
ISC2 ISSMP PDF Exam Questions:

How to Succeed in the ISC2 ISSMP Exam:

  • Avoid deceptive ISSMP PDF exam questions.
  • Focus on ISSMP questions (PDF) based on the latest exam syllabus.
  • Make notes from the ISC2 ISSMP PDF for better learning.
  • Prepare from our latest ISC2 ISSMP PDF file and pass on the first attempt.

Prepare for the ISC2 ISSMP Exam in a Short Time

Passing the ISC2 ISSMP exam validates your knowledge and abilities. Our PDF questions and answers will help you prepare for the ISSMP exam in a short time because they include questions similar to those on the real ISC2 exam. After downloading the ISSMP ISC2 PDF exam questions, which are relevant to the actual exam, you can print all the questions and study them anytime, anywhere.

Realistic Scenario Based ISC2 ISSMP PDF Exam Questions:

Everyone wants to become a Certified Information Systems Security Professional and improve his or her resume. You should practice with real ISSMP questions. Students can benefit from the ISSMP exam questions, which are available in PDF format. The ISSMP exam questions and answers are designed to match the criteria of the actual exam. If you use scenario-based ISC2 ISSMP questions, you will have a better chance of clearing the exam on the first attempt.

Q1.

Which of the following fields of management focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life?

Answer: A

See the explanation below.

Configuration management is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life.

Configuration Management System is a subsystem of the overall project management system. It is a collection of formal documented procedures used to identify and document the functional and physical characteristics of a product, result, service, or component of the project.

It also controls any changes to such characteristics, and records and reports each change and its implementation status. It includes the documentation, tracking systems, and defined approval levels necessary for authorizing and controlling changes. Audits are performed as part of configuration management to determine whether the requirements have been met.

Answer option C is incorrect. The procurement management plan defines more than just the procurement of team members, if needed. It defines how procurements will be planned and executed, and how the organization and the vendor will fulfill the terms of the contract.

Answer option B is incorrect. Risk Management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.

Answer option D is incorrect. Change Management is used to ensure that standardized methods and procedures are used for efficient handling of all changes.


Q2.

Which of the following are the ways of sending secure e-mail messages over the Internet?

Each correct answer represents a complete solution. Choose two.

Answer: B, C

See the explanation below.

Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME) are two ways of sending secure e-mail messages over the Internet. Both use public key cryptography, where users each possess two keys, a public key for encrypting, and a private key for decrypting messages. Because PGP has evolved from a free distribution, it is more popular than S/MIME.

Answer option A is incorrect. Transport Layer Security (TLS) is an application layer protocol that uses a combination of public and symmetric key processing to encrypt data.

Answer option D is incorrect. Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password.

IPSec cannot be used with Point-to-Point Tunneling Protocol (PPTP).


Q3.

You work as a Senior Marketing Manager for Umbrella Inc. You find out that some of the software applications on the systems were malfunctioning and that you were not able to access your remote desktop session. You suspected that a malicious attack had been performed on the company's network. You immediately called the incident response team to handle the situation, which asked the Network Administrator for all relevant information regarding the malfunction. The Network Administrator informed the incident response team that he had been reviewing the security of the network, which caused all these problems. The incident response team announced that this was a controlled event, not an incident. Which of the following steps of an incident handling process was performed by the incident response team?

Answer: D

See the explanation below.

According to the question, the incident response team announced that this was a controlled event, not an incident. The incident response team performed the identification step to classify the event.

Identification is the first post-attack step in the incident handling process. In this phase, the Incident Handler determines whether an incident exists or not. An incident is described as an event in a system or network that poses a threat to the environment. Identification of an incident becomes more difficult as the complexity of the attack increases. The Incident Handler should gather all facts and make decisions on the basis of those facts. The Incident Handler needs to identify the following characteristics of an attack before it can be properly processed.


Q4.

Which of the following is the process performed between organizations that have unique hardware or software that cannot be maintained at a hot or warm site?

Answer: D

See the explanation below.

Reciprocal agreements are arrangements between two or more organizations with similar equipment and applications. Under such an agreement, the organizations provide computer time to each other in the case of an emergency. These types of agreements are commonly made between organizations that have unique hardware or software that cannot be maintained at a hot or warm site.

Answer option B is incorrect. A business impact analysis (BIA) is a crisis management and business impact analysis technique that identifies those threats that can impact the business continuity of operations. Such threats can be either natural or man-made. The BIA team should have a clear understanding of the organization, key business processes, and IT resources for assessing the risks associated with continuity. In the BIA team, there should be senior management, IT personnel, and end users to identify all resources that are to be used during normal operations.

Answer option C is incorrect. Duplicate processing facilities work in the same manner as hot site facilities, with the exception that they are completely dedicated, self-developed recovery facilities. The duplicate facility holds the same equipment, operating systems, and applications, and might have regularly synchronized data. Examples of duplicate processing facilities are large organizations that have multiple geographic locations.

Answer option A is incorrect. A cold site is a backup site in case disaster has taken place in a data center. This is the least expensive disaster recovery solution, usually having only a single room with no equipment. All equipment is brought to the site after the disaster. It can be on site or off site.


Q5.

Which of the following involves changing data prior to or during input to a computer in an effort to commit fraud?

Answer: A

See the explanation below.

Data diddling involves changing data prior to or during input to a computer in an effort to commit fraud. It also refers to the act of intentionally modifying information, programs, or documentation.

Answer option C is incorrect. Eavesdropping is the process of listening in on private conversations. It also includes attackers listening in on network traffic. For example, it can be done over telephone lines (wiretapping), e-mail, instant messaging, and any other method of communication considered private.

Answer option D is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc. In IP spoofing, a hacker modifies packet headers by using someone else's IP address to hide his identity. However, spoofing cannot be used while surfing the Internet, chatting on-line, etc. because forging the source IP address causes the responses to be misdirected.

Answer option B is incorrect. Wiretapping is the act of monitoring telephone and Internet conversations by a third party. It is only legal with prior consent. Legalized wiretapping is generally practiced by the police or another recognized governmental authority.


Reliable Source of Preparation for the Information Systems Security Management Professional Exam

We provide Certified Information Systems Security Professional certification questions along with answers to assist students in passing the ISC2 exam. You can enhance your ISC2 ISSMP preparation with the help of an online practice engine. Try out our ISC2 ISSMP questions, because 98% of Examskit users passed the final ISSMP exam in one go.