Free Access to ISC.SSCP.v2023-01-01.q803 with Valid Practice Test (Page 119)

Question 586

Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector?

A.Using a TACACS+ server.
B.Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
C.Setting modem ring count to at least 5.
D.Only attaching modems to non-networked hosts.

Question 587

What can be defined as: It confirms that users' needs have been met by the supplied solution ?

A.Accreditation
B.Certification
C.Assurance
D.Acceptance

Correct Answer: D

Explanation/Reference:
Acceptance confirms that users' needs have been met by the supplied solution. Verification and Validation informs Acceptance by establishing the evidence - set against acceptance criteria - to determine if the solution meets the users' needs. Acceptance should also explicitly address any integration or interoperability requirements involving other equipment or systems. To enable acceptance every user and system requirement must have a 'testable' characteristic.
Accreditation is the formal acceptance of security, adequacy, authorization for operation and acceptance of existing risk. Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode using a prescribed set of safeguards to an acceptable level of risk.
Certification is the formal testing of security safeguards and assurance is the degree of confidence that the implemented security measures work as intended. The certification is a Comprehensive evaluation of the technical and nontechnical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified ecurity requirements.
Assurance is the descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the Security Targets (ST) and Protection Profiles (PP), respectively.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 4, August 1999.
and
Official ISC2 Guide to the CISSP CBK, Second Edition, on page 211.
and
http://www.aof.mod.uk/aofcontent/tactical/randa/content/randaintroduction.htm

Question 588

Which of the following is less likely to be included in the change control sub-phase of the
maintenance phase of a software product?

A.Estimating the cost of the changes requested
B.Recreating and analyzing the problem
C.Determining the interface that is presented to the user
D.Establishing the priorities of requests

Question 589

Why would a memory dump be admissible as evidence in court?

A.Because it is used to demonstrate the truth of the contents.
B.Because it is used to identify the state of the system.
C.Because the state of the memory cannot be used as evidence.
D.Because of the exclusionary rule.

Question 590

What is the goal of the Maintenance phase in a common development process of a security policy?

A.to review the document on the specified review date
B.publication within the organization
C.to write a proposal to management that states the objectives of the policy
D.to present the document to an approving body

Question 586

Question 587

Question 588

Question 589

Question 590

Download PDF File