Book Based Questions-Csslp

The document consists of a series of multiple-choice questions related to access control mechanisms, risk management, security policies, software development methodologies, and policy decomposition. It covers various concepts such as discretionary access control, the CIA triad, and the importance of security in software development. The questions are designed to assess knowledge in preparation for the CSSLP exam.

1 . Which access control mechanism provides the owner of an object the opportunity to determine the access control permissions for other subjects?

A. Mandatory

B. Role-based

C. Discretionary

D. Token-based

2 . The elements UDI and CDI are associated with which access control model?

A. Mandatory access control

B. Clark-Wilson model

C. Biba integrity model

D. Bell-LaPadula confidentiality model

3 . The concept of separating elements of a system to prevent inadvertent information sharing is?

A. Leverage existing components

B. Separation of duties

C. Weakest link

D. Least common mechanism

4 . Which of the following is true about the Biba integrity model?

A. No write up, no read down.

B. No read up, no write down.

C. It is described by the simple security rule.

D. It uses the high-water-mark principle.

5 . The concept of preventing a subject from denying a previous action with an object
in a system is a description of?

A. Simple security rule

B. Non-repudiation

C. Defense in depth

D. Constrained data item (CDI)

6 . What was described in the chapter as being essential in order to implement
discretionary access controls?

A. Object owner–defined security access

B. Certificates

C. Labels

D. Security classifications

7 . The CIA of security includes:

A. Confidentiality, integrity, authentication

B. Certificates, integrity, availability

C. Confidentiality, inspection, authentication

D. Confidentiality, integrity, availability

8 . Complete mediation is an approach to security that includes:

A. Protect systems and networks by using defense in depth.

B. A security design that cannot be bypassed or circumvented.

C. The use of interlocking rings of trust to ensure protection to data elements.

D. The use of access control lists to enforce security rules.

9 . The fundamental approach to security in which an object has only the necessary
rights and privileges to perform its task with no additional permissions is a description
of:

A. Layered security

B. Least privilege

C. Role-based security

D. Clark-Wilson model

10 . Which access control technique relies on a set of rules to determine whether access to an object will be granted or not?

A. Role-based access control

B. Object and rule instantiation access control

C. Rule-based access control

D. Discretionary access control

11 . The security principle that ensures that no critical function can be executed by any
single individual (by dividing the function into multiple tasks that can’t all be executed
by the same individual) is known as:

A. Discretionary access control

B. Security through obscurity

C. Separation of duties

D. Implicit deny

12 . The ability of a subject to interact with an object describes:

A. Authentication

B. Access

C. Confidentiality

D. Mutual authentication

13 . Open design places the focus of security efforts on:

A. Open-source software components

B. Hiding key elements (security through obscurity)

C. Proprietary algorithms

D. Producing a security mechanism in which its strength is independent of its design

14 . The security principle of fail-safe is related to:

A. Session management

B. Exception management

C. Least privilege

D. Single point of failure

15 . Using the principle of keeping things simple is related to:

A. Layered security

B. Simple Security Rule

C. Economy of mechanism

D. Implementing least privilege for access control

Risk Management
Questions

To further help you prepare for the CSSLP exam, and to provide you with a feel for your
level of preparedness, answer the following questions and then check your answers
against the list of correct answers found at the end of the chapter.

1 . Of the following, which is not a class of controls?

A. Physical

B. Informative

C. Technical

D. Administrative

2 . Log file analysis is a form of what type of control?

A. Preventive

B. Detective

C. Corrective

D. Compensating

3 . To calculate ALE, you need?

A. SLE, asset value

B. ARO, asset value

C. SLE, ARO

D. Asset value, exposure factor

4 . Risk that remains after the application of controls is referred to as:

A. Acceptable risk

B. Business risk

C. Systematic risk

D. Residual risk

5 . Calculate ALE for asset value = $1000, exposure factor = .75, ARO = 2.

A. $1500

B. $15,000

C. $375

D. Cannot be determined without additional information

6 . Single loss expectancy (SLE) can best be defined by which of the following equations?

