ISSAP - Information Systems Security Architecture Professional Security Architecture Modeling Questions and Answers

Question 1

A security architect is tasked with developing a security architecture that is tightly aligned with business objectives and integrates risk management throughout the entire lifecycle of enterprise systems. Which of the following frameworks is MOST suitable for this purpose due to its business-driven approach?

Accepted Answer

SABSA

Answer

SABSA (Sherwood Applied Business Security Architecture) is specifically designed as a business-driven security architecture framework. It starts by analyzing business requirements and uses a risk-based approach to develop a security architecture that supports business goals. TOGAF is a general enterprise architecture framework, Zachman is an ontology for organizing artifacts, and STRIDE is a threat modeling methodology, not a comprehensive architecture framework.

Question 2

During a threat modeling session for a new online payment application, the security team is categorizing potential threats. An attacker attempting to modify the transaction amount after it has been submitted but before it is processed would fall under which category of the STRIDE model?

Accepted Answer

Tampering

Answer

The STRIDE model categorizes threats to help analyze a system for security vulnerabilities. Tampering refers to the unauthorized modification of data. In this scenario, altering the transaction amount is a direct manipulation of data, which is a classic example of a tampering threat. Spoofing relates to impersonation, Repudiation to denying an action, and Information Disclosure to exposing data to unauthorized parties.

Question 3

A security architect is using the DREAD model to prioritize threats identified for a critical system. A specific vulnerability is easy to discover and exploit, but it affects only a small, non-critical user group and causes minimal damage. Which DREAD component would result in the LOWEST score for this vulnerability?

Accepted Answer

Affected Users & Damage

Answer

The DREAD model rates threats based on five categories: Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. In the given scenario, the vulnerability is easy to discover, reproduce, and exploit, which would lead to high scores in those categories. However, since it affects few users and causes minimal harm, the 'Affected Users' and 'Damage' components would receive the lowest scores, thus lowering the overall priority of the threat.

Question 4

Which of the following enterprise architecture frameworks is structured as an ontology, providing a schema for organizing architectural artifacts based on six interrogatives (What, How, Where, Who, When, Why) and six different perspectives (e.g., Planner, Owner, Designer)?

Accepted Answer

Zachman Framework

Answer

The Zachman Framework is an enterprise ontology and schema for organizing and classifying architectural artifacts. It is structured as a two-dimensional matrix with columns representing interrogatives (What, How, Where, etc.) and rows representing different stakeholder perspectives (Planner, Owner, etc.). It is not a methodology but a way to ensure all aspects of an enterprise are considered from various points of view.

Question 5

A company is adopting The Open Group Architecture Framework (TOGAF) for its enterprise architecture. To ensure security is embedded throughout the process, the security architect recommends integrating security activities into each phase of the Architecture Development Method (ADM). During which ADM phase would the architect primarily define the security requirements for data and applications?

Accepted Answer

Phase C: Information Systems Architectures

Answer

Within the TOGAF Architecture Development Method (ADM), Phase C is focused on Information Systems Architectures, which is divided into two sub-phases: Data Architecture and Application Architecture. It is in this phase that the specific security requirements and controls related to how data is stored, managed, and accessed, and how applications should be designed securely, are developed.

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Security Architecture Modeling Questions and Answers