ISC2 Certified Secure Software Lifecycle Professional Exam

The security challenges for DRM are as follows:

Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for

authentication, encryption, and node-locking.

Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting includes the summary of hardware

and software characteristics in order to uniquely identify a device.

OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted software to mobile devices.

Answer B is incorrect. Access control is not a security challenge for DRM.

A host-based intrusion prevention system (HIPS) is an application usually employed on a single computer. It complements traditional finger-

print-based and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. When a

malicious code needs to modify the system or other software residing on the machine, a HIPS system will notice some of the resulting changes

and prevent the action by default or notify the user for permission. It can handle encrypted and unencrypted traffic equally and cannot detect

events scattered over the network.

Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple computers to share one or more IP

addresses. NAT is configured at the server between a private network and the Internet. It allows the computers in a private network to share

a global, ISP assigned address. NAT modifies the headers of packets traversing the server. For packets outbound to the Internet, it translates

the source addresses from private to public, whereas for packets inbound from the Internet, it translates the destination addresses from

public to private.

Answer A is incorrect. Network intrusion prevention system (NIPS) is a hardware/software platform that is designed to analyze, detect,

and report on security related events. NIPS is designed to inspect traffic and based on its configuration or security policy, it can drop malicious

traffic. NIPS is able to detect events scattered over the network and can react.

The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United

States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level

of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's

risks are not at an acceptable level and the system is not ready to be operational.

Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information

System Security Officer (ISSO) are as follows:

Manages the security of the information system that is slated for Certification & Accreditation (C&A).

Insures the information systems configuration with the agency's information security policy.

Supports the information system owner/information owner for the completion of security-related responsibilities.

Takes part in the formal configuration management process.

Prepares Certification & Accreditation (C&A) packages.

Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an

Information System Security Engineer are as follows:

Provides view on the continuous monitoring of the information system.

Provides advice on the impacts of system changes.

Takes part in the configuration management process.

Takes part in the development activities that are required to implement system changes.

Follows approved system changes.

Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief

Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks,

and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational,

financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board for enabling the business to balance risk

and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management

(ERM) approach.

Tamper resistance is resistance tampered by the users of a product, package, or system, or the users who can physically access it. It includes

simple as well as complex devices. The complex device encrypts all the information between individual chips, or renders itself inoperable.

Tamper resistance is generally used in packages in order to determine package or product tampering.

Answer B is incorrect. Tamper evident specifies a process or device that makes unauthorized access to the protected object easily

detected.

Answer D is incorrect. Tamper proofing makes computers resistant to interference. Tamper proofing measures include automatic

removal of sensitive information, automatic shutdown, and automatic physical locking.

Answer C is incorrect. Tamper data is used to view and modify the HTTP or HTTPS headers and post parameters.

The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must

be recovered as defined by the organization. The RPO is generally a definition of what an organization determines is an 'acceptable loss' in a

disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2

hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Answer B is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process

must be restored after a disaster or disruption in order to avoid unacceptable consequences associated with a break in business continuity. It

includes the time for trying to fix the problem without a recovery, the recovery itself, tests and the communication to the users. Decision time

for user representative is not included. The business continuity timeline usually runs parallel with an incident management timeline and may

start at the same, or different, points.

In accepted business continuity planning methodology, the RTO is established during the Business Impact Analysis (BIA) by the owner of a

process (usually in conjunction with the Business Continuity planner). The RTOs are then presented to senior management for acceptance.

The RTO attaches to the business process and not the resources required to support the process.

Answer D is incorrect. The Recovery Time Actual (RTA) is established during an exercise, actual event, or predetermined based on

recovery methodology the technology support team develops. This is the time frame the technology support takes to deliver the recovered

infrastructure to the business.

Answer C is incorrect. The Recovery Consistency Objective (RCO) is used in Business Continuity Planning in addition to Recovery Point

Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to Continuous Data Protection services.