ISC2 Certified Secure Software Lifecycle Professional Exam

The security challenges for DRM are as follows:

Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for

authentication, encryption, and node-locking.

Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting includes the summary of hardware

and software characteristics in order to uniquely identify a device.

OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted software to mobile devices.

Answer B is incorrect. Access control is not a security challenge for DRM.

The Chinese Wall Model is the basic security model developed by Brewer and Nash. This model prevents information flow that may cause a

conflict of interest in an organization representing competing clients. The Chinese Wall Model provides both privacy and integrity for data.

Answer D is incorrect. The Biba model is a formal state transition system of computer security policy that describes a set of access

control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that

subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.

Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing

system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing

corruption of data items in a system due to either error or malicious intent.

The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the

model is based on the notion of a transaction.

Answer A is incorrect. The Bell-La Padula Model is a state machine model used for enforcing access control in government and military

applications. The model is a formal state transition model of computer security policy that describes a set of access control rules which use

security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g.,'Top Secret'), down to the least

sensitive (e.g., 'Unclassified' or 'Public').

The Bell-La Padula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model

which describes rules for the protection of data integrity.

The security challenges for DRM are as follows:

Key hiding: It prevents tampering attacks that target the secret keys. In the key hiding process, secret keys are used for

authentication, encryption, and node-locking.

Device fingerprinting: It prevents fraud and provides secure authentication. Device fingerprinting includes the summary of hardware

and software characteristics in order to uniquely identify a device.

OTA provisioning: It provides end-to-end encryption or other secure ways for delivery of copyrighted software to mobile devices.

Answer B is incorrect. Access control is not a security challenge for DRM.

A host-based intrusion prevention system (HIPS) is an application usually employed on a single computer. It complements traditional finger-

print-based and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. When a

malicious code needs to modify the system or other software residing on the machine, a HIPS system will notice some of the resulting changes

and prevent the action by default or notify the user for permission. It can handle encrypted and unencrypted traffic equally and cannot detect

events scattered over the network.

Answer B is incorrect. Network address translation (NAT) is a technique that allows multiple computers to share one or more IP

addresses. NAT is configured at the server between a private network and the Internet. It allows the computers in a private network to share

a global, ISP assigned address. NAT modifies the headers of packets traversing the server. For packets outbound to the Internet, it translates

the source addresses from private to public, whereas for packets inbound from the Internet, it translates the destination addresses from

public to private.

Answer A is incorrect. Network intrusion prevention system (NIPS) is a hardware/software platform that is designed to analyze, detect,

and report on security related events. NIPS is designed to inspect traffic and based on its configuration or security policy, it can drop malicious

traffic. NIPS is able to detect events scattered over the network and can react.

The DAA, also known as Authorizing Official, makes the final accreditation decision. The Designated Approving Authority (DAA), in the United

States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level

of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system's

risks are not at an acceptable level and the system is not ready to be operational.

Answer D is incorrect. An Information System Security Officer (ISSO) plays the role of a supporter. The responsibilities of an Information

System Security Officer (ISSO) are as follows:

Manages the security of the information system that is slated for Certification & Accreditation (C&A).

Insures the information systems configuration with the agency's information security policy.

Supports the information system owner/information owner for the completion of security-related responsibilities.

Takes part in the formal configuration management process.

Prepares Certification & Accreditation (C&A) packages.

Answer A is incorrect. An Information System Security Engineer (ISSE) plays the role of an advisor. The responsibilities of an

Information System Security Engineer are as follows:

Provides view on the continuous monitoring of the information system.

Provides advice on the impacts of system changes.

Takes part in the configuration management process.

Takes part in the development activities that are required to implement system changes.

Follows approved system changes.

Answer B is incorrect. A Chief Risk Officer (CRO) is also known as Chief Risk Management Officer (CRMO). The Chief Risk Officer or Chief

Risk Management Officer of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks,

and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational,

financial, or compliance-related. CRO's are accountable to the Executive Committee and The Board for enabling the business to balance risk

and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management

(ERM) approach.