Exam (elaborations)

CSSLP Exam Guide UPDATED ACTUAL Exam Questions and CORRECT Answers

Pages
70
Grade
A+
Uploaded on
13-04-2025
Written in
2024/2025

Institution
CSSLP
Course
CSSLP

Which access control mechanism provides the owner of an object the opportunity to determine
the access control permissions for other subjects?
a. Mandatory
b. Role-based
c. Discretionary
d. Token-based
CORRECT ANSWER - Discretionary


The elements UDI and CDI are associated with which access control model?
a. Mandatory access control
b. Clark-Wilson
c. Biba integrity
d. Bell-LaPadula confidentiality
CORRECT ANSWER - Clark-Wilson


The concept of separating elements of a system to prevent inadvertent information sharing is?
a. Leverage existing components
b. Separation of duties
c. Weakest link
d. Least common mechanism
CORRECT ANSWER - Least Common Mechanism


Which of the following is true about the Biba Integrity Model?
a. No write up, no read down
b. No read up, no write down
c. It is described by the simple security rule
d. It uses the high-water-mark principle
CORRECT ANSWER - No write up, no read down

The concept of preventing a subject from denying a previous action with an object in a system is
a description of?
a. Simple security rule
b. Non-repudiation
c. Defense in depth
d. Constrained data item (CDI)
CORRECT ANSWER - Non-repudiation


What was described as being essential in order to implement discretionary access controls?
a. Object owner-defined security access
b. Certificates
c. Labels
d. Security classifications
CORRECT ANSWER - Object owner-defined security access


The CIA of security includes:
a. Confidentiality, integrity, authentication
b. Certificates, integrity, availability
c. Confidentiality, inspection, authentication
d. Confidentiality, integrity, availability
CORRECT ANSWER - Confidentiality, integrity, availability


Complete mediation is an approach to security that includes:
a. Protect systems and networks by using defense in depth
b. A security design that cannot be bypassed or circumvented
c. The use of interlocking rings of trust to ensure protection to data elements
d. The use of access control lists to enforce security rules
CORRECT ANSWER - A security design that cannot be bypassed or circumvented (Complete Mediation)


The fundamental approach to security in which an object has only the necessary rights and
privilege to perform its task with no additional permissions is a description of:
a. Layered security
b. Least privilege
c. Role-based security
d. Clark-Wilson model
CORRECT ANSWER - Least Privilege


Which access control technique relies on a set of rules to determine whether access to an object
will be granted or not?
a. Role-based access control
b. Object and rule instantiate access control
c. Rule-based access control
d. Discretionary access control
CORRECT ANSWER - Rule-based access control


The security principle that ensures that no critical function can be executed by any single
individual (by dividing the function into multiple tasks that can't all be executed by the same
individual) is known as:
a. Discretionary access control
b. Security through obscurity
c. Separation of duties
d. Implicit deny
CORRECT ANSWER - Separation of duties


The ability of a subject to interact with an object describes:
a. Authentication
b. Access
c. Confidentiality
d. Mutual authentication
CORRECT ANSWER - Access


Open design places the focus of security efforts on:
a. Open-source software components
b. Hiding key elements (security through obscurity)
c. Proprietary algorithms
d. Producing a security mechanism in which its strength is independent of its design
CORRECT ANSWER - Producing a security mechanism in which its strength is independent of its design


The security principle of fail-safe is related to:
a. Session management
b. Exception management
c. Least privilege
d. Single point of failure
CORRECT ANSWER - Exception management


Using the principle of keeping things simple is related to:
a. Layered security
b. Simple security rule
c. Economy of mechanism
d. Implementing least privilege for access control
CORRECT ANSWER - Economy of mechanism


Of the following, which is not a class of controls?
a. Physical
b. Informative
c. Technical
d. Administrative
CORRECT ANSWER - Informative


Log file analysis is a form of what type of control?
a. Preventive
b. Detective
c. Corrective
d. Compensating
CORRECT ANSWER - Detective