A. SLE = asset value * exposure factor

B. SLE = asset value * annualized rate of occurrence (ARO)

C. SLE = annualized loss expectancy (ALE) * annualized rate of occurrence (ARO)

D. SLE = annualized loss expectancy (ALE) * exposure factor

7 . Which of the following describes qualitative risk management?

A. The process of using equations to determine impacts of risks to an enterprise

B. The use of experience and knowledge in the determination of single loss expectancies

C. The process of objectively determining the impact of an event that affects a project, program, or business

D. The process of subjectively determining the impact of an event that affects a project, program, or business

8 . Risk is defined as:

A. Any characteristic of an asset that can be exploited by a threat to cause harm

B. Any circumstance or event with the potential to cause harm to an asset

C. The overall decision-making process of identifying threats and vulnerabilities and their potential impacts

D. The possibility of suffering a loss

9 . A measure of the magnitude of loss of an asset is:

A. Impact level

B. Exposure factor

C. Residual risk

D. Loss factor

10 . A well-formed risk statement includes all except:

A. Asset

B. Impact

C. Frequency

D. Mitigation

11 . Backups are an example of what type of control?

A. Preventive

B. Detective

C. Corrective

D. Operational

12 . Two controls, each 60 percent effective in series, are placed to mitigate risk in a
system worth $100,000. What is the value of residual risk?

A. $60,000

B. $36,000

C. $40,000

D. $16,000

13 . Quantitative risk management depends upon:

A. Expert judgment and experience

B. Historical loss data

C. Impact factor definition

D. Exposure ratio

14 . The following are all examples of technological risk except:

A. Regulatory

B. Security

C. Change management

D. Privacy

15 . Which of the following is measured in dollars?

A. Exposure factor

B. SLE

C. ARO

D. Impact factor

Security Policies and Regulations

1 . The primary governing law for federal computer systems is:

A. NIST

B. Sarbanes-Oxley

C. FISMA

D. Gramm-Leach-Bliley

2 . Which of the following is a security standard associated with the collection, processing, and storing of credit card data?

A. Gramm-Leach-Bliley

B. PCI DSS

C. HIPAA

D. HITECH

3 . To protect a novel or nonobvious tangible item that will be sold to the public, one
can use which of the following?

A. Patent

B. Trademark

C. Trade secret

D. Licensing

4 . The organization responsible for the Top Ten list of web application vulnerabilities
is:

A. DHS

B. OCTAVE

C. Microsoft

D. OWASP

5 . When using customer data as test data for production testing, what process is
used to ensure privacy?

A. Data anonymization

B. Delinking

C. Safe Harbor principles

D. Data disambiguation

6 . Which of the following is not a common PII element?

A. Full name

B. Order number

C. IP address

D. Date of birth

7 . Which of the following is an important element in preventing data breach when backup tapes are lost in transit?

A. Service level agreements with a backup storage company

B. Use of split tapes to separate records

C. Proprietary backup systems

D. Data encryption

8 . To interface data sharing between U.S. and European firms, one would invoke:

A. Safe Harbor principles

B. Data anonymization

C. Onward transfer protocol

D. Data protection regulation

9 . Which standard is characterized by Target of Evaluation and Security Targets?

A. ISO 9126 Software Quality Assurance

B. ISO 15288 Systems and Software Engineering

C. ISO 2700X series

D. ISO 15408 Common Criteria

10 . Which of the following are mandatory for use in federal systems?

A. NIST SP 800 series

B. FIPS

C. NISTIRs

D. ITL security bulletins

11 . Which of the following is not a framework to improve IT operations?

A. ITIL

B. COBIT

C. COSO

D. OWASP

12 . The third level of the CMMI model is called:

A. Quantified

B. Managed

C. Defined

D. Optimizing

13 . Reference monitors must possess all of the following properties except:

A. Efficient

B. Complete mediation

C. Tamper-proof

D. Verifiable

14 . HIPAA and HITECH specify protection of which of the following?

