SSCP Practice Quiz

This document provides a 10 question practice quiz for the SSCP certification. The quiz covers topics related to information security including the CIA triad principles of confidentiality, integrity and availability. Specifically, it addresses questions about availability, integrity, separation of duties, asset definitions, data remanence, risk mitigation and the main goal of risk assessment programs. The document provides the questions, potential multiple choice answers, and identifies the single best correct answer with an explanation for each question.


Practice Quiz

SSCP Practice Quiz

1. A user has some extremely valuable data. The data is backed up to a flash stick and placed in a data safe. Which two principles of the CIA triad does this address?
a. Confidentiality and integrity
b. Confidentiality and availability
c. Integrity and availability
d. Availability and nonrepudiation

The correct answer is B. The user is ensuring a form of availability by having a data backup.
Confidentiality is being accomplished by locking up the flash stick. The question does not
describe any practice that could constitute integrity protection and the CIA triad does not deal
with nonrepudiation.

2. Which best describes the concept of availability?
a. Users can make authorized changes
b. There is a level of assurance that data hasn’t been altered
c. Data is available to authorized users when required
d. Backups are protected at off-site locations

The correct answer is C. Availability is the concept of having resources (not just data) available
whenever they are required. A and B best relate to integrity, while D is a more narrow
definition that combines availability with confidentiality.

3. What security principle might best be deployed to prevent fraud?
a. Least privilege
b. Auditing
c. Discretionary access control
d. Separation of duties

The correct answer is D. B assists in the detection of fraud but would not typically be able to
prevent the problem. A restricts access based upon the need-to-know element, but again does
not necessarily prevent the problem. C is irrelevant.

4. Define integrity.
a. Data being correct and up to date
b. Data being accessible
c. Protection from unauthorized access
d. Data being preserved in an unaltered state

SSCP Practice Quiz 1

The correct answer is D. A is partially correct as it is necessary to maintain good data quality.
Under most Data Protection Acts, we are required to ensure data is accurate and current.
However, our primary concern is to have confidence that the data we are processing is not
subjected to improper alteration by either accidental or intentional actions. B is a function of
availability and C is a function of authorization.

5. Which of the following is the BEST definition of an asset?
a. A hardware system in a data center
b. People in sensitive environments
c. Software running in a secure environment
d. An item perceived as having value

The correct answer is D. Even though A, B, and C are considered to be assets, the question is
asking for the best definition, not examples. An asset is anything that has value to the
organization.

6. What is the correct order of the asset lifecycle phases?
a. Create, use, share, store, archive, and destroy
b. Create, share, use, archive, store, and destroy
c. Create, store, use, share, archive, and destroy
d. Create, share, archive, use, store, and destroy

The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store,
use, share, archive, and destroy. This is according to the Securosis Blog.

7. What is the best method for dealing with data remanence on SSDs?
a. Physical destruction
b. Degaussing
c. Formatting
d. Overwriting

The correct answer is A. Degaussing only works on magnetic media and formatting doesn’t
permanently delete data, as it may still be recovered forensically. Overwriting is not effective
on SSDs.

8. A list of company-restricted websites would best be handled in the first instance by what type of control?
a. Physical
b. Administrative
c. Environmental
d. Technical


The correct answer is B. A physical control might be used to prevent access from a given
device and a technical control might be employed to enforce the corporate policy.
Environment is not one of the three types of control.

9. Whenever an organization chooses to perform risk mitigation to address a particular risk, what other form of risk management will also be included?
a. Risk transference
b. Risk avoidance
c. Risk capture
d. Risk acceptance

The correct answer is D. Risk mitigation always leaves some residual risk; the purpose of risk
mitigation is to get risk down to an acceptable level.

10. What is the main goal of a risk assessment program?
a. To calculate annualized loss expectancy (ALE) formulas
b. To develop a disaster recovery plan (DRP)
c. To evaluate risk mitigation
d. To help balance the cost between risk and countermeasures

The correct answer is D. A is a process to calculate risk. C is a testing process and B is a different business process.
