SSCP Free Practice Test

- (Topic 5)
Which of the following statements pertaining to message digests is incorrect?

1. A. The original file cannot be created from the message digest.
2. B. Two different files should not have the same message digest.
3. C. The message digest should be calculated using at least 128 bytes of the file.
4. D. Messages digests are usually of fixed size.

Correct Answer: C
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 160).

- (Topic 4)
Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?

1. A. Calculate the risk for each different business function.
2. B. Identify the company??s critical business functions.
3. C. Calculate how long these functions can survive without these resources.
4. D. Develop a mission statement.

Correct Answer: D
The Business Impact Analysis is critical for the development of a business continuity plan (BCP). It identifies risks, critical processes and resources needed in case of recovery and quantifies the impact a disaster will have upon the organization. The development of a mission statement is normally performed before the BIA.
A BIA (business impact analysis ) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions ; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function??s criticality level.
BIA Steps
The more detailed and granular steps of a BIA are outlined here:
1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company??s critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 21076). Auerbach Publications. Kindle Edition. and
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 905-910). McGraw-Hill. Kindle Edition.

- (Topic 4)
Business Continuity and Disaster Recovery Planning (Primarily) addresses the:

1. A. Availability of the CIA triad
2. B. Confidentiality of the CIA triad
3. C. Integrity of the CIA triad
4. D. Availability, Confidentiality and Integrity of the CIA triad

Correct Answer: A
The Information Technology (IT) department plays a very important role in identifying and protecting the company's internal and external information dependencies. Also, the information technology elements of the BCP should address several vital issue, including:
Ensuring that the company employs sufficient physical security mechanisms to preserve vital network and hardware components. including file and print servers.
Ensuring that the organization uses sufficient logical security methodologies (authentication, authorization, etc.) for sensitive data.
Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 279.

- (Topic 4)
Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?

1. A. A threat
2. B. A vulnerability
3. C. A risk
4. D. An exposure

Correct Answer: B
It is a software , hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software etc.
The following answers are incorrect because:
Threat: A threat is defined as a potential danger to information or systems. The threat is someone or something will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a 'Threat Agent'. A threat agent could be an intruder accessing the network through a port on the firewall , a process accessing data that violates the security policy.
Risk:A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open , there is a higher likelihood that an intruder will use one to access the network in an unauthorized method.
Exposure: An exposure is an instance of being exposed to losses from a threat agent. REFERENCES:
SHON HARRIS , ALL IN ONE THIRD EDITION : Chapter 3 : Security Management
Practices , Pages: 57-59

- (Topic 2)
Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following?

1. A. integrity
2. B. confidentiality
3. C. availability
4. D. identity

Correct Answer: A
Integrity is the guarantee that the message sent is the message received, and that the message was not intentionally or unintentionally altered.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 60.