SSCP Exam Review Questions.
With correct and verified answers
How many years of experience are required to earn the Associate of (ISC)2 designation?
A. Zero
B. One
C. Two
D. Five
Correct answer [Security Fundamentals]
A. You don't need to meet the experience requirement to earn the Associate of (ISC)2 designation, so
zero years of experience are required. The SSCP certification requires one year of direct full-time
security work experience. If you earn the Associate of (ISC)2 designation, you have two years from
the date (ISC)2 notifies you that you have passed the SSCP exam to obtain the required experience
and apply to become a fully certified SSCP (which includes submitting the required endorsement
form). The CISSP certification requires five years of experience."
"What are the three elements of the security triad?
A. Authentication authorization, and accounting
B. Confidentiality, integrity, and availability
C. Identification, authentication, and authorization
D. Confidentiality, integrity, and authorization –
Correct answer [Security Fundamentals]
B. The CIA security triad includes three fundamental principles of security designed to prevent losses
in confidentiality, integrity, and availability. Authentication, authorization, and accounting are the
AAAs of security, and identification, authentication, and authorization are required for accountability,
but these are not part of the CIA security triad."
"Who is responsible for ensuring that security controls are in place to protect against the loss of
confidentiality integrity, or availability of their systems and data?
A. IT administrators
B. System and information owners
C. CFO
D. Everyone - Correct answer
[Security Fundamentals]
,B. System and information owners are responsible for ensuring that these security controls are in
place. IT administrators or other IT security personnel might implement and maintain them. While it
can be argued that the Chief Executive Officer (CEO) is ultimately responsible for all security, the
Chief Financial Officer is responsible for finances, not IT security. Assigning responsibility to everyone
results in no one taking responsibility."
"You are sending an e-mail to a business partner that includes proprietary data. You want to ensure
that the partner can access the data but that no one else can. What security principle should you
apply?
A. Authentication
B. Availability
C. Confidentiality
D. Integrity –
Correct answer [Security Fundamentals]
C. Confidentiality helps prevent the unauthorized disclosure of data to unauthorized personnel, and
you can enforce it with encryption in this scenario. Authentication allows a user to claim an identity
(such as with a username) and prove the identity (such as with a password). Availability ensures that
data is available when needed. Integrity ensures that the data hasn't been modified."
"Your organization wants to ensure that attackers are unable to modify data within a database. What
security principle is the organization trying to enforce?
A. Accountability
B. Availability
C. Confidentiality
D. Integrity –
Correct answer [Security Fundamentals]
D. Integrity ensures that data is not modified, and this includes data within a database.
Accountability ensures that systems identify users, track their actions, and monitor their behavior.
Availability ensures that IT systems and data are available when needed. Confidentiality protects
against the unauthorized disclosure of data."
"An organization wants to ensure that authorized employees are able to access resources during
normal business hours. What security principle is the organization trying to enforce?
A. Accountability
B. Availability
C. Integrity
D. Confidentiality –
Correct answer [Security Fundamentals]
,B. Availability ensures that IT systems and data are available when needed, such as during normal
business hours. Accountability ensures that users are accurately identified and authenticated, and
their actions are tracked with logs. Integrity ensures that data is not modified. Confidentiality
protects the unauthorized disclosure of data to unauthorized users."
"An organization has created a disaster recovery plan. What security principle is the organization
trying to enforce?
A. Authentication
B. Availability
C. Integrity
D. Confidentiality –
Correct answer [Security Fundamentals]
B. Availability ensures that IT systems and data are available when needed. Disaster recovery plans
help an organization ensure availability of critical systems after a disaster. Users prove their identity
with authentication. Integrity provides assurances that data and systems have not been modified.
Confidentiality protects against the unauthorized disclosure of data."
"Your organization has implemented a least privilege policy. Which of the following choices describes
the most likely result of this policy?
A. It adds multiple layers of security.
B. No single user has full control over any process.
C. Users can only access data they need to perform their jobs.
D. It prevents users from denying they took an action. –
Correct answer [Security Fundamentals]
C. The principle of least privilege ensures that users have access to the data they need to perform
their jobs, but no more. Defense in depth ensures an organization has multiple layers of security.
Separation of duties ensures that no single user has full control over any process. Non-repudiation
prevents users from denying they took an action."
"Your organization wants to implement policies that will deter fraud by dividing job responsibilities.
Which of the following policies should they implement?
A. Nonrepudiation
B. Least privilege
C. Defense in depth
D. Separation of duties - Correct answer [Security Fundamentals]
D. Separation of duties helps prevent fraud by dividing job responsibilities and ensuring that no
single person has complete control over an entire process. Nonrepudiation ensures that parties are
not able to deny taking an action. The principle of least privilege ensures that users have only the
rights and permissions they need to perform their jobs, but no more. Defense in depth provides a
layered approach to security."
, "Which one of the following concepts provides the strongest security?
A. Defense in depth
B. Nonrepudiation
C. Security triad
D. AAAs of security - Correct answer [Security Fundamentals]
A. Defense in depth provides a layered approach to security by implementing several different
security practices simultaneously and is the best choice of
the available answers to provide the strongest security. The security triad (confidentiality, integrity,
and availability) identifies the main goals of security. Nonrepudiation prevents an individual from
denying that he or she took an action. The AAAs of security are authentication, authorization, and
accounting."
"Which of the following would a financial institution use to validate an e-commerce transaction?
A. Nonrepudiation
B. Least privilege
C. Authentication
D. Signature - Correct answer [Security Fundamentals]
A. Digital signatures used by some online institutions to validate transactions and provide
nonrepudiation. Least privilege ensures that users have only the rights and permissions they need to
perform their jobs, and no more. Authentication verifies a user's identity. A written signature is not
used in e-commerce."
"What are the AAAs of information security?
A. Authentication, availability, and authorization
B. Accounting, authentication, and availability
C. Authentication, authorization, and accounting
D. Availability, accountability, and authorization - Correct answer [Security Fundamentals]
C. The AAAs of information security are authentication, authorization, and accounting. Availability is
part of the CIA security triad (confidentiality, integrity, and availability), but it is not part of the AAAs
of information security."
"You want to ensure that a system can identify individual users track their activity, and log their
actions. What does this provide?
A. Accountability
B. Availability
C. Authentication
D. Authorization - Correct answer [Security Fundamentals]
