Chapter 1 Security Operations and Administration (Domain 1)
THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1.0: Security Operations and Administration
  1.1 Comply with codes of ethics
    (ISC)² Code of Ethics
    Organizational code of ethics
  1.2 Understand security concepts
    Confidentiality
    Integrity
    Availability
    Accountability
    Privacy
    Non-repudiation
    Least privilege
    Segregation of duties (SoD)
  1.3 Identify and implement security controls
    Technical controls (e.g., session timeout, password aging)
    Physical controls (e.g., mantraps, cameras, locks)
    Administrative controls (e.g., security policies, standards, procedures, baselines)
    Assessing compliance
    Periodic audit and review
  1.4 Document and maintain functional security controls
    Deterrent controls
    Preventative controls
    Detective controls
    Corrective controls
    Compensating controls
  1.5 Participate in asset management lifecycle (hardware, software, and data)
    Process, planning, design, and initiation
    Development/Acquisition
    Inventory and licensing
    Implementation/Assessment
    Operation/Maintenance
    Archiving and retention requirements
    Disposal and destruction
  1.6 Participate in change management lifecycle
    Change management (e.g., roles, responsibilities, processes)
    Security impact analysis
    Configuration management (CM)
  1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing)
  1.8 Collaborate with physical security operations (e.g., data center assessment, badging)
1 Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?
   A. Street addresses
   B. Item codes
   C. Mobile phone numbers
   D. Social Security numbers
2 Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?
   A. Firewall rules
   B. Policy documents
   C. Security standards
   D. Periodic audits
3 Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?
   A. Organizational code of ethics
   B. (ISC)² code of ethics
   C. Organizational security policy
   D. (ISC)² security policy
4 Which one of the following is an administrative control that can protect the confidentiality of information?
   A. Encryption
   B. Nondisclosure agreement
   C. Firewall
   D. Fault tolerance
5 Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
   A. His supply chain
   B. His vendor contracts
   C. His post-purchase build process
   D. The original equipment manufacturer (OEM)
6 The (ISC)² code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
   A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
   B. Disclose breaches of privacy, trust, and ethics.
   C. Provide diligent and competent service to principals.
   D. Advance and protect the profession.
7 Which one of the following control categories does not accurately describe a fence around a facility?
   A. Physical
   B. Detective
   C. Deterrent
   D. Preventive
8 Which one of the following actions might be taken as part of a business continuity plan?
   A. Restoring from backup tapes
   B. Implementing RAID
   C. Relocating to a cold site
   D. Restarting business operations
9 Which one of the following is an example of physical infrastructure hardening?
   A. Antivirus software
   B. Hardware-based network firewall
   C. Two-factor authentication
   D. Fire suppression system
10 Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
   A. Availability
   B. Confidentiality
   C. Disclosure
   D. Distributed
11 The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
   A. Mandatory vacation
   B. Separation of duties
   C. Defense in depth
   D. Job rotation
12 Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
   A. Integrity
   B. Availability
   C. Confidentiality
   D. Denial
For questions 13–15, please refer to the following scenario.
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.
Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.
13 Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?
   A. Digital signatures
   B. Virtual private network
   C. Virtual LAN
   D. Digital content management
14 You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What availability control allows you to add this robustness without adding additional servers?
   A. Server clustering
   B. Load balancing
   C. RAID
   D. Scheduled backups
15 Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
   A. Hashing
   B. ACLs
   C. Read-only attributes
   D. Firewalls
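The periodic hash verification asked about in question 15 is easy to get wrong in practice, so here is an added example (not part of the book's question bank) of how such a check works: a baseline of SHA-256 digests is recorded once, stored somewhere the file server cannot overwrite, and later compared against a fresh pass over the same directory. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Reports files whose digest changed, files that disappeared, and files
    that were added. Added files matter too: an attacker may plant a file
    rather than edit an existing record.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, tamper with the tree, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "2019").mkdir()
        (root / "2019" / "ledger.csv").write_text("id,amount\n1,100\n")
        (root / "2019" / "notes.txt").write_text("archived\n")
        (root / "readme.txt").write_text("do not modify\n")

        # The baseline would normally be written to read-only or off-host
        # storage; serialising it to JSON here stands in for that step.
        baseline_json = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated tampering: a silent edit, a deletion, and a planted file.
        (root / "2019" / "ledger.csv").write_text("id,amount\n1,1000\n")
        (root / "2019" / "notes.txt").unlink()
        (root / "extra.txt").write_text("planted\n")

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. First, the baseline is only as trustworthy as its storage: if it sits on the same server with the same permissions as the records, whoever edits a record can regenerate the baseline, so keep it on read-only media or another system, or sign it. Second, this is a detective control; it tells you a record changed, but it does not stop the change, which is why it complements rather than replaces the ACLs and read-only attributes listed as distractors.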
16 An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
   A. Separation of duties
   B. Least privilege
   C. Defense in depth
   D. Mandatory vacation
17 Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
   A. Policy
   B. Baseline
   C. Guideline
   D. Procedure
18 Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
   A. Confidentiality
   B. Integrity
   C. Availability
   D. Denial
19 Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
   A. Availability
   B. Denial
   C. Confidentiality
   D. Integrity
20 Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?
   A. Denial
   B. Confidentiality
   C. Integrity
   D. Availability
21 Which one of the following is not an example of a technical control?
   A. Session timeout
   B. Password aging
   C. Encryption
   D. Data classification
For questions 22–25, please refer to the following scenario.
Jasper Diamonds is a jewelry manufacturer that markets and sells custom