SSCP Exam Question 61
Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
Correct Answer: B
Explanation/Reference:
If there is no support by senior management to implement, execute, and enforce security policies and procedure, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect the assests . The requirement here is for management to show
"due diligence" in establishing an effective compliance, or security program. It is senior management that could face legal repercussions if they do not have sufficient controls in place.
The following answers are incorrect:
IS security specialists. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.
Senior security analysts. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.
systems auditors. Is incorrect because it is not the best answer, system auditors are responsible that the controls in place are effective. Senior management bears the primary responsibility for determining the level of protection needed.
If there is no support by senior management to implement, execute, and enforce security policies and procedure, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect the assests . The requirement here is for management to show
"due diligence" in establishing an effective compliance, or security program. It is senior management that could face legal repercussions if they do not have sufficient controls in place.
The following answers are incorrect:
IS security specialists. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.
Senior security analysts. Is incorrect because it is not the best answer. Senior management bears the primary responsibility for determining the level of protection needed.
systems auditors. Is incorrect because it is not the best answer, system auditors are responsible that the controls in place are effective. Senior management bears the primary responsibility for determining the level of protection needed.
SSCP Exam Question 62
Which of the following is biggest factor that makes Computer Crimes possible?
Correct Answer: B
Section: Risk, Response and Recovery
Explanation/Reference:
The biggest factor that makes Computer Crimes possible is Victim Carelessness. Awareness and education can reduce the chance of someone becomming a victim.
The types and frequency of Computer Crimes are increasing at a rapid rate. Computer Crime was once mainly the result of insiders or disgruntled employees. Now just about everybody has access to the internet, professional criminals are taking advantage of this.
Specialized skills are no longer needed and a search on the internet can provide a fraudster with a plethora of tools that can be used to perpetuate fraud.
All too often carelessness leads to someone being a victim. People often use simple passwords or write them down in plain sight where they can be found by fraudsters. People throwing away papers loaded with account numbers, social security numbers, or other types of non-public personal information. There are phishing e-mail attempts where the fraudster tries to redirect a potential victim to a bogus site that resembles a legitimate site in an attempt to get the users' login ID and password, or other credentials. There is also social engineering.
Awareness and training can help reduce the chance of someone becoming a victim.
The following answers are incorrect:
The fraudster obtaining advanced training and special knowledge. Is incorrect because training and special knowledge is not required. There are many tools widely available to fraudsters.
Collusion with others in information processing. Is incorrect because as more and more people use computers in their daily lives, it is no longer necessary to have someone on the inside be a party to fraud attempts.
System design flaws. Is incorrect because while System design flaws are sometimes a factor in Computer Crimes more often then not it is victim carelessness that leads to Computer Crimes.
References:
OIG CBK Legal, Regulations, Compliance and Investigations (pages 695 - 697)
Explanation/Reference:
The biggest factor that makes Computer Crimes possible is Victim Carelessness. Awareness and education can reduce the chance of someone becomming a victim.
The types and frequency of Computer Crimes are increasing at a rapid rate. Computer Crime was once mainly the result of insiders or disgruntled employees. Now just about everybody has access to the internet, professional criminals are taking advantage of this.
Specialized skills are no longer needed and a search on the internet can provide a fraudster with a plethora of tools that can be used to perpetuate fraud.
All too often carelessness leads to someone being a victim. People often use simple passwords or write them down in plain sight where they can be found by fraudsters. People throwing away papers loaded with account numbers, social security numbers, or other types of non-public personal information. There are phishing e-mail attempts where the fraudster tries to redirect a potential victim to a bogus site that resembles a legitimate site in an attempt to get the users' login ID and password, or other credentials. There is also social engineering.
Awareness and training can help reduce the chance of someone becoming a victim.
The following answers are incorrect:
The fraudster obtaining advanced training and special knowledge. Is incorrect because training and special knowledge is not required. There are many tools widely available to fraudsters.
Collusion with others in information processing. Is incorrect because as more and more people use computers in their daily lives, it is no longer necessary to have someone on the inside be a party to fraud attempts.
System design flaws. Is incorrect because while System design flaws are sometimes a factor in Computer Crimes more often then not it is victim carelessness that leads to Computer Crimes.
References:
OIG CBK Legal, Regulations, Compliance and Investigations (pages 695 - 697)
SSCP Exam Question 63
When a station communicates on the network for the first time, which of the following protocol would search for and find the Internet Protocol (IP) address that matches with a known Ethernet address?
Correct Answer: B
The RARP protocol sends out a packet, which includes its MAC address and a request to be informed of the IP address that should be assigned to that MAC address.
ARP does the opposite by broadcasting a request to find the Ethernet address that matches a known IP address.
ICMP supports packets containing error, control, and informational messages (e.g. PING). UDP runs over IP and is used primarily for broadcasting messages over a network.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.
ARP does the opposite by broadcasting a request to find the Ethernet address that matches a known IP address.
ICMP supports packets containing error, control, and informational messages (e.g. PING). UDP runs over IP and is used primarily for broadcasting messages over a network.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.
SSCP Exam Question 64
Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
Correct Answer: B
Explanation/Reference:
Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
SSCP Exam Question 65
In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected?
