AND CORRECT ANSWERS
Document specific requirements that a customer has about any aspect of a vendor's
service performance.
A) DLR
B) Contract
C) SLR
D) NDA -CORRECTANSWER C) SLR (Service-Level Requirements)
_________ identifies and triages risks. -CORRECTANSWER Risk Assessment
_________ are external forces that jeopardize security. -CORRECTANSWER Threats
_________ are methods used by attackers. -CORRECTANSWER Threat Vectors
_________ are the combination of a threat and a vulnerability. -CORRECTANSWER
Risks
We rank risks by _________ and _________. -CORRECTANSWER Likelihood and
impact
_________ use subjective ratings to evaluate risk likelihood and impact.
-CORRECTANSWER Qualitative Risk Assessment
_________ use objective numeric ratings to evaluate risk likelihood and impact.
-CORRECTANSWER Quantitative Risk Assessment
_________ analyzes and implements possible responses to control risk.
-CORRECTANSWER Risk Treatment
_________ changes business practices to make a risk irrelevant. -CORRECTANSWER
Risk Avoidance
_________ reduces the likelihood or impact of a risk. -CORRECTANSWER Risk
Mitigation
An organization's _________ is the set of risks that it faces. -CORRECTANSWER Risk
Profile
_________ Initial Risk of an organization. -CORRECTANSWER Inherent Risk
_________ Risk that remains in an organization after controls. -CORRECTANSWER
Residual Risk
_________ is the level of risk an organization is willing to accept. -CORRECTANSWER
Risk Tolerance
_________ reduce the likelihood or impact of a risk and help identify issues.
-CORRECTANSWER Security Controls
_________ stop a security issue from occurring. -CORRECTANSWER Preventive
Control
_________ identify security issues requiring investigation. -CORRECTANSWER
Detective Control
_________ remediate security issues that have occurred. -CORRECTANSWER
Recovery Control
Hardening == Preventative -CORRECTANSWER Virus == Detective
Backups == Recovery -CORRECTANSWER For exam (Local and Technical Controls
are the same)
_________ use technology to achieve control objectives. -CORRECTANSWER
Technical Controls
_________ use processes to achieve control objectives. -CORRECTANSWER
Administrative Controls
_________ impact the physical world. -CORRECTANSWER Physical Controls
_________ tracks specific device settings. -CORRECTANSWER Configuration
Management
_________ provide a configuration snapshot. -CORRECTANSWER Baselines (track
changes)
_________ assigns numbers to each version. -CORRECTANSWER Versioning
_________ serve as important configuration artifacts. -CORRECTANSWER Diagrams
_________ and _________ help ensure a stable operating environment.
-CORRECTANSWER Change and Configuration Management
Purchasing an insurance policy is an example of which risk management strategy?
-CORRECTANSWER Risk Transference
What two factors are used to evaluate a risk? -CORRECTANSWER Likelihood and
Impact