SSCP Dumps Questions With Valid Answers

 Access Control Matrix model
l

An access control matrix is a table of subjects and objects indicating what
actions individual subjects can take upon individual objects. Matrices are data structures
that programmers implement as table lookups that will be used and enforced by the
operating system.
This type of access control is usually an attribute of DAC models. The access rights can be
assigned directly to the subjects (capabilities) or to the objects (ACLs).
Capability Table
A capability table specifies the access rights a certain subject possesses pertaining to
specific objects. A capability table is different from an ACL because the subject is bound to
the capability table, whereas the object is bound to the ACL.
Access control lists (ACLs)A ACLs are used in several operating systems, applications, and router configurations. They
are lists of subjects that are authorized to access a specific object, and they define what
level of authorization is granted. Authorization can be specific to an individual, group, or
role. ACLs map values from the access control matrix to the object.
Whereas a capability corresponds to a row in the access control matrix, the ACL
corresponds to a column of the matrix.
NOTE: Ensure you are familiar with the terms Capability and ACLs for the purpose of the
exam.
Resource(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
5264-5267). McGraw-Hill. Kindle Edition.
or
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Page 229 and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 1923-1925). Auerbach Publications. Kindle
Edition.

Corrective control

Business Continuity Plans are designed to minimize the damage done by the
event, and facilitate rapid restoration of the organization to its full operational capacity.
They are for use "after the fact", thus are examples of corrective controls.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity
Planning and Disaster Recovery Planning (page 273).
and
Conrad, Eric; Misenar, Seth; Feldman, Joshua (2012-09-01). CISSP Study Guide (Kindle
Location 8069). Elsevier Science (reference). Kindle Edition.
and

 C2

C2 is labeled Controlled Access Protection.
The TCSEC defines four divisions: D, C, B and A where division A has the highest security.
Each division represents a significant difference in the trust an individual or organization
can place on the evaluated system. Additionally divisions C, B and A are broken into a
series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the
immediately prior division or class.
D — Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the
requirements for a higher division
C — Discretionary protection
C1 —Discretionary Security Protection                                                                                                                   Identification and authentication
Separation of users and data
Discretionary Access Control (DAC) capable of enforcing access limitations on an
individual basis
Required System Documentation and user manuals
C2 — Controlled Access Protection
More finely grained DAC
Individual accountability through login procedures
Audit trails
Object reuse
Resource isolation
B — Mandatory protection B1 — Labeled Security Protection
Informal statement of the security policy model
Data sensitivity labels
Mandatory Access Control (MAC) over selected subjects and objects
Label exportation capabilities
All discovered flaws must be removed or otherwise mitigated
Design specifications and verification
B2 — Structured Protection
Security policy model clearly defined and formally documented
DAC and MAC enforcement extended to all subjects and objects
Covert storage channels are analyzed for occurrence and bandwidth
Carefully structured into protection-critical and non-protection-critical elements
Design and implementation enable more comprehensive testing and review
Authentication mechanisms are strengthened
Trusted facility management is provided with administrator and operator segregation
Strict configuration management controls are imposed
B3 — Security Domains
Satisfies reference monitor requirements
Structured to exclude code not essential to security policy enforcement
Significant system engineering directed toward minimizing complexity
Security administrator role defined
Audit security-relevant events
Automated imminent intrusion detection, notification, and response
Trusted system recovery procedures
Covert timing channels are analyzed for occurrence and bandwidth
An example of such a system is the XTS-300, a precursor to the XTS-400 A — Verified protection
A1 — Verified Design
Functionally identical to B3
Formal design and verification techniques including a formal top-level specification
Formal management and distribution procedures
An example of such a system is Honeywell's Secure Communications Processor SCOMP,
a precursor to the XTS-400
Beyond A1
System Architecture demonstrates that the requirements of self-protection and
completeness for reference monitors have been implemented in the Trusted Computing
Base (TCB).
Security Testing automatically generates test-case from the formal top-level specification or
formal lower-level specifications.
Formal Specification and Verification is where the TCB is verified down to the source code
level, using formal verification methods where feasible.
Trusted Design Environment is where the TCB is designed in a trusted facility with only   trusted (cleared) personnel.
The following are incorrect answers:
C1 is Discretionary security
C3 does not exists, it is only a detractor
B1 is called Labeled Security Protection.
Reference(s) used for this question:
HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april
1999.
and AIOv4 Security Architecture and Design (pages 357 - 361)
AIOv5 Security Architecture and Design (pages 358 - 362)

Transmission control protocol (TCP)

TCP provides a full-duplex, connection-oriented, reliable, virtual circuit. It
handles the sequencing and retransmission of lost packets.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3:
Telecommunications and Network Security (page 85).

Architecture Specific.

JAVA was developed so that the same program could be executed on
multiple hardware and operating system platforms, it is not Architecture Specific.
The following answers are incorrect:
Object-oriented. Is not correct because JAVA is object-oriented. It should use the objectoriented
programming methodology.
Distributed. Is incorrect because JAVA was developed to be able to be distrubuted, run on
multiple computer systems over a network. Multithreaded. Is incorrect because JAVA is multi-threaded that is calls to subroutines as is
the case with object-oriented programming.
A virus is a program that can replicate itself on a system but not necessarily spread itself by
network connections.