A. PHI

B. PII

C. CMMI

D. PFI

15 . Safe Harbor principles include:

A. Notice, choice, security

B. Nonrepudiation, notice, integrity

C. Enforcement, onward transfer, verifiable

D. Impact factor, security, access

Software Development Methodologies

1 . Creating a secure development lifecycle involves:

A. Adding security features to the software

B. Including threat modeling

C. Training coders to find and remove security errors

D. Modifying the development process, not the software product

2 . A software product that has security but lacks quality can result in:

A. Exploitable vulnerabilities

B. Undocumented features that result in undesired behaviors

C. Poor maintainability

D. Missing security elements

3 . Which of the following is not an attribute of an SDL process?

A. Fuzz testing

B. Bug bars

C. Authentication

D. Developer security awareness

4 . Periodic reviews to ensure that security issues are addressed as part of the
development process are called:

A. Security gates

B. Security checklist

C. Threat model

D. Attack surface area analysis

5 . The term DREAD stands for:

A. Damage potential, Recoverability, Exploitability, Asset affected, and Discoverability

B. Damage potential, Reproducibility, Exploitability, Affected user base, and Discoverability

C. Damage potential, Reproducibility, External vulnerability, asset Affected, and Discoverability

D. Design issue, Reproducibility, Exploitability, Asset affected, and Discoverability

6 . The term STRIDE stands for:

A. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege

B. Spoofing, Tampering, Reproducibility, Information disclosure, Denial of service, and Elevation of privilege

C. Spoofing, Tampering, Reproducibility, Information disclosure, Discoverability, and Elevation of privilege

D. Spoofing, Tampering, Repudiation, Information disclosure, Discoverability, and Elevation of privilege

7 . Which of the following describes the purpose of threat modeling?

A. Enumerate threats to the software

B. Define the correct and secure data flows in a program

C. Communicate testing requirements to the test team

D. Communicate threat and mitigation information across the development team

8 . A tool to examine the vulnerability of input interfaces is:

A. Threat model

B. Bug bar

C. Attack surface analysis

D. Fuzz testing framework

9 . A linear model for software development is the:

A. Scrum model

B. Spiral model

C. Waterfall model

D. Agile model

10 . User stories convey high-level user requirements in the:

A. XP model

B. Prototyping model

C. Spiral model

D. Waterfall model

11 . Bug bars are used to:

A. Track bugs

B. Score bugs

C. Manage bugs

D. Attribute bugs to developers

12 . The Microsoft SD3+C model is:

A. Design, Default, Directive, and Concise

B. Design, Development, Deployment, and Communications

C. Design, Deployment, Directive, and Concise

D. Design, Default, Deployment, and Communications

13 . What is used to ensure that all security activities are being correctly carried out as
part of the development process?

A. Project manager judgment

B. Security leads

C. Security engineers

D. Security reviews

14 . The objectives of an SDL are to achieve all of the following except:

A. Reduce the number of security vulnerabilities in software

B. Reduce the severity of security vulnerabilities in software

C. Eliminate threats to the software

D. Document a complete understanding of the vulnerabilities in software

15 . Which is the most common security vulnerability mitigation methodology used in design?

A. Defense in depth

B. Separation of duties

C. Least privilege

D. Auditability

Policy Decomposition

1 . When policies decompose into audit risk requirements, the following are the three types of audit-related risks:

A. Requirements risk, development risk, testing risk

B. Tangible risk, intangible risk, residual risk

C. Inherent risk, control risk, detection risk

D. Confidentiality risk, integrity risk, availability risk

2 . To what set of requirements can issues involving protecting data from unauthorized disclosure be decomposed?

A. Authorization

B. Authentication

C. Integrity

D. Confidentiality

3 . Issues related to denying illegitimate access into systems map to what kind of
security requirements?

A. Authorization

B. Availability

C. Integrity

D. Confidentiality

4 . The process by which a user enters some token to demonstrate to the system that
they are the user they purport to be is:

A. Identification

B. Authorization

C. Authentication

D. Auditing

5 . Restricting access to objects based on the identity of a subject or the groups to which they belong is an example of which of the following?

