Free SSCP Exam Braindumps


Page 4 of 215
QUESTION 11

- (Topic 2)
What is the main purpose of Corporate Security Policy?

  1. A. To transfer the responsibility for the information security to all users of the organization
  2. B. To communicate management's intentions in regards to information security
  3. C. To provide detailed steps for performing specific actions
  4. D. To provide a common framework for all development activities

Correct Answer: B
A Corporate Security Policy is a high-level document that states management's intentions in regard to information security within the organization. Because it is high level in purpose, it does not give details about the specific products that would be used, specific steps, etc.
The organization's requirements for access control should be defined and documented in its security policies. Access rules and rights for each user or group of users should be clearly stated in an access policy statement. The access control policy should, at a minimum, consider:
• Statements of general security principles and their applicability to the organization
• Security requirements of individual enterprise applications, systems, and services
• Consistency between the access control and information classification policies of different systems and networks
• Contractual obligations or regulatory compliance regarding protection of assets
• Standards defining user access profiles for organizational roles
• Details regarding the management of the access control system
As a Certified Information System Security Professional (CISSP) you would be involved directly in the drafting and coordination of security policies, standards and supporting guidelines, procedures, and baselines.
Guidance provided by the CISSP for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed by the CISSP as well.
The following are incorrect answers:
To transfer the responsibility for the information security to all users of the organization is bogus. You CANNOT transfer responsibility; you can only transfer authority. Responsibility always remains with upper management. The keywords ALL and USERS are also an indication that it is the wrong choice.
To provide detailed steps for performing specific actions is also a bogus distractor. A step-by-step document is referred to as a procedure. It details how to accomplish a specific task.
To provide a common framework for all development activities is also an invalid choice. Security policies are not restricted only to development activities.
Reference used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.

QUESTION 12

- (Topic 1)
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except:

  1. A. Inspection
  2. B. History of losses
  3. C. Security controls
  4. D. security budget

Correct Answer: D
Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni.

QUESTION 13

- (Topic 6)
Which of the following statements pertaining to PPTP (Point-to-Point Tunneling Protocol) is incorrect?

  1. A. PPTP allow the tunnelling of any protocols that can be carried within PPP.
  2. B. PPTP does not provide strong encryption.
  3. C. PPTP does not support any token-based authentication method for users.
  4. D. PPTP is derived from L2TP.

Correct Answer: D
PPTP is an encapsulation protocol based on PPP that works at OSI layer 2 (Data Link) and that enables a single point-to-point connection, usually between a client and a server. PPTP depends on IP to establish its connection.
As currently implemented, PPTP encapsulates PPP packets using a modified version of the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as IPX and NetBEUI, over IP networks.
PPTP does have some limitations:
It does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users.
L2TP is derived from L2F and PPTP, not the opposite.

QUESTION 14

- (Topic 4)
Under the Business Exemption Rule to the hearsay evidence, which of the following exceptions would have no bearing on the inadmissibility of audit logs and audit trails in a court of law?

  1. A. Records are collected during the regular conduct of business.
  2. B. Records are collected by senior or executive management.
  3. C. Records are collected at or near the time of occurrence of the act being investigated to generate automated reports.
  4. D. You can prove no one could have changed the records/data/logs that were collected.

Correct Answer: B
Hearsay evidence is not normally admissible in court unless it is supported by firsthand evidence that can be used to prove the evidence's accuracy, trustworthiness, and reliability, such as the testimony of the business person who generated the computer logs and collected them.
It is important that this person generates and collects logs as a normal part of his business and not just this one time for court. It has to be a documented process that is carried out daily.
The value of evidence depends upon the genuineness and competence of the source; therefore, since record collection is not an activity likely to be performed by senior or executive management, records collected by senior or executive management are not likely to be admissible in court.
Hearsay evidence is usually not admissible in court unless it meets the Business Records Exemption rule to the hearsay rule. The conditions are:
• In certain instances computer records fall outside of the hearsay rule (e.g., business records exemption)
• Information relates to regular business activities
• Automatically computer generated data
• No human intervention
• Prove system was operating correctly
• Prove no one changed the data
If you have a documented business process and you make use of intrusion detection tools and log analysis tools, and you produce daily reports of activities, then the computer-generated data might be admissible in court and would not be considered hearsay evidence.
Reference(s) used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 10: Law, Investigation, and Ethics (page 676).

QUESTION 15

- (Topic 2)
As per the Orange Book, what are two types of system assurance?

  1. A. Operational Assurance and Architectural Assurance.
  2. B. Design Assurance and Implementation Assurance.
  3. C. Architectural Assurance and Implementation Assurance.
  4. D. Operational Assurance and Life-Cycle Assurance.

Correct Answer: D
Operational Assurance and Life-Cycle Assurance are the two types of assurance mentioned in the Orange Book. The following answers are incorrect:
Operational Assurance and Architectural Assurance is incorrect because Architectural Assurance is not a type of assurance mentioned in the Orange Book.
Design Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.
Architectural Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.
