Prepare for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.
QA4Exam focuses on the latest syllabus and exam objectives, and our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these questions and answers help you cover all the essential topics, ensuring you are well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you learn from your mistakes. Whether you are looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the ISC2 CSSLP exam.
Which of the following are examples of passive attacks?
Each correct answer represents a complete solution. Choose all that apply.
Eavesdropping, dumpster diving, and shoulder surfing are passive attacks: the attacker only observes or collects information, violating the confidentiality of a system without altering its state. Because nothing on the target changes, they are considered passive attacks (and are typically harder to detect than active attacks such as tampering or denial of service).
Which of the following US Acts emphasized a "risk-based policy for cost-effective security" and makes it mandatory for agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget?
The Federal Information Security Management Act of 2002 ('FISMA', 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA brought attention within the federal government to cybersecurity and explicitly emphasized a 'risk-based policy for cost-effective security'. FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act.
Answer C is incorrect. The Equal Credit Opportunity Act (ECOA) is a United States law (codified at 15 U.S.C. 1691 et seq.), enacted in 1974, that makes it unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, or age; because all or part of the applicant's income derives from a public assistance program; or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The law applies to any person who, in the ordinary course of business, regularly participates in a credit decision, including banks, retailers, bankcard companies, finance companies, and credit unions.
Answer B is incorrect. The Electronic Communications Privacy Act of 1986 (ECPA, Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, 18 U.S.C. 2510) was enacted by the United States Congress to extend government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, 18 U.S.C. 2701-2712.
Answer D is incorrect. The Fair Credit Reporting Act (FCRA) is an American federal law (codified at 15 U.S.C. 1681 et seq.) that regulates the collection, dissemination, and use of consumer information, including consumer credit information. Along with the Fair Debt Collection Practices Act (FDCPA), it forms the base of consumer credit rights in the United States. It was originally passed in 1970 and is enforced by the US Federal Trade Commission.
The organization level is Tier 1 and it addresses risks from an organizational perspective. What are the various Tier 1 activities? Each correct answer represents a complete solution. Choose all that apply.
The organization level is Tier 1 of the risk management hierarchy, and it addresses risks from an organizational perspective. It includes the following points:
The techniques and methodologies the organization plans to employ to evaluate information system-related security risks.
The methods and procedures the organization plans to use during risk assessment to evaluate the significance of the risks identified.
The types and extent of risk mitigation measures the organization plans to employ to address identified risks.
The level of risk tolerance.
How the organization plans to monitor risks on an ongoing basis in its environment of operation, given the inevitable changes to organizational information systems.
The degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out.
Answer D is incorrect. The Risk Management Framework (RMF) primarily operates at Tier 3, the information system level, not at Tier 1.
You work as a Security Manager for Tech Perfect Inc. In the organization, Syslog is used for computer system management and security auditing, as well as for generalized informational, analysis, and debugging messages. You want to prevent a denial of service (DoS) for the Syslog server and the loss of Syslog messages from other sources. What will you do to accomplish the task?
In order to accomplish the task, you should limit the number of Syslog messages or TCP connections from a specific source for a certain time period. This prevents a denial of service (DoS) against the Syslog server and the loss of Syslog messages from other sources.
Answer D is incorrect. Encrypting rotated log files automatically, using third-party or OS mechanisms, protects data confidentiality; it does not prevent a DoS.
Answer A is incorrect. Accepting a message format other than Syslog is a way to aggregate data from hosts that do not support Syslog, not a DoS countermeasure.
Answer B is incorrect. Enabling the storage of log entries in both traditional Syslog files and a database provides database storage for logs; it does not protect the server from a flood of messages.
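To make the correct answer concrete, here is an added example (not from the original page and not tied to any particular Syslog product) of per-source rate limiting: messages from a chatty host are capped at a burst of N messages per sliding window, so a flood from one host cannot crowd out messages from other hosts. The sample stream, the host names web01 and db01, and the burst and window values are constructed for illustration.

```python
"""Per-source Syslog rate limiting (added example, not from the original page).

A sliding-window limiter accepts at most `burst` messages per `window`
seconds from each source host and drops the rest. A flooding host only
exhausts its own budget; other hosts' messages still get through.
"""
import re
from collections import defaultdict, deque

# Minimal parser for RFC 3164-style lines: "<PRI>Mmm dd hh:mm:ss host tag: msg"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)


def parse_syslog(line):
    """Return facility/severity/host/message for a well-formed line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # e.g. 16 == local0
        "severity": pri % 8,    # e.g. 6 == informational
        "host": m.group("host"),
        "message": m.group("rest"),
    }


class SourceRateLimiter:
    """Sliding-window limiter: at most `burst` messages per `window` seconds per host."""

    def __init__(self, burst, window):
        self.burst = burst
        self.window = window
        self._accepted = defaultdict(deque)  # host -> arrival times of accepted msgs
        self.dropped = defaultdict(int)      # host -> number of dropped msgs

    def allow(self, host, now):
        q = self._accepted[host]
        # Evict accepted timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.burst:
            self.dropped[host] += 1
            return False
        q.append(now)
        return True


def filter_stream(lines, burst=5, window=1.0):
    """Apply the limiter to an iterable of (arrival_time, raw_line).

    Returns (accepted_records, dropped_counts_by_host).
    """
    limiter = SourceRateLimiter(burst, window)
    accepted = []
    for arrival, raw in lines:
        rec = parse_syslog(raw)
        if rec is None:
            continue  # malformed line; a real collector would count these too
        if limiter.allow(rec["host"], arrival):
            accepted.append(rec)
    return accepted, dict(limiter.dropped)


def build_sample_stream():
    """Constructed sample: web01 floods 20 messages in 0.5 s, db01 sends 3 in
    between, then web01 sends one more message after the window has passed."""
    stream = []
    for i in range(20):
        t = i * 0.025
        stream.append((t, f"<134>Jan 10 12:00:00 web01 app[{i}]: request failed"))
        if i % 7 == 0:
            stream.append((t + 0.001, "<38>Jan 10 12:00:00 db01 sshd[7]: Accepted publickey for ops"))
    stream.append((2.0, "<134>Jan 10 12:00:02 web01 app[99]: recovered"))
    return stream


if __name__ == "__main__":
    accepted, dropped = filter_stream(build_sample_stream(), burst=5, window=1.0)
    for rec in accepted:
        print(rec["host"], rec["message"])
    print("dropped:", dropped)
```

With burst=5 and window=1.0 the flood from web01 is cut to 5 messages, its message after the window has expired is accepted again, and all three db01 messages survive. In production the per-host state should be bounded (evict idle hosts) so that an attacker spoofing many source addresses cannot exhaust the limiter's memory instead of the server's.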
Which of the following is NOT a responsibility of a data owner?
Maintaining and protecting the data on a day-to-day basis is not a responsibility of the data owner; it is the responsibility of the data custodian (information custodian).
Answers A, B, and C are incorrect, because all of these are responsibilities of a data owner.
The roles and responsibilities of a data owner are as follows:
The data owner (information owner) is usually a member of management in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.
The data owner decides upon the classification of the data he is responsible for and alters that classification if business needs arise.
This person is also responsible for ensuring that the necessary security controls are in place, ensuring that proper access rights are being used, defining security requirements per classification and backup requirements, approving any disclosure activities, and defining user access criteria.
The data owner approves access requests or may choose to delegate this function to business unit managers, and it is the data owner who deals with security violations pertaining to the data he is responsible for protecting.
The data owner delegates responsibility for the day-to-day maintenance of the data protection mechanisms to the data custodian.