JonP
Newcomer III

Incorrect answers in the SSCP Quizlet

Hello.

I just took the SSCP readiness quiz found in the link below. Of the ten questions, two of them were marked as "incorrect". There's no feedback on the quizlet, so I'd like your feedback since I think the answer from ISC2 in the Quizlet is incorrect in both instances.
 
Question 3 describes an integrity requirement: you prevent fraud by assuring the integrity of the data, which is why I answered b). ISC2 tells me this is incorrect and that the correct answer is d), which is the definition of Availability. I don't think data availability prevents fraud; although ensuring only valid users have access goes some way, if you cannot assure the integrity, then valid users can still conduct fraud by covering their tracks.
 
On question 9, they ask, "What other form of Risk Management will also be included?" I answered c) because Risk Capture is what you do immediately after risk identification. You identify a risk, then capture it in the risk register, so it comes before Risk Mitigation and is always included in the Risk Mitigation process. "Risk acceptance" according to CISSP OSG (Page 67) "...is the result, after a cost/benefit analysis shows that countermeasure costs [i.e. Mitigations] outweigh the possible costs of loss due to a risk." In other words, Risk Acceptance is what you do if you don't want to do Risk Mitigation.
 
Who is wrong here? Me or ISC2? If it's me, please explain. Thank you 

 

Jon Pertwee CISSP, CRISC, CIPP/E, PMP MSc. IT Security Management.
4 Replies
Early_Adopter
Community Champion

I guess the first question is talking about authorisation as well as availability. I assume the author may clumsily be hinting at confidentiality: data theft from improper access would also be fraudulent. It's a poorly written question by the looks of it; I'd fall on integrity, however.

On the second one I'd fall down more on the author's side: after the risk is mitigated with a compensating control, residual risk would need to be accepted. Putting it in the risk register would be something you'd do for any risk you hadn't got down to zero.

Just quick thoughts.



dcontesti
Community Champion

I took the quiz, and for number 3 I don't believe it is a well-written question, as it is open-ended and could have multiple partially correct answers.

 

Based on the actual question (9) I can see why you might pick C. I personally have an issue with this question.

 

There are four common risk mitigation strategies. Typically the most common include avoidance, reduction, transference, and acceptance. There are others (risk sharing, risk buffering, etc.). The question actually lists transference, acceptance and avoidance as distractors.

 

I believe the question needs to be reviewed and maybe rewritten.

 

mhoo

 

d

JonP
Newcomer III

@Early_Adopter 

I think in the first one we need to revert to the syllabus.

 

If, as you assume, it's a clumsy reference to access controls, then there are two points to be made:

 

- First, access controls, as described in the answer, only address threats from external actors, not insider threats.

 

- Second, the response I made is the definition of Integrity (according to the exam itself: in another question it asked what the definition of integrity was, I answered this, and the answer was marked correct). So if I revert to ISC2's definition of Integrity, according to ISC2's CISSP Exam Study Guide, 9th edition, page 6:

"Integrity can be examined from 3 perspectives:
1 - Preventing unauthorised subjects from making changes.
2 - Preventing authorised subjects from making unauthorised changes.
3 - Maintaining internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any other object is valid, consistent and verifiable"

 

If we consider perspective 1, this matches with the authorisation requirement in answer c) given by ISC2 as the correct answer.

 

If we consider perspective 2, this surpasses the answer given by ISC2 by adding additional controls on authorised users; therefore b) is the better answer, because it includes any controls in answer c) plus additional controls.

 

I did some research after posting this, and I agree with your conclusion about the Risk Management question, especially since "Risk capture" is not a recognised Risk Management process.

Jon Pertwee CISSP, CRISC, CIPP/E, PMP MSc. IT Security Management.
Early_Adopter
Community Champion

Hey Jon,

We're in concurrence on the first one: I'd almost certainly answer integrity as the best fit as the question is written, though I'd disagree on your first assumption, in that you can easily have a population of authorised and non-authorised users. We could add R, W, M to what our authorised users could do; then we're into fraud by improper modification (W, M) vs fraud by theft (R) (I steal your info and use it to pretext), though we're assuming "availability to authorised users" means authorised users only do correct things intentionally. Any user monitoring system is going to keep an accountable record of what users did, and there will be some verification of the users' work. Horrible question, and I think we're being over-generous to it…

“Now I’ve caught you … you Risk you!!!” 😛