
SSCP Dumps Questions With Valid Answers


DumpsPDF.com is a leader in providing the latest, up-to-date real SSCP dumps questions and answers as a PDF and an online test engine.


  • Total Questions: 1074
  • Last Update Date: 24-Feb-2025
  • Certification: SSCP
  • 96% Exam Success Rate
  • Verified Answers by Experts
  • 24/7 customer support
Guarantee

PDF: $20.99 (regular price $69.99, 70% discount)

Online Engine: $25.99 (regular price $85.99, 70% discount)

PDF + Engine: $30.99 (regular price $102.99, 70% discount)


Getting Ready For SSCP Exam Could Never Have Been Easier!

You are in luck, because we have a solution to make sure that passing the System Security Certified Practitioner exam does not cost you such grief. SSCP Dumps are your key to making this tiresome task a lot easier. Worried about the SSCP exam cost? Don't be, because DumpsPDF.com offers ISC Questions Answers at a reasonable price, and they come with a generous discount.

Our SSCP Test Questions are exactly like the real exam questions. You can also get the System Security Certified Practitioner test engine so that you can practice as well. The questions and answers are fully accurate. We prepare the tests according to the latest SSCP exam content. If you are unsure, you can get the free ISC dumps demo first. We believe in offering our customers materials that produce good results, and we make sure you always have a strong foundation and sound knowledge to pass the System Security Certified Practitioner exam.

Your Journey to a Successful Career Begins With DumpsPDF After Passing SSCP


The System Security Certified Practitioner exam needs a lot of practice, time, and focus. If you are up for the challenge, we are ready to help you under the supervision of experts. We have been in this industry long enough to understand just what you need to pass your SSCP exam.


SSCP Dumps PDF


You can rest easy with a confirmed opening to a better career if you have the SSCP skills. But that does not mean the journey will be easy. In fact, ISC is famous for its hard and complex SSCP certification exams; that is one of the reasons it has maintained its standing in the industry, and also the reason most candidates seek out real System Security Certified Practitioner exam dumps to help them prepare. With so many fake and forged SSCP materials online, one can easily lose hope. Before you do, buy the latest ISC SSCP dumps that Dumpspdf.com is offering. You can rely on them to pass the SSCP certification on the first attempt. Together with the latest 2020 System Security Certified Practitioner exam dumps, we offer you generous discounts and free updates for the first 3 months after your purchase. Try the free SSCP demo now and find out whether the product matches your requirements.
Sample Questions:

QUESTION 1:

What security principle is based on the division of job responsibilities - designed to prevent
fraud?

A. Mandatory Access Control
B. Separation of Duties
C. Information Systems Auditing
D. Concept of Least Privilege

Answer: B
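Separation of duties is easy to state and hard to keep true as roles accumulate. The following Python is an added example for this page (not from the source, (ISC)2 or DumpsPDF): it models roles as permission sets, defines a constructed list of "toxic" permission pairs that must never sit with one person, and provides both an access-review sweep and a pre-grant check. All role, permission and user names are assumptions chosen for illustration.

```python
"""Separation-of-duties (SoD) conflict check over a role/permission model.

Added example for this page; it is not from the source, (ISC)2 or DumpsPDF.
The roles, permissions and the toxic-combination list are constructed to
illustrate the principle; real rule sets come from the business process
owners and the auditor's control catalogue.
"""

# Constructed: pairs of actions that must never be held by one person,
# because holding both lets a single insider commit and conceal fraud.
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"write_code", "deploy_prod"}),
    frozenset({"manage_users", "review_audit_logs"}),
}

# Constructed: role -> permissions the role grants.
ROLE_PERMS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"write_code"},
    "release_eng": {"deploy_prod"},
    "it_admin": {"manage_users"},
    "auditor": {"review_audit_logs"},
    "employee": {"submit_expense"},
    "line_manager": {"approve_expense"},
}

# Constructed: current role assignments to review.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},    # can create a vendor and then pay it
    "bob": {"developer"},
    "carol": {"developer", "release_eng"},  # can ship her own unreviewed code
    "dave": {"employee", "auditor"},
}


def effective_permissions(roles, role_perms=ROLE_PERMS):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def toxic_hits(perms, toxic=TOXIC_PAIRS):
    """Sorted list of toxic pairs fully contained in a permission set."""
    return sorted(tuple(sorted(pair)) for pair in toxic if pair <= perms)


def sod_violations(user_roles, role_perms=ROLE_PERMS, toxic=TOXIC_PAIRS):
    """Map each user holding both halves of a toxic pair to the pairs held.

    Run this as a periodic access review: every entry is either a documented
    policy exception with a compensating control, or a grant to remove.
    """
    findings = {}
    for user, roles in user_roles.items():
        hits = toxic_hits(effective_permissions(roles, role_perms), toxic)
        if hits:
            findings[user] = hits
    return findings


def would_violate(current_roles, new_role, role_perms=ROLE_PERMS, toxic=TOXIC_PAIRS):
    """Pre-grant check: the toxic pairs that granting new_role would complete.

    Blocking the conflict at provisioning time is cheaper than finding it in
    an audit months later.
    """
    before = toxic_hits(effective_permissions(current_roles, role_perms), toxic)
    after = toxic_hits(effective_permissions(set(current_roles) | {new_role}, role_perms), toxic)
    return [pair for pair in after if pair not in before]


if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"{user}: holds toxic combination(s) {pairs}")
    print("granting release_eng to bob would add:",
          would_violate(USER_ROLES["bob"], "release_eng"))
```

The check works on effective permissions rather than role names, so a conflict hidden by nesting one role inside another is still caught; in a real IAM system, feed it the expanded entitlements, not the group list.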

QUESTION 2:


________ is the authoritative entity that lists port assignments.

A. IANA
B. ISSA
C. Network Solutions
D. Register.com
E. InterNIC

Answer: A

QUESTION 3:


Cable modems are less secure than DSL connections because cable modems are shared
with other subscribers?

A. True
B. False

Answer: B

QUESTION 4:


________ is a file system that was poorly designed and has numerous security flaws.

A. NTS
B. RPC
C. TCP
D. NFS
E. None of the above

Answer: D

QUESTION 5:


Trend Analysis involves analyzing historical ________ files in order to look for patterns
of abuse or misuse.

Answer: Log files
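The question names the data source but not the method. The Python below is an added example for this page (not from the source or (ISC)2 material) showing one concrete form of trend analysis over log files: parse failed-login lines, bucket them per source and hour, and flag an hour whose count is several times that source's own earlier median. The log lines are constructed in an OpenSSH-like format, and the `factor` and `min_count` thresholds are assumptions to tune against a real baseline.

```python
"""Trend analysis over historical authentication log files.

Added example for this page; it is not from the source or (ISC)2 material.
The log lines are constructed in an OpenSSH-like format and the thresholds
(factor, min_count) are assumptions to tune against your own baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Matches constructed lines such as:
# 2025-02-24T08:12:01 host1 sshd[2210]: Failed password for invalid user admin from 10.0.0.5 port 5141 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def _line(ts, user, src, pid=2210):
    """Build one constructed failed-login line."""
    return f"{ts} host1 sshd[{pid}]: Failed password for invalid user {user} from {src} port 5141 ssh2"


# Constructed history: one failure an hour from 10.0.0.5 for three hours
# (the baseline), then a burst of twelve in the 11:00 hour. 192.0.2.7 makes
# two failures in that hour, which is noise, not a trend. One unrelated
# successful login is included to show that non-matching lines are ignored.
SAMPLE_LOG = (
    [_line("2025-02-24T08:12:01", "admin", "10.0.0.5"),
     _line("2025-02-24T09:05:44", "root", "10.0.0.5"),
     _line("2025-02-24T10:40:19", "admin", "10.0.0.5")]
    + [_line(f"2025-02-24T11:{m:02d}:00", "admin", "10.0.0.5") for m in range(0, 60, 5)]
    + [_line("2025-02-24T11:03:30", "test", "192.0.2.7"),
       _line("2025-02-24T11:17:02", "oracle", "192.0.2.7"),
       "2025-02-24T11:20:00 host1 sshd[2212]: Accepted publickey for deploy from 10.0.0.9 port 5200 ssh2"]
)


def parse_failures(lines):
    """Extract (timestamp, source, user) from failed-login lines; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    return events


def hourly_counts(events):
    """source -> Counter{hour bucket: number of failures}."""
    counts = defaultdict(Counter)
    for ts, src, _ in events:
        counts[src][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def trend_outliers(events, factor=3.0, min_count=5):
    """Flag (src, hour, count, baseline) where a source's failures in an hour
    exceed factor x the median of its earlier hours (quiet hours count as 0).

    The baseline is per source and built only from hours before the one
    being judged, so an attacker's own burst cannot raise its threshold.
    min_count stops a single hit against a zero baseline from alerting.
    """
    counts = hourly_counts(events)
    if not counts:
        return []
    first = min(min(c) for c in counts.values())
    last = max(max(c) for c in counts.values())
    hours = []
    h = first
    while h <= last:
        hours.append(h)
        h += timedelta(hours=1)
    flagged = []
    for src, per_hour in counts.items():
        for i, h in enumerate(hours):
            n = per_hour.get(h, 0)
            history = [per_hour.get(x, 0) for x in hours[:i]]
            baseline = median(history) if history else 0
            if n >= min_count and n > factor * max(baseline, 1):
                flagged.append((src, h.isoformat(), n, baseline))
    return flagged


if __name__ == "__main__":
    for src, hour, n, baseline in trend_outliers(parse_failures(SAMPLE_LOG)):
        print(f"{src}: {n} failures in hour {hour} (baseline {baseline})")
```

A median rather than a mean keeps one earlier spike from inflating the baseline; for production use, widen the history window to days and add the same bucketing per target account, since a low-and-slow password spray spreads across many sources but concentrates on few users.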

SSCP Exam Dumps


1. Why Choose Us (3200 Exam Dumps)

You can buy our SSCP braindumps PDF or online test engine with full confidence, because we provide you with updated ISC practice test files. You are going to get good grades in the exam with our real SSCP exam dumps. Our experts have re-verified the answers to all System Security Certified Practitioner questions, so there is very little chance of any mistake.

2. Exam Passing Assurance (26500 Success Stories)

We provide updated SSCP exam questions and answers, so you can prepare from this file and be confident in your real ISC exam. We keep updating our System Security Certified Practitioner dumps as the exam changes. Once you purchase, you get 3 months of free SSCP updates and can prepare well.

3. Tested and Approved (90 Days Free Updates)

We provide valid and updated ISC SSCP dumps. These questions-and-answers PDFs are created by SSCP certified professionals and rechecked for verification, so there is no chance of any mistake. Just get these ISC dumps and pass your System Security Certified Practitioner exam. Chat with a live support person to learn more.

ISC SSCP Exam Sample Questions


Question # 1

Which of the following is a token-passing scheme like token ring that also has a second
ring that remains dormant until an error condition is detected on the primary ring?

A. Fiber Distributed Data Interface (FDDI)
B. Ethernet
C. Fast Ethernet
D. Broadband

Answer: A. Fiber Distributed Data Interface (FDDI)

Explanation:
FDDI is a token-passing ring scheme like token ring, yet it also has a second ring that remains dormant until an error condition is detected on the primary ring. Fiber Distributed Data Interface (FDDI) provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to 200 kilometers (124 miles). Although the FDDI logical topology is a ring-based token network, it does not use the IEEE 802.5 token ring protocol as its basis; instead, its protocol is derived from the IEEE 802.4 token bus timed-token protocol. In addition to covering large geographical areas, FDDI local area networks can support thousands of users. As the standard underlying medium it uses optical fiber, although it can use copper cable, in which case it may be referred to as CDDI (Copper Distributed Data Interface). FDDI offers both a Dual-Attached Station (DAS), counter-rotating token ring topology and a Single-Attached Station (SAS), token bus passing ring topology.

Ethernet is a family of frame-based computer networking technologies for local area networks (LANs). The name came from the physical concept of the ether. It defines a number of wiring and signaling standards for the Physical Layer of the OSI networking model as well as a common addressing format and Media Access Control at the Data Link Layer.

In computer networking, Fast Ethernet is a collective term for a number of Ethernet standards that carry traffic at the nominal rate of 100 Mbit/s, against the original Ethernet speed of 10 Mbit/s. Of the Fast Ethernet standards, 100BASE-TX is by far the most common and is supported by the vast majority of Ethernet hardware currently produced. Fast Ethernet was introduced in 1995 and remained the fastest version of Ethernet for three years before being superseded by gigabit Ethernet.

Broadband in data can refer to broadband networks or broadband Internet and may have the same meaning as above, so that data transmission over a fiber optic cable would be referred to as broadband as compared to a telephone modem operating at 56,000 bits per second. However, a worldwide standard for what level of bandwidth and network speed actually constitutes broadband has not been determined. Broadband in data communications is frequently used in a more technical sense to refer to data transmission where multiple pieces of data are sent simultaneously to increase the effective rate of transmission, regardless of data signaling rate. In network engineering this term is used for methods where two or more signals share a medium. Broadband Internet access, often shortened to just broadband, is high data rate Internet access, typically contrasted with dial-up access using a 56k modem. Dial-up modems are limited to a bitrate of less than 56 kbit/s (kilobits per second) and require the full use of a telephone line, whereas broadband technologies supply more than double this rate and generally without disrupting telephone use.

Source:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72.
also see:
http://en.wikipedia.org/





Question # 2

For which areas of the enterprise are business continuity plans required?

A. All areas of the enterprise.
B. The financial and information processing areas of the enterprise.
C. The operating areas of the enterprise.
D. The marketing, finance, and information processing areas.

Answer: A. All areas of the enterprise.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.





Question # 3

Which of the following would be best suited to oversee the development of an information
security policy?

A. System Administrators
B. End User
C. Security Officers
D. Security administrators

Answer: C. Security Officers

Explanation:
The security officer would be the best person to oversee the development of such policies.

Security officers and their teams have typically been charged with the responsibility of creating the security policies. The policies must be written and communicated appropriately to ensure that they can be understood by the end users. Policies that are poorly written, or written at too high an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), will not be understood. Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue.

While security officers may be responsible for the development of the security policies, the effort should be collaborative to ensure that the business issues are addressed. The security officers will get better corporate support by including other areas in policy development. This helps build buy-in by these areas as they take on a greater ownership of the final product. Consider including areas such as HR, legal, compliance, various IT areas and specific business area representatives who represent critical business units. When policies are developed solely within the IT department and then distributed without business input, they are likely to miss important business considerations.

Once policy documents have been created, the basis for ensuring compliance is established. Depending on the organization, additional documentation may be necessary to support policy. This support may come in the form of additional controls described in standards, baselines, or procedures to help personnel with compliance. An important step after documentation is to make the most current version of the documents readily accessible to those who are expected to follow them. Many organizations place the documents on their intranets or in shared file folders to facilitate their accessibility. Such placement of these documents plus checklists, forms, and sample documents can make awareness more effective.

For your exam you should know the information below:

End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.

Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.

Information Systems Security Professional - Drafting of security policies, standards and supporting guidelines, procedures, and baselines is coordinated through these individuals. Guidance is provided for technical security issues, and emerging threats are considered for the adoption of new policies. Activities such as interpretation of government regulations and industry trends and analysis of vendor solutions to include in the security architecture that advances the security of the organization are performed in this role.

Data/Information/Business/System Owners - A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regard to the information that they control.

Data/Information Custodian/Steward - A data custodian is an individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed by systems administrators. This group administers access rights to the information assets.

Information Systems Auditor - IT auditors determine whether users, owners, custodians, systems, and networks are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements placed on systems. The auditors provide independent assurance to the management on the appropriateness of the security controls. The auditor examines the information systems and determines whether they are designed, configured, implemented, operated, and managed in a way ensuring that the organizational objectives are being achieved. The auditors provide top company management with an independent view of the controls and their effectiveness.

Business Continuity Planner - Business continuity planners develop contingency plans to prepare for any occurrence that could have the ability to impact the company's objectives negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in the economic/political climate, terrorist activities, fire, or other major actions potentially causing significant harm. The business continuity planner ensures that business processes can continue through the disaster and coordinates those activities with the business areas and information technology personnel responsible for disaster recovery.

Information Systems/Technology Professionals - These personnel are responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed-upon operating policies and procedures. The information systems professionals work with the business owners and the security professionals to ensure that the designed solution provides security controls commensurate with the acceptable criticality, sensitivity, and availability requirements of the application.

Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

Network/Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off-the-shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

Physical Security - The individuals assigned to the physical security role establish relationships with external law enforcement, such as the local police agencies, state police, or the Federal Bureau of Investigation (FBI), to assist in investigations. Physical security personnel manage the installation, maintenance, and ongoing operation of the closed circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader access control systems. Guards are placed where necessary as a deterrent to unauthorized access and to provide safety for the company employees. Physical security personnel interface with systems security, human resources, facilities, and legal and business areas to ensure that the practices are integrated.

Security Analyst - The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines. Whereas the previous roles are "in the weeds" and focus on pieces and parts of the security program, a security analyst helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly. This person works more at a design level than at an implementation level.

Administrative Assistants/Secretaries - This role can be very important to information security; in many companies of smaller size, this may be the individual who greets visitors, signs packages in and out, recognizes individuals who desire to enter the offices, and serves as the phone screener for executives. These individuals may be subject to social engineering attacks, whereby the potential intruder attempts to solicit confidential information that may be used for a subsequent attack. Social engineers prey on the goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the risk of divulging useful company information or of providing unauthorized entry.

Help Desk Administrator - As the name implies, the help desk is there to field questions from users that report system problems. Problems may include poor response time, potential virus infections, unauthorized access, inability to access system resources, or questions on the use of a program. The help desk is also often where the first indications of security issues and incidents will be seen. A help desk individual would contact the computer security incident response team (CIRT) when a situation meets the criteria developed by the team. The help desk resets passwords, resynchronizes/reinitializes tokens and smart cards, and resolves other problems with access control.

Supervisor - The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security; making sure the employees' account information is up to date; and informing the security administrator when an employee is fired, suspended, or transferred. Any change that pertains to an employee's role within the company usually affects what access rights they should and should not have, so the user manager must inform the security administrator of these changes immediately.

Change Control Analyst - Since the only thing that is constant is change, someone must make sure changes happen securely. The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerabilities, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity. Or, a company can choose to just roll out the change and see what happens.

The following answers are incorrect:

Systems Administrator - A systems administrator (sysadmin/netadmin) configures network and server hardware and the operating systems to ensure that the information can be available and accessible. The administrator maintains the computing infrastructure using tools and utilities such as patch management and software distribution mechanisms to install updates and test patches on organization computers. The administrator tests and implements system upgrades to ensure the continued reliability of the servers and network devices. The administrator provides vulnerability management through either commercial off-the-shelf (COTS) and/or non-COTS solutions to test the computing environment and mitigate vulnerabilities appropriately.

End User - The end user is responsible for protecting information assets on a daily basis through adherence to the security policies that have been communicated.

Security Administrator - A security administrator manages the user access request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. This individual has elevated privileges and creates and deletes accounts and access permissions. The security administrator also terminates access privileges when individuals leave their jobs or transfer between company divisions. The security administrator maintains records of access request approvals and produces reports of access rights for the auditor during testing in an access controls audit to demonstrate compliance with the policies.

The following reference(s) were used to create this question:
CISA Review Manual 2014, page 109
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill. Kindle Edition.





Question # 4

A deviation from an organization-wide security policy requires which of the following?

A. Risk Acceptance
B. Risk Assignment
C. Risk Reduction
D. Risk Containment

Answer: A. Risk Acceptance

Explanation:
A deviation from an organization-wide security policy requires you to manage the risk. If you deviate from the security policy, then you are required to accept the risks that might occur.

In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

The OIG defines Risk Management as: This term characterizes the overall process. The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk. The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.

Risk management is a continuous process of ever-increasing complexity. It is how we evaluate the impact of exposures and respond to them. Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.

Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.

The 4 ways of dealing with risks are: Avoidance, Transfer, Mitigation, Acceptance.

The following answers are incorrect:

Risk assignment is incorrect because it is a distractor; assignment is not one of the ways to manage risk.

Risk reduction is incorrect because there was a deviation from the security policy. You could have some additional exposure by the fact that you deviated from the policy.

Risk containment is incorrect because it is a distractor; containment is not one of the ways to manage risk.

Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 8882-8886). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10206-10208). Auerbach Publications. Kindle Edition.





Question # 5

Which of the following can best define the "revocation request grace period"?

A. The period of time allotted within which the user must make a revocation request upon a revocation reason
B. Minimum response time for performing a revocation by the CA
C. Maximum response time for performing a revocation by the CA
D. Time period between the arrival of a revocation request and the publication of the revocation information

Answer: D. Time period between the arrival of a revocation request and the publication of the revocation information

Explanation:
The length of time between the Issuer's receipt of a revocation request and the time the Issuer is required to revoke the certificate should bear a reasonable relationship to the amount of risk the participants are willing to assume that someone may rely on a certificate for which a proper revocation request has been given but has not yet been acted upon.

How quickly revocation requests need to be processed (and CRLs or certificate status databases need to be updated) depends upon the specific application for which the Policy Authority is drafting the Certificate Policy.

A Policy Authority should recognize that there may be risk and cost tradeoffs with respect to grace periods for revocation notices. If the Policy Authority determines that its PKI participants are willing to accept a grace period of a few hours in exchange for a lower implementation cost, the Certificate Policy may reflect that decision.
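The grace period understates what a relying party actually risks: a client that fetched the previous CRL just before the new one was issued keeps trusting the certificate until that CRL's nextUpdate, so the real exposure is the grace period plus the CRL validity interval. The Python below is an added example for this page (not from the source, RFC text or (ISC)2 material) that computes both figures from a constructed revocation log, checks each entry against a policy maximum, and derives the longest CRL validity a Policy Authority can allow for a given acceptable exposure. The serial numbers, timestamps and policy values are all assumptions.

```python
"""Revocation request grace period versus relying-party exposure.

Added example for this page; it is not from the source, any RFC, or (ISC)2
material. The revocation log entries and policy values are constructed.
"""
from datetime import datetime, timedelta


def grace_period(request_at, published_at):
    """Time between the CA's receipt of a revocation request and the moment
    the revocation is published (new CRL issued or OCSP responder updated)."""
    if published_at < request_at:
        raise ValueError("publication cannot precede the request")
    return published_at - request_at


def worst_case_exposure(request_at, published_at, crl_validity):
    """Longest time a relying party may keep honouring the certificate.

    A client that fetched the previous CRL just before the new one was
    issued caches it until its nextUpdate, so the window is the grace
    period plus the CRL validity interval, not the grace period alone.
    OCSP with short response lifetimes shrinks crl_validity accordingly.
    """
    return grace_period(request_at, published_at) + crl_validity


def check_revocations(log, max_grace, crl_validity):
    """Judge each (serial, request_at, published_at) against the policy's
    maximum grace period.

    Returns (serial, grace, worst_case, within_policy) per entry; entries
    with within_policy False are CP breaches to raise with the CA.
    """
    report = []
    for serial, request_at, published_at in log:
        grace = grace_period(request_at, published_at)
        worst = worst_case_exposure(request_at, published_at, crl_validity)
        report.append((serial, grace, worst, grace <= max_grace))
    return report


def max_crl_validity(max_grace, acceptable_exposure):
    """Longest CRL validity that keeps worst-case exposure within what the
    PKI participants are willing to accept, given the promised grace period.
    This is the cost knob the question's explanation describes: a longer
    grace period forces shorter-lived CRLs (more frequent issuance)."""
    if acceptable_exposure < max_grace:
        raise ValueError("acceptable exposure is shorter than the grace period itself")
    return acceptable_exposure - max_grace


# Constructed policy: the CP promises publication within one hour and
# issues CRLs valid for 24 hours.
MAX_GRACE = timedelta(hours=1)
CRL_VALIDITY = timedelta(hours=24)

# Constructed revocation log: (serial, request received, revocation published).
REVOCATION_LOG = [
    ("0x1A2B", datetime(2025, 2, 24, 9, 0), datetime(2025, 2, 24, 9, 45)),    # 45 min: compliant
    ("0x1A2C", datetime(2025, 2, 24, 13, 0), datetime(2025, 2, 24, 15, 30)),  # 2.5 h: breach
]


if __name__ == "__main__":
    for serial, grace, worst, ok in check_revocations(REVOCATION_LOG, MAX_GRACE, CRL_VALIDITY):
        print(f"{serial}: grace {grace}, worst-case exposure {worst}, "
              f"{'within' if ok else 'EXCEEDS'} policy")
    print("CRL validity allowed for a 4 h acceptable exposure:",
          max_crl_validity(MAX_GRACE, timedelta(hours=4)))
```

When auditing a CA against its Certificate Policy, feed this the CA's request-intake timestamps and the thisUpdate of the CRL that first lists each serial; the revocationDate inside the CRL entry is the CA's own claim, not evidence of when relying parties could learn of it.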




Helping People Grow Their Careers

1. Updated SSCP Exam Dumps Questions
2. Free SSCP Updates for 90 days
3. 24/7 Customer Support
4. 96% Exam Success Rate
5. SSCP ISC Dumps PDF Questions & Answers are Compiled by Certification Experts
6. SSCP Dumps Questions Just Like the Real Exam Environment
7. Live Support Available for Customer Help
8. Verified Answers
9. ISC Discount Coupon Available on Bulk Purchase
10. Pass Your System Security Certified Practitioner Exam Easily in First Attempt
11. 100% Exam Passing Assurance
