
ISC2 CSSLP PDF Exam Questions:

How to Get Success in ISC2 CSSLP Exam:

  • Avoid deceptive CSSLP PDF exam questions.
  • Focus on CSSLP questions (PDF) based on the latest exam syllabus.
  • Make notes from the ISC2 CSSLP PDF for better learning.
  • Prepare from our latest ISC2 CSSLP PDF file and pass on the first attempt.

Prepare ISC2 CSSLP Exam Within Short Time

Passing the ISC2 CSSLP exam validates your knowledge and abilities. Our PDF questions and answers will help you prepare for the CSSLP exam in a short time because they include questions similar to the real ISC2 exam questions. After downloading the CSSLP ISC2 PDF exam questions, which are relevant to the actual exam, you can print all the questions and study them anytime, anywhere.

Realistic Scenario Based ISC2 CSSLP PDF Exam Questions:

Everyone wants to become a Certified Secure Software Lifecycle Professional and improve his/her resume. You should practice with real CSSLP questions. Students can benefit from the CSSLP exam questions, which are available in PDF format. The CSSLP exam questions and answers are designed to match the criteria of the actual exam. If you use scenario-based ISC2 CSSLP questions, you will have a better chance of clearing the exam on the first attempt.

Q1.

You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company's network, you are facing problems in searching the faults and other entities that belong to it. Which of the following risks may occur due to the existence of these problems?

Answer: C

See the explanation below.

Detection risk is the risk that an auditor will not be able to find what they are looking to detect. Hence, it becomes tedious to report negative results when material conditions (faults) actually exist. Detection risk includes two types of risk:

Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit sample.

Nonsampling risk: This risk occurs when an auditor fails to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objectives (detection faults).

Answer A is incorrect. Residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although abreast with current science, still carries these dangers, even if all theoretically possible safety measures (scientifically conceivable measures) were applied.

The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability). In the economic context, residual means 'the quantity left over at the end of a process; a remainder'.

Answer D is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited is materially misstated, due to error or fraud, without considering internal controls. The assessment of inherent risk depends on the professional judgment of the auditor, and it is done after assessing the business environment of the entity being audited.

Answer B is incorrect. A secondary risk is a risk that arises as a direct consequence of implementing a risk response. The secondary risk is an outcome of dealing with the original risk. Secondary risks are not as severe or important as primary risks, but can turn out to be so if not estimated and planned for properly.


Q2.

The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national security information. Which of the following participants are required in a NIACAP security assessment?

Each correct answer represents a part of the solution. Choose all that apply.

Answer: A, B, C, E

See the explanation below.

The NIACAP roles are nearly the same as the DITSCAP roles. Four minimum participants (roles) are required to perform a NIACAP security assessment:

IS program manager: The IS program manager is the primary authorization advocate. He is responsible for the Information System (IS) throughout the life cycle of the system development.

Designated Approving Authority (DAA): The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

Certification agent: The certification agent is also referred to as the certifier. He provides the technical expertise to conduct the certification throughout the system life cycle.

User representative: The user representative focuses on system availability, access, integrity, functionality, performance, and confidentiality in a Certification and Accreditation (C&A) process.

Answer D is incorrect. The Information Assurance Manager (IAM) is one of the key participants in the DIACAP process.


Q3.

Which of the following penetration testing techniques automatically tests every phone line in an exchange and tries to locate modems that are attached to the network?

Answer: A

See the explanation below.

The demon dialing technique automatically tests every phone line in an exchange and tries to locate modems that are attached to the network. Information about these modems can then be used to attempt external unauthorized access.

Answer B is incorrect. In sniffing, a protocol analyzer is used to capture data packets that are later decoded to collect information such as passwords or infrastructure configurations.

Answer D is incorrect. The dumpster diving technique is used for searching paper disposal areas for unshredded or otherwise improperly disposed-of reports.

Answer C is incorrect. Social engineering is the most commonly used technique of all: getting information (like passwords) just by asking for it.


Q4.

Which of the following roles is also known as the accreditor?

Answer: D

See the explanation below.

The Designated Approving Authority (DAA) is also known as the accreditor.

Answer A is incorrect. The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information.

Answer B is incorrect. A Chief Risk Officer (CRO) is also known as a Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and the Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach.

Answer C is incorrect. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals. The CIO plays the role of a leader and reports to the chief executive officer, chief operations officer, or chief financial officer. In military organizations, they report to the commanding officer.


Q5.

DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels. Which of the following MAC levels requires high integrity and medium availability?

Answer: D

See the explanation below.

The various MAC levels are as follows:

MAC I: Systems at this level require high availability and high integrity.

MAC II: Systems at this level require high integrity and medium availability.

MAC III: Systems at this level require basic integrity and basic availability.


Reliable Source of Preparation for the Certified Secure Software Lifecycle Professional Exam.

We provide Certified Secure Software Lifecycle Professional certification questions along with answers to assist students in passing the ISC2 exam. You can enhance your ISC2 CSSLP preparation with the help of an online practice engine. Try out our ISC2 CSSLP questions: 98% of Examskit users passed the final CSSLP exam in one go.