exam questions

Exam SSCP All Questions

View all questions & answers for the SSCP exam

Exam SSCP topic 2 question 124 discussion

Actual exam question from ISC's SSCP
Question #: 124
Topic #: 2
[All SSCP Questions]

What can best be defined as the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities, such as evaluation criteria?

  • A. Acceptance testing
  • B. Evaluation
  • C. Certification
  • D. Accreditation
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
Evaluation as a general term is described as the process of independently assessing a system against a standard of comparison, such as evaluation criteria.
Evaluation criterias are defined as a benchmark, standard, or yardstick against which accomplishment, conformance, performance, and suitability of an individual, hardware, software, product, or plan, as well as of risk-reward ratio is measured.
What is computer security evaluation?
Computer security evaluation is the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any logical vulnerabilities. The Security Target determines the scope of the evaluation. It includes a claimed level of Assurance that determines how rigorous the evaluation is.

Criteria -
Criteria are the "standards" against which security evaluation is carried out. They define several degrees of rigour for the testing and the levels of assurance that each confers. They also define the formal requirements needed for a product (or system) to meet each Assurance level.

TCSEC -
The US Department of Defense published the first criteria in 1983 as the Trusted Computer Security Evaluation Criteria (TCSEC), more popularly known as the
"Orange Book". The current issue is dated 1985. The US Federal Criteria were drafted in the early 1990s as a possible replacement but were never formally adopted.

ITSEC -
During the 1980s, the United Kingdom, Germany, France and the Netherlands produced versions of their own national criteria. These were harmonised and published as the Information Technology Security Evaluation Criteria (ITSEC). The current issue, Version 1.2, was published by the European Commission in
June 1991. In September 1993, it was followed by the IT Security Evaluation Manual (ITSEM) which specifies the methodology to be followed when carrying out
ITSEC evaluations.

Common Criteria -
The Common Criteria represents the outcome of international efforts to align and develop the existing European and North American criteria. The Common
Criteria project harmonises ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (FC) into the Common Criteria for Information Technology Security
Evaluation (CC) for use in evaluating products and systems and for stating security requirements in a standardised way. Increasingly it is replacing national and regional criteria with a worldwide set accepted by the International Standards Organisation (ISO15408).
The following answer were not applicable:
Certification is the process of performing a comprehensive analysis of the security features and safeguards of a system to establish the extent to which the security requirements are satisfied. Shon Harris states in her book that Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation.
Wikipedia describes it as: Certification is a comprehensive evaluation of the technical and non-technical security controls (safeguards) of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements
Accreditation is the official management decision to operate a system. Accreditation is the formal declaration by a senior agency official (Designated Accrediting
Authority (DAA) or Principal Accrediting Authority (PAA)) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural security controls (safeguards).
Acceptance testing refers to user testing of a system before accepting delivery.
Reference(s) used for this question:
HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002. and https://en.wikipedia.org/wiki/Certification_and_Accreditation and http://www.businessdictionary.com/definition/evaluation-criteria.html and http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/secevalcriteria.shtml

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
lfrivas
1 week, 2 days ago
Selected Answer: C
Certification is the formal process of testing and evaluating the security features of an IT system or product to ensure they function correctly, effectively, and are free from logical vulnerabilities. It involves in-depth technical analysis, security testing, and verification against established standards such as Common Criteria or FIPS. Certification provides a documented assurance that the system meets specific security requirements. Evaluation, on the other hand, is a more general term. While it refers to the act of assessing or analyzing something, it does not necessarily follow a formal structure or result in an official validation. Certification includes evaluation, but goes beyond it by being formalized, structured, and producing official results that can be used for accreditation or compliance purposes.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago