We provide real CCSP exam questions and answers (braindumps) in two formats: a downloadable PDF and practice tests. Pass the ISC2 CCSP exam quickly and easily. The CCSP PDF format can be read and printed, so you can print it and practice as many times as you like. With our ISC2 CCSP PDF and VCE dumps and study material, you can easily pass the CCSP exam.
We also offer free CCSP dump questions for you:
NEW QUESTION 1
Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:
- A. Full inventory
- B. Criticality
- C. Value
- D. Usefulness
Answer: D
Explanation:
When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.
NEW QUESTION 2
Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?
- A. Integrity
- B. Availability
- C. Confidentiality
- D. Nonrepudiation
Answer: C
Explanation:
The main goal of confidentiality is to ensure that sensitive information is not made available or leaked to parties that should not have access to it, while at the same time ensuring that those with appropriate need and authorization to access it can do so in a manner commensurate with their needs and confidentiality requirements.
NEW QUESTION 3
Which of the following threat types involves the sending of untrusted data to a user's browser to be executed with their own credentials and access?
- A. Missing function level access control
- B. Cross-site scripting
- C. Cross-site request forgery
- D. Injection
Answer: B
Explanation:
Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without going through any validation or sanitization processes, or where the code is not properly escaped from processing by the browser. The code is then executed on the user's browser with the user's own access and permissions, allowing an attacker to redirect their web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access.
NEW QUESTION 4
Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?
- A. IPSec
- B. HTTPS
- C. VPN
- D. DNSSEC
Answer: D
Explanation:
DNSSEC is used as a security extension to DNS lookup queries in order to ensure the authenticity and authoritativeness of hostname resolutions, in order to prevent spoofing and redirection of traffic. Although it is a very important concept to be employed for security practices, it is not used to secure or encrypt data transmissions. HTTPS is the most commonly used security mechanism for data communications between clients and websites and web services. IPSec is less commonly used, but is also intended to secure communications between servers. VPN is commonly used to secure traffic into a network area or subnet for developers and administrative users.
NEW QUESTION 5
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?
- A. SRE
- B. RPO
- C. RSL
- D. RTO
Answer: B
Explanation:
The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. SRE is provided as an erroneous response.
NEW QUESTION 6
Along with humidity, temperature is crucial to a data center for optimal operations and protection of equipment.
Which of the following is the optimal temperature range as set by ASHRAE?
- A. 69.8 to 86.0 degrees Fahrenheit (21 to 30 degrees Celsius)
- B. 51.8 to 66.2 degrees Fahrenheit (11 to 19 degrees Celsius)
- C. 64.4 to 80.6 degrees Fahrenheit (18 to 27 degrees Celsius)
- D. 44.6 to 60.8 degrees Fahrenheit (7 to 16 degrees Celsius)
Answer: C
Explanation:
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends
NEW QUESTION 7
Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?
- A. IPSec
- B. VPN
- C. SSL
- D. TLS
Answer: A
Explanation:
IPSec is a protocol for encrypting and authenticating packets during transmission between two parties and can involve any type of device, application, or service. The protocol performs both the authentication and negotiation of security policies between the two parties at the start of the connection and then maintains these policies throughout the lifetime of the connection. TLS operates at the application layer, not the network layer, and is widely used to secure communications between two parties. SSL is similar to TLS but has been deprecated. Although a VPN allows a secure channel for communications into a private network from an outside location, it's not a protocol.
NEW QUESTION 8
APIs are defined as which of the following?
- A. A set of protocols, and tools for building software applications to access a web-based software application or tool
- B. A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
- C. A set of standards for building software applications to access a web-based software application or tool
- D. A set of routines and tools for building software applications to access web-based software applications
Answer: B
Explanation:
All the answers are true, but B is the most complete.
NEW QUESTION 9
What is the best source for information about securing a physical asset's BIOS?
- A. Security policies
- B. Manual pages
- C. Vendor documentation
- D. Regulations
Answer: C
Explanation:
Vendor documentation from the manufacturer of the physical hardware is the best source of best practices for securing the BIOS.
NEW QUESTION 10
For optimal security, trust zones are used for network segmentation and isolation. They allow for the separation of various systems and tiers, each with its own security level.