Correct Answer: C
In an online transaction processing system (OLTP) all transactions are recorded as they occur. When erroneous or invalid transactions are detected the transaction can be recovered by reviewing the logs.
As explained in the ISC2 OIG: OLTP is designed to record all of the business transactions of an organization as they occur. It is a data processing system facilitating and managing transaction-oriented applications. These are characterized as a system used by many concurrent users who are actively adding and modifying data to effectively change real-time data.
OLTP environments are frequently found in the finance, telecommunications, insurance, retail, transportation, and travel industries. For example, airline ticket agents enter data in the database in real-time by creating and modifying travel reservations, and these are increasingly joined by users directly making their own reservations and purchasing tickets through airline company Web sites as well as discount travel Web site portals. Therefore, millions of people may be accessing the same flight database every day, and dozens of people may be looking at a specific flight at the same time.
The security concerns for OLTP systems are concurrency and atomicity.
Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. In an airline ticket system, it is critical for an agent processing a reservation to complete the transaction, especially if it is the last seat available on the plane.
Atomicity ensures that all of the steps involved in the transaction complete successfully. If one step should fail, then the other steps should not be able to complete. Again, in an airline ticketing system, if the agent does not enter a name into the name data field correctly, the transaction should not be able to complete.
OLTP systems should act as a monitoring system and detect when individual processes
abort, automatically restart an aborted process, back out of a transaction if necessary,
allow distribution of multiple copies of application servers across machines, and perform
dynamic load balancing.
A security feature uses transaction logs to record information on a transaction before it is
processed, and then mark it as processed after it is done. If the system fails during the
transaction, the transaction can be recovered by reviewing the transaction logs.
Checkpoint restart is the process of using the transaction logs to restart the machine by
running through the log to the last checkpoint or good transaction. All transactions following
the last checkpoint are applied before allowing users to access the data again.
Wikipedia has nice coverage on what is OLTP:
Online transaction processing, or OLTP, refers to a class of systems that facilitate and
manage transaction-oriented applications, typically for data entry and retrieval transaction
processing. The term is somewhat ambiguous; some understand a "transaction" in the
context of computer or database transactions, while others (such as the Transaction
Processing Performance Council) define it in terms of business or commercial transactions.
OLTP has also been used to refer to processing in which the system responds immediately
to user requests. An automatic teller machine (ATM) for a bank is an example of a
commercial transaction processing application.
The technology is used in a number of industries, including banking, airlines, mailorder,
supermarkets, and manufacturing. Applications include electronic banking, order
processing, employee time clock systems, e-commerce, and eTrading.
There are two security concerns for OLTP system: Concurrency and Atomicity
ATOMICITY
In database systems, atomicity (or atomicness) is one of the ACID transaction properties.
In an atomic transaction, a series of database operations either all occur, or nothing occurs.
A guarantee of atomicity prevents updates to the database occurring only partially, which
can cause greater problems than rejecting the whole series outright.
The etymology of the phrase originates in the Classical Greek concept of a fundamental
and indivisible component; see atom.
An example of atomicity is ordering an airline ticket where two actions are required:
payment, and a seat reservation. The potential passenger must either:
both pay for and reserve a seat; OR
neither pay for nor reserve a seat.
The booking system does not consider it acceptable for a customer to pay for a ticket
without securing the seat, nor to reserve the seat without payment succeeding.
CONCURRENCY
Database concurrency controls ensure that transactions occur in an ordered fashion.
The main job of these controls is to protect transactions issued by different
users/applications from the effects of each other. They must preserve the four
characteristics of database transactions ACID test: Atomicity, Consistency, Isolation, and
Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test.
Thus concurrency control is an essential element for correctness in any system where two
database transactions or more, executed with time overlap, can access the same data,
e.g., virtually in any general-purpose database system. A well established concurrency
control theory exists for database systems: serializability theory, which allows to effectively
design and analyze concurrency control methods and mechanisms.
Concurrency is not an issue in itself, it is the lack of proper concurrency controls that
makes it a serious issue.
The following answers are incorrect:
The transactions should be dropped from processing. Is incorrect because the transactions
are processed and when erroneous or invalid transactions are detected the transaction can
be recovered by reviewing the logs.
The transactions should be processed after the program makes adjustments. Is incorrect
because the transactions are processed and when erroneous or invalid transactions are
detected the transaction can be recovered by reviewing the logs.
The transactions should be corrected and reprocessed. Is incorrect because the
transactions are processed and when erroneous or invalid transactions are detected the
transaction can be recovered by reviewing the logs.
References:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Online_transaction_processing and http://databases.about.com/od/administration/g/concurrency.htm
As explained in the ISC2 OIG: OLTP is designed to record all of the business transactions of an organization as they occur. It is a data processing system facilitating and managing transaction-oriented applications. These are characterized as a system used by many concurrent users who are actively adding and modifying data to effectively change real-time data.
