups, incremental backups copy a selected file to tape only if the archive bit for that file is turned on. Unlike the differential backup, however, the incremental backup clears the archive bits for the files it backs up. An incremental backup set therefore contains only files that have changed since the last full backup or the last incremental backup. If you run an incremental backup daily, files changed on Monday are on the Monday tape, files changed on Tuesday are on the Tuesday tape, and so forth. When you use an incremental backup scheme, a complete backup set comprises the tape that contains the last full backup and all of the tapes that contain every incremental backup done since the last normal backup. The only advantages of incremental backups are that they minimize backup time and keep multiple versions of files that change frequently. The disadvantages are that backed-up files are scattered across multiple tapes, making it difficult to locate any particular file you need to restore, and that there is no redundancy. That is, each file is stored only on one tape.
Full copy backup
A full copy backup (which Microsoft calls a copy backup) is identical to a full backup except for the last step. The full backup finishes by turning off the archive bit on all files that have been backed up. The full copy backup instead leaves the archive bits unchanged. The full copy backup is useful only if you are using a combination of full backups and incremental or differential partial backups. The full copy backup allows you to make a duplicate "full" backup, e.g. for offsite storage, without altering the state of the hard drive you are backing up, which would destroy the integrity of the partial backup rotation.
Some Microsoft backup software provides a bizarre backup method Microsoft calls a daily copy backup. This method ignores the archive bit entirely and instead depends on the date and time stamp of files to determine which files should be backed up. The problem is that it is quite possible for software to change a file without changing its date and time stamp, or to change the date and time stamp without changing the contents of the file. For this reason, we regard the daily copy backup as entirely unreliable and recommend you avoid using it.
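The archive-bit rules above, simulated over a constructed week of changes so the resulting tape contents and restore sets can be compared across backup types. This is an added example, not code from the original text; file names, the change pattern and the `extra` job mechanism are assumptions made for the illustration.

```python
"""Archive-bit semantics of full, copy, differential and incremental backups."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Volume:
    # name -> archive bit; the OS turns the bit on whenever a file is written
    files: dict = field(default_factory=dict)

    def write(self, name: str) -> None:
        self.files[name] = True

    def backup(self, kind: str) -> frozenset:
        """Run one job and return the names that land on this tape."""
        if kind in ("full", "copy"):            # both ignore the archive bit
            chosen = frozenset(self.files)
        elif kind in ("differential", "incremental"):
            chosen = frozenset(n for n, bit in self.files.items() if bit)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in ("full", "incremental"):     # only these two clear the bit
            for n in chosen:
                self.files[n] = False
        return chosen


def run_week(kind: str, extra: Optional[tuple] = None) -> list:
    """Day 0: full backup; days 1-3: partial backups of `kind`.
    `extra=(job, day)` squeezes one more job in after that day's partial,
    e.g. ("copy", 1) for an off-site duplicate. Constructed sample files."""
    vol = Volume()
    for n in ("boot.ini", "report.doc", "notes.txt"):
        vol.write(n)
    tapes = [vol.backup("full")]
    changes = [("report.doc",), ("notes.txt",), ("report.doc", "budget.xls")]
    for day, changed in enumerate(changes, start=1):
        for n in changed:
            vol.write(n)
        tapes.append(vol.backup(kind))
        if extra and extra[1] == day:
            vol.backup(extra[0])            # a "copy" leaves the rotation intact
    return tapes


def restore_plan(kind: str, tapes: list) -> list:
    """Tape indices needed for a complete restore (index 0 is the last full)."""
    if kind == "differential":
        return [0, len(tapes) - 1]          # last full + most recent differential
    return list(range(len(tapes)))          # incremental: full + every partial since
```

Running `run_week("differential", extra=("full", 1))` shows why a mid-rotation full backup (instead of a copy backup) breaks the scheme: the next differential tape only holds changes since that unscheduled full.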
NEW QUESTION # 908
Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?
- A. Constantly changing user needs.
- B. Inadequate user participation in defining the system's requirements.
- C. Inadequate quality assurance (QA) tools.
- D. Inadequate project management.
Answer: B
Explanation:
Inadequate user participation in defining the system's requirements. Most projects fail to meet users' needs because the user community provided inadequate input, in the initial steps of the project, about what their needs really are.
The other answers, while potentially valid, are incorrect because they do not represent the most common problem associated with information systems failing to meet the needs of users.
References: All in One pg 834
Only users can define what their needs are and, therefore, what the system should accomplish. Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that doesn't fully or adequately address the needs of the user.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 296).
NEW QUESTION # 909
A federal agency has hired an auditor to perform penetration testing on a critical system as part of the mandatory, annual Federal Information Security Management Act (FISMA) security assessments. The auditor is new to this system but has extensive experience with all types of penetration testing. The auditor has decided to begin with sniffing network traffic. What type of penetration testing is the auditor conducting?
- A. White box testing
- B. Black box testing
- C. Red box testing
- D. Gray box testing
Answer: D
NEW QUESTION # 910
Which of the following statements pertaining to block ciphers is NOT true?
- A. It operates on fixed-size blocks of plaintext.
- B. Some Block ciphers can operate internally as a stream.
- C. It is more suitable for software than hardware implementations.
- D. Plain text is encrypted with a public key and decrypted with a private key.
Answer: D
Explanation:
It is not true that plain text is encrypted with a public key and decrypted with a private key with a block cipher. Block ciphers use symmetric keys.
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.
Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher.
Incorrect Answers:
A: It is true that a block cipher operates on fixed-size blocks of plaintext.
B: It is true that some block ciphers can operate internally as a stream.
C: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level.
References:
https://en.wikipedia.org/wiki/Block_cipher
https://en.wikipedia.org/wiki/Stream_cipher
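The point that a block cipher primitive can act as a stream cipher under a suitable mode, and that the same symmetric key both encrypts and decrypts, worked through in a counter-mode construction. This is an added example, not from the original page; the block function is a stand-in built from HMAC-SHA256 (an assumption made so it runs on the standard library alone, not a real cipher such as AES), and the 16-byte block and 8-byte nonce sizes are chosen for the illustration.

```python
"""A fixed-size keyed block transformation driven as a stream cipher (CTR style)."""
import hashlib
import hmac

BLOCK = 16  # bytes; mirrors the fixed block size of a real block cipher
NONCE = 8   # bytes; the remaining 8 bytes of each input block hold the counter


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic, keyed, fixed-length transformation. Stand-in for a real
    block cipher: HMAC-SHA256 truncated to one block (assumption, not AES)."""
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Counter mode: encrypt nonce||counter for successive counters and emit
    the output as a key stream. Only the forward direction is ever used."""
    if len(nonce) != NONCE:
        raise ValueError("nonce must be exactly 8 bytes")
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += block_encrypt(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with the same symmetric key: XOR with the key stream.
    Because the stream is generated byte by byte, data of any length works
    without padding, which is the stream-cipher behaviour the text refers to.
    Security caveat: a (key, nonce) pair must never be reused, since the
    resulting key stream is deterministic."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


if __name__ == "__main__":
    k, n = b"sixteen byte key", b"\x00" * NONCE      # constructed sample values
    ct = ctr_crypt(k, n, b"block cipher used as a stream cipher")
    assert ctr_crypt(k, n, ct) == b"block cipher used as a stream cipher"
```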
NEW QUESTION # 911
Which statement below is accurate about the difference between issue-specific and system-specific policies?
- A. System-specific policy is much more technically focused.
- B. Issue-specific policy commonly addresses only one system.
- C. Issue-specific policy is much more technically focused.
- D. System-specific policy is similar to program policy.
Answer: A
Explanation:
Often, managerial computer system security policies are categorized into three basic types:
- Program policy: used to create an organization's computer security program.
- Issue-specific policies: used to address specific issues of concern to the organization.
- System-specific policies: technical directives taken by management to protect a particular system.
Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. System-specific policy is much more focused, since it addresses only one system.
Table A.1 helps illustrate the difference between these three types of policies. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
NEW QUESTION # 912
What is the MAXIMUM number of host addresses available in a Class B IPv4 network?
- A. 16,384
- B. 0
- C. 65,534
- D. 16,277,214
Answer: C
NEW QUESTION # 913
ISC CISSP (Certified Information Systems Security Professional) Exam is a globally recognized certification for information security professionals. It is a highly sought-after certification for those who want to demonstrate their expertise in information security and advance their careers in this field. The CISSP certification is offered by the International Information System Security Certification Consortium (ISC)², which is a non-profit organization that specializes in information security education and certification.
Ultimate Guide to Prepare CISSP Certification Exam for ISC Certification: https://www.validdumps.top/CISSP-exam-torrent.html
ISC Certification CISSP Real Exam Questions and Answers FREE Updated: https://drive.google.com/open?id=1yq1AKUjle9oOZMwQljFYtABPVq8V63vo