Which of the following is typically used to allow administrative personnel access to trust zones?
- A. IPSec
- B. SSH
- C. VPN
- D. TLS
Answer: C
Explanation:
Virtual private networks (VPNs) are used to provide administrative personnel with secure communication channels through security systems and into trust zones. They allow staff who perform system administration tasks to have access to ports and systems that are not allowed from the public Internet. IPSec is an encryption protocol for point-to-point communications at the network level, and may be used within a trust zone but not to give access into a trust zone. TLS enables encryption of communications between systems and services and would likely be used to secure the VPN communications, but it does not represent the overall concept being asked for in the question. SSH allows for secure shell access to systems, but not for general access into trust zones.
NEW QUESTION 11
Which of the following should NOT be part of the requirement analysis phase of the software development lifecycle?
- A. Functionality
- B. Programming languages
- C. Software platform
- D. Security requirements
Answer: D
Explanation:
Security requirements should be incorporated into the software development lifecycle (SDLC) from the earliest requirement-gathering stage, prior to the requirement analysis phase.
NEW QUESTION 12
A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?
- A. UPS
- B. Generators
- C. Joint operating agreements
- D. Strict adherence to applicable regulations
Answer: C
Explanation:
Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organization’s own facility and campus can be addressed at a different facility and campus. UPS and generators are not limited to serving needs for localized causes. Regulations do not promote cost savings and are not often the immediate concern during BC/DR activities.
NEW QUESTION 13
Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments.
Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance?
- A. Data in transit
- B. Data in use
- C. Data at rest
- D. Data custodian
Answer: D
Explanation:
The jurisdictions where data is being stored, processed, or consumed are the ones that dictate the regulatory frameworks and compliance requirements, regardless of who the data owner or custodian might be. The other concepts for protecting data would all play a prominent role in regulatory compliance with a move to the cloud environment. Each concept needs to be evaluated based on the new configurations as well as any potential changes in jurisdiction or requirements introduced with the move to a cloud.
NEW QUESTION 14
BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives?
- A. RSL
- B. RTO
- C. RPO
- D. SRE
Answer: A
Explanation:
The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the determined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. SRE is provided as an erroneous response.
NEW QUESTION 15
What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed?
- A. Dynamic clustering
- B. Dynamic balancing
- C. Dynamic resource scheduling
- D. Dynamic optimization
Answer: D
Explanation:
Dynamic optimization is the process through which the cloud environment is constantly maintained to ensure resources are available when and where needed, and that physical nodes do not become overloaded or near capacity, while others are underutilized.
NEW QUESTION 16
Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?
- A. Structured
- B. Unstructured
- C. Volume
- D. Object
Answer: D
Explanation:
Object storage is typically used to house virtual machine images because it is independent from other systems and is focused solely on storage. It is also the most appropriate for handling large individual files. Volume storage, because it is allocated to a specific host, would not be appropriate for storing virtual machine images. Structured and unstructured are storage types specific to PaaS and would not be used for storing items used throughout a cloud environment.
NEW QUESTION 17
What does dynamic application security testing (DAST) NOT entail?
- A. Scanning
- B. Probing
- C. Discovery
- D. Knowledge of the system
Answer: D
Explanation:
Dynamic application security testing (DAST) is considered "black box" testing and begins with no inside knowledge of the application or its configurations. Everything about the application must be discovered during the testing.
NEW QUESTION 18
Which regulatory system pertains to the protection of healthcare data?
- A. HIPAA
- B. HAS
- C. HITECH
- D. HFCA
Answer: A
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) sets stringent requirements in the United States for the protection of healthcare records.
NEW QUESTION 19
What process is used within a clustered system to provide high availability and load balancing?
- A. Dynamic balancing
- B. Dynamic clustering
- C. Dynamic optimization
- D. Dynamic resource scheduling
Answer: D
Explanation:
Dynamic resource scheduling (DRS) is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.
NEW QUESTION 20
......
Recommended! Get the full CCSP dumps in VCE and PDF from DumpSolutions.com. Download: https://www.dumpsolutions.com/CCSP-dumps/ (New 512 Q&As version)