
ISC2 CSSLP Exam - Topic 1 Question 65 Discussion

Actual exam question for ISC2's CSSLP exam
Question #: 65
Topic #: 1

Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system. Which of the following phases of NIST SP 800-37 C&A methodology will define the above task?

Suggested Answer: A

The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an 'acceptable loss' in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the communication to the users. Decision time for user representatives is not included. The business continuity timeline usually runs parallel with an incident management timeline and may start at the same, or different, points.

In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance. The RTO attaches to the business process and not the resources required to support the process.

Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on the recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered infrastructure to the business.

Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.


Contribute your Thoughts:

Esteban
4 months ago
Really? I didn't think this was that straightforward.
upvoted 0 times
...
Leonida
4 months ago
Wait, isn't Security Accreditation also relevant?
upvoted 0 times
...
Katie
4 months ago
Agreed, Security Certification makes sense here.
upvoted 0 times
...
Eva
4 months ago
I thought it was Continuous Monitoring.
upvoted 0 times
...
Pansy
4 months ago
It's definitely the Security Certification phase!
upvoted 0 times
...
Dallas
5 months ago
I practiced a similar question before, and I think Security Accreditation is more about the final approval rather than documenting changes. So, I’m not confident about that one.
upvoted 0 times
...
Kattie
5 months ago
I’m leaning towards Initiation because it seems like the starting point for establishing procedures, but I could be mixing it up with another framework.
upvoted 0 times
...
Devora
5 months ago
I remember studying the phases of NIST SP 800-37, and I feel like Security Certification could be relevant too, but it’s more about validating security controls, right?
upvoted 0 times
...
Ariel
5 months ago
I think the answer might be Continuous Monitoring since it involves ongoing changes and documentation, but I'm not entirely sure.
upvoted 0 times
...
Vilma
5 months ago
Hmm, I'm a bit unsure about this one. I know logistic regression is used for binary outcomes, but I can't quite remember if it handles both numerical and categorical predictors. I'll have to think this through carefully.
upvoted 0 times
...
Douglass
5 months ago
Okay, I think I've got this. The key is to identify the level of competition that best describes the nature of the rivalry between these two hotel options. I'll need to analyze their products and services to determine the appropriate level.
upvoted 0 times
...
Vincenza
5 months ago
I'm leaning towards the Lightning Design System Zip. It seems like the most direct way to access the prebuilt components and resources the designer needs for their Salesforce UI mockups.
upvoted 0 times
...
Peggy
5 months ago
Hmm, I'm a bit unsure about this one. Should I use the -i flag to make the search case-insensitive, or is that not necessary? I'll have to think about it a bit more.
upvoted 0 times
...
Rosalia
5 months ago
Okay, let me think this through step-by-step. I'll start by identifying the key decision factors - credit score, annual income, and vehicle type. Then I'll work through each possible combination to determine the minimum number of test cases.
upvoted 0 times
...
Isidra
5 months ago
I think it's absorption costing where overheads are applied based on production volume, but I'm not entirely sure.
upvoted 0 times
...
Shakira
9 months ago
Nah, it's definitely 'Continuous Monitoring'. Gotta keep those systems under surveillance, you know? Della's gonna be the security boss of the century.
upvoted 0 times
...
Gwen
9 months ago
Ooh, 'Security Accreditation'! That's gotta be it, right? I mean, who doesn't love a good ol' security accreditation process? It's like a party for the IT crowd.
upvoted 0 times
Brunilda
8 months ago
Definitely, it's all about documenting proposed or actual changes to the information system.
upvoted 0 times
...
Rocco
8 months ago
Yeah, I agree. That phase deals with establishing configuration management and control procedures.
upvoted 0 times
...
Cordie
8 months ago
I think it's D) Security Accreditation.
upvoted 0 times
...
Inocencia
8 months ago
D) Security Accreditation
upvoted 0 times
...
Hubert
8 months ago
C) Continuous Monitoring
upvoted 0 times
...
Garry
9 months ago
B) Security Certification
upvoted 0 times
...
Alishia
9 months ago
A) Initiation
upvoted 0 times
...
...
Billi
10 months ago
Hmm, this one's tricky. I think the 'Initiation' phase sounds about right, but I'll have to double-check my notes. Della's got her work cut out for her, that's for sure.
upvoted 0 times
Audria
8 months ago
B) Security Certification
upvoted 0 times
...
Lashaunda
8 months ago
I think you're right, 'Initiation' is where Della would define those procedures.
upvoted 0 times
...
Kasandra
9 months ago
A) Initiation
upvoted 0 times
...
...
Vilma
10 months ago
I'm not sure, but I think it could also be B) Security Certification. That phase involves verifying security controls.
upvoted 0 times
...
Dana
11 months ago
I agree with Denny. Security Accreditation makes sense for documenting proposed changes.
upvoted 0 times
...
Audrie
11 months ago
Wait, NIST SP 800-37? That's like a secret code for security geeks. I'm just hoping I can spell 'configuration' correctly on the exam.
upvoted 0 times
Olive
9 months ago
D) Security Accreditation
upvoted 0 times
...
Pearline
9 months ago
C) Continuous Monitoring
upvoted 0 times
...
Jody
9 months ago
B) Security Certification
upvoted 0 times
...
Elenore
10 months ago
A) Initiation
upvoted 0 times
...
...
Denny
11 months ago
I think the answer is D) Security Accreditation.
upvoted 0 times
...
