Free Preparation Discussions
MENU
ISC2 CSSLP Exam Questions
- Topic 1: Manage Security Within a Software Development Methodology/ Define Software Security Requirements
- Topic 2: Perform Security Architecture and Design Review/ Identify and Analyze Compliance Requirements
- Topic 3: Analyze Security Implications of Test Results/ Identify and Analyze Data Classification Requirements
- Topic 4: Incorporate Integrated Risk Management (IRM)/ Develop Security Requirement Traceability Matrix (STRM)
- Topic 5: Use Secure Architecture and Design Principles, Patterns, and Tools/ Model (Non-Functional) Security Properties and Constraints
- Topic 6: Perform Verification and Validation Testing/ Performing Architectural Risk Assessment
- Topic 7: Define and Develop Security Documentation/ Identify and Analyze Privacy Requirements
- Topic 8: Develop Security Testing Strategy and Plan/ Evaluate and Select Reusable Secure Design
- Topic 9: Securely Reuse Third-Party Code or Libraries/ Identify Security Standards and Frameworks
- Topic 10: Apply Security During the Build Process/ Define Secure Operational Architecture
- Topic 11: Adhere to Relevant Secure Coding Practices/ Identify Undocumented Functionality
Free ISC2 CSSLP Exam Actual Questions
Note: Premium Questions for CSSLP were last updated On Dec. 12, 2024 (see below)
Which of the following describes the acceptable amount of data loss measured in time?
The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must
be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an 'acceptable loss' in a
disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2
hours. Based on this RPO the data must be restored to within 2 hours of the disaster.
Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process
must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It
includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the communication to the users. Decision time
for user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may
start at the same, or different, points.
In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a
process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance.
The RTO attaches to the business process and not the resources required to support the process.
Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on
recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered
infrastructure to the business.
Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point
Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.
Who amongst the following makes the final accreditation decision?
The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United
States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level
of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's
risks are not at an acceptable level and the system is not ready to be operational.
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Insures the information systems configuration with the agency's information security policy.
Supports the information system owner/information owner for the completion of security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an
Information System Security Engineer are as follows:
Provides view on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief
Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks,
and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational,
financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board for enabling the business to balance risk
and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management
(ERM) approach.
Fill in the blank with an appropriate phrase The is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules
designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may
not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
Who amongst the following makes the final accreditation decision?
The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United
States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level
of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's
risks are not at an acceptable level and the system is not ready to be operational.
Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information
System Security Officer (ISSO) are as follows:
Manages the security of the information system that is slated for Certification & Accreditation (C&A).
Insures the information systems configuration with the agency's information security policy.
Supports the information system owner/information owner for the completion of security-related responsibilities.
Takes part in the formal configuration management process.
Prepares Certification & Accreditation (C&A) packages.
Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an
Information System Security Engineer are as follows:
Provides view on the continuous monitoring of the information system.
Provides advice on the impacts of system changes.
Takes part in the configuration management process.
Takes part in the development activities that are required to implement system changes.
Follows approved system changes.
Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief
Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks,
and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational,
financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board for enabling the business to balance risk
and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management
(ERM) approach.
Fill in the blank with an appropriate phrase The is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules
designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may
not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Lazaro
10 days agoTawanna
12 days agoCarissa
27 days agoWynell
1 months agoMabelle
1 months agoAshley
1 months agoShenika
2 months agoNicolette
2 months agoTerina
2 months agoDustin
2 months agoMarylin
2 months agoDulce
3 months agoCarmela
3 months agoLeah
3 months agoErinn
4 months agoLarue
5 months agoRochell
5 months agoElli
6 months ago