OLTP environments are frequently found in the finance, telecommunications, insurance, retail, transportation, and travel industries. For example, airline ticket agents enter data in the database in real-time by creating and modifying travel reservations, and these are increasingly joined by users directly making their own reservations and purchasing tickets through airline company Web sites as well as discount travel Web site portals. Therefore, millions of people may be accessing the same flight database every day, and dozens of people may be looking at a specific flight at the same time.
The security concerns for OLTP systems are concurrency and atomicity.
Concurrency controls ensure that two users cannot simultaneously change the same data, or that one user cannot make changes before another user is finished with it. In an airline ticket system, it is critical for an agent processing a reservation to complete the transaction, especially if it is the last seat available on the plane.
Atomicity ensures that all of the steps involved in the transaction complete successfully. If one step should fail, then the other steps should not be able to complete. Again, in an airline ticketing system, if the agent does not enter a name into the name data field correctly, the transaction should not be able to complete.
OLTP systems should act as a monitoring system and detect when individual processes
abort, automatically restart an aborted process, back out of a transaction if necessary,
allow distribution of multiple copies of application servers across machines, and perform
dynamic load balancing.
A security feature uses transaction logs to record information on a transaction before it is
processed, and then mark it as processed after it is done. If the system fails during the
transaction, the transaction can be recovered by reviewing the transaction logs.
Checkpoint restart is the process of using the transaction logs to restart the machine by
running through the log to the last checkpoint or good transaction. All transactions following
the last checkpoint are applied before allowing users to access the data again.
Wikipedia has nice coverage on what is OLTP:
Online transaction processing, or OLTP, refers to a class of systems that facilitate and
manage transaction-oriented applications, typically for data entry and retrieval transaction
processing. The term is somewhat ambiguous; some understand a "transaction" in the
context of computer or database transactions, while others (such as the Transaction
Processing Performance Council) define it in terms of business or commercial transactions.
OLTP has also been used to refer to processing in which the system responds immediately
to user requests. An automatic teller machine (ATM) for a bank is an example of a
commercial transaction processing application.
The technology is used in a number of industries, including banking, airlines, mailorder,
supermarkets, and manufacturing. Applications include electronic banking, order
processing, employee time clock systems, e-commerce, and eTrading.
There are two security concerns for OLTP system: Concurrency and Atomicity
ATOMICITY
In database systems, atomicity (or atomicness) is one of the ACID transaction properties.
In an atomic transaction, a series of database operations either all occur, or nothing occurs.
A guarantee of atomicity prevents updates to the database occurring only partially, which
can cause greater problems than rejecting the whole series outright.
The etymology of the phrase originates in the Classical Greek concept of a fundamental
and indivisible component; see atom.
An example of atomicity is ordering an airline ticket where two actions are required:
payment, and a seat reservation. The potential passenger must either:
both pay for and reserve a seat; OR
neither pay for nor reserve a seat.
The booking system does not consider it acceptable for a customer to pay for a ticket
without securing the seat, nor to reserve the seat without payment succeeding.
CONCURRENCY
Database concurrency controls ensure that transactions occur in an ordered fashion.
The main job of these controls is to protect transactions issued by different
users/applications from the effects of each other. They must preserve the four
characteristics of database transactions ACID test: Atomicity, Consistency, Isolation, and
Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test.
Thus concurrency control is an essential element for correctness in any system where two
database transactions or more, executed with time overlap, can access the same data,
e.g., virtually in any general-purpose database system. A well established concurrency
control theory exists for database systems: serializability theory, which allows to effectively
design and analyze concurrency control methods and mechanisms.
Concurrency is not an issue in itself, it is the lack of proper concurrency controls that
makes it a serious issue.
The following answers are incorrect:
The transactions should be dropped from processing. Is incorrect because the transactions
are processed and when erroneous or invalid transactions are detected the transaction can
be recovered by reviewing the logs.
The transactions should be processed after the program makes adjustments. Is incorrect
because the transactions are processed and when erroneous or invalid transactions are
detected the transaction can be recovered by reviewing the logs.
The transactions should be corrected and reprocessed. Is incorrect because the
transactions are processed and when erroneous or invalid transactions are detected the
transaction can be recovered by reviewing the logs.
References:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Online_transaction_processing and http://databases.about.com/od/administration/g/concurrency.htm
- Other Version
- 11170ISC.SSCP.v2022-10-04.q999
- 77ISC.Vceprep.SSCP.v2022-05-30.by.mildred.592q.pdf
- 15993ISC.SSCP.v2022-01-26.q859
- 111ISC.Exam4labs.SSCP.v2021-08-27.by.janice.837q.pdf
- Latest Upload
- 117F5.F5CAB5.v2026-06-22.q29
- 127Juniper.JN0-650.v2026-06-22.q31
- 144Salesforce.Plat-Admn-201.v2026-06-22.q72
- 154VMware.3V0-21.25.v2026-06-20.q29
- 162Microsoft.AB-731.v2026-06-19.q23
- 307IIA.IIA-CIA-Part2.v2026-06-19.q308
- 178DAMA.MD-1220.v2026-06-19.q66
- 190ISTQB.CT-AI.v2026-06-18.q68
- 337IIA.IIA-CIA-Part3.v2026-06-17.q220
- 224WGU.Introduction-to-IT.v2026-06-17.q67