A. Discretionary access control

B. Mandatory access control

C. Rule-based access control

D. Authentication

6 . What was described in the chapter as being essential in order to implement discretionary access control?

A. Object owner–defined security access

B. Certificates

C. Labels

D. Security classifications

7 . The CIA of security includes:

A. Confidentiality, integrity, authentication

B. Certificates, integrity, availability

C. Confidentiality, inspection, authentication

D. Confidentiality, integrity, availability

8 . A security policy that is associated with securing PII is an example of what type of
computer security policy?

A. System-specific policy

B. Program policy

C. Organizational policy

D. Issue-specific policy

9 . When an audit fails to find a specific risk during an examination of a system, this is
an example of what type of risk?

A. Detection risk

B. Audit risk

C. Inherent risk

D. Control risk

10 . Which access control technique discussed relies on a set of rules to determine whether access to an object will be granted or not?

A. Role-based access control

B. Object and rule instantiation access control

C. Rule-based access control

D. Discretionary access control

11 . When both parties authenticate each other, this is defined as:

A. Mandatory access control

B. Dual authentication

C. Separation of duties

D. Mutual authentication

12 . The ability of a subject to interact with an object describes:

A. Authentication

B. Activity

C. Confidentiality

D. Mutual authentication

13 . Which of the following is not an example of something that can be used as a shared secret?

A. Something you know

B. Something you have

C. Something you are

D. Something you want

14 . An example of a policy element that is related to integrity is:

A. Record error detection and correction

B. Ensure systems are available for authorized users

C. Who is authorized to see what specific data elements

D. Control risk

15 . Ensuring that the software security requirements address the legal and regulatory
policy issues is an example of:

A. System-based security policy

B. Risk mitigation

C. Internal requirements

D. External requirements

Data Classification and Categorization

1 . The party that determines which users or groups should have access to specific data elements is:

A. Data custodian

B. Data manager

C. System administrator

D. Data owner

2 . HR and payroll data should be classified by which methodology?

A. Utility

B. Impact

C. Structured

D. Sensitivity

3 . Which of the following would not be considered structured data?

A. Excel spreadsheet of parts prices

B. Oracle database of customer orders

C. XML file of parts and descriptions

D. Log file of VPN failures

4 . Which of the following is not a stage of the data lifecycle?

A. Retention

B. Disposal

C. Sharing

D. Generation

5 . The party responsible for defining data classification is:

A. Data custodian

B. Senior manager (CIO)

C. Security management

D. Data owner

6 . To match the level of protection desired for data, which of the following elements
is used?

A. Data classification

B. Impact analysis

C. Data usage

D. Security rules

7 . Which of the following is not a type of data in a system?

A. Security sensitive

B. PII

C. Hidden

D. Encrypted

8 . When deleting data at the end of its life, consideration should be given to copies.
Which of the following copies is not necessary to specifically manage?

A. Shadow copies

B. Backups

C. DR sites (hot sites)

D. Data warehouse history

9 . Managing authorized users and access controls for data is a responsibility of:

A. Security analyst/technician

B. Data owner

C. System administrator

D. Data custodian

10 . The standard categories of risk associated with impact analysis include:

A. Financial impact, people impact, security impact

B. Time impact, people impact, financial impact

C. Financial impact, people impact, customer impact

D. Time impact, customer impact, people impact

11 . Data retention is primarily driven by what?

A. Business requirements

B. Security requirements

C. Storage space requirements

D. Government regulation

12 . If the loss of confidentiality of a data element would have no effect on the enterprise, this data element would be in which risk category?

A. High

B. Low

C. Safe

D. Moderate or medium

13 . Retention requirements for data in a system are determined by:

A. Business requirements

B. Storage space

C. Data sensitivity

D. Data impact

14 . Data classification is performed at which stage of the lifecycle model?

A. Data retention

B. Disposal

C. Generation

D. Data reduction

15 . The party responsible for performing operational tasks associated with data
retention and disposal is:

A. Backup operator

B. Data owner

C. Data custodian

D. Security personnel
