1. A user has some extremely valuable data. The data is backed up to a flash stick and
placed in a data safe. Which two principles of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation
The correct answer is B. The user is ensuring a form of availability by having a data backup.
Confidentiality is being accomplished by locking up the flash stick. The question does not
describe any practice that could constitute integrity protection, and the CIA triad does not deal
with nonrepudiation.
2. Which best describes the concept of availability?
A. Users can make authorized changes
B. There is a level of assurance that data hasn’t been altered
C. Data is available to authorized users when required
D. Backups are protected at off-site locations
The correct answer is C. Availability is the concept of having resources (not just data) available
whenever they are required. A and B best relate to integrity, while D is a narrower definition
that combines availability with confidentiality.
3. What security principle might best be deployed to prevent fraud?
A. Least privilege
B. Auditing
C. Discretionary access control
D. Separation of duties
The correct answer is D. B assists in the detection of fraud but would not typically be able to
prevent the problem. A restricts access based upon the need-to-know element, but again does
not necessarily prevent the problem. C is irrelevant.
4. Define integrity.
A. Data being correct and up to date
B. Data being accessible
C. Protection from unauthorized access
D. Data being preserved in an unaltered state
Practice Quiz
SSCP Practice Quiz
The correct answer is D. A is partially correct as it is necessary to maintain good data quality.
Under most Data Protection Acts, we are required to ensure data is accurate and current.
However, our primary concern is to have confidence that the data we are processing is not
subjected to improper alteration by either accidental or intentional actions. B is a function of
availability and C is a function of authorization.
5. Which of the following is the BEST definition of an asset?
A. A hardware system in a data center
B. People in sensitive environments
C. Software running in a secure environment
D. An item perceived as having value
The correct answer is D. Even though A, B, and C are considered to be assets, the question is
asking for the best definition, not examples. An asset is anything that has value to the
organization.
6. What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy
The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store,
use, share, archive, and destroy. This is according to the Securosis Blog.
7. What is the best method for dealing with data remanence on SSDs?
A. Physical destruction
B. Degaussing
C. Formatting
D. Overwriting
The correct answer is A. Degaussing only works on magnetic media and formatting doesn’t
permanently delete data, as it may still be recovered forensically. Overwriting is not effective on
SSDs.
8. A list of company-restricted websites would best be handled in the first instance by what
type of control?
A. Physical
B. Administrative
C. Environmental
D. Technical
The correct answer is B. A physical control might be used to prevent access from a given
device and a technical control might be employed to enforce the corporate policy.
Environmental is not one of the three types of control.
9. Whenever an organization chooses to perform risk mitigation to address a particular risk,
what other form of risk management will also be included?
A. Risk transference
B. Risk avoidance
C. Risk capture
D. Risk acceptance
The correct answer is D. Risk mitigation always leaves some residual risk; the purpose of risk
mitigation is to get risk down to an acceptable level.
10. What is the main goal of a risk assessment program?
A. To calculate annualized loss expectancy (ALE) formulas
B. To develop a disaster recovery plan (DRP)
C. To evaluate risk mitigation
D. To help balance the cost between risk and countermeasures
The correct answer is D. A is a process to calculate risk. C is a testing process and B is a different
business process.
SSCP_10Questions_Answers_Rational_07-25-23