SCP Security Certified Program (SCP) - SC0-502 Exam Questions

QUESTION NO: 1
The MegaCorp network has been running smoothly for some time now. You are growing confident that you have taken care of all the critical needs, and that the network is moving towards a new state of maturity in the current configuration. You head out of the office on Friday at noon, since you have put in lots of long hours over the lat month.
On Monday, you are driving into the office, and you happen to look at the speed limit sign that is on the road right next to MegaCorp. On the sign, in black paint, you see the following symbol:
Compaq
)(
Not good, you think, someone has been wardriving your office complex. That better not be in my office. The office building that MegaCorp is in has many other offices and companies, MegaCorp is not the only tenant.
When you get inside, you check all your primary systems, router, firewall, and servers, looking for quick and fast signs of trouble. There does not seem to be any trouble so far. You check through your Snort logs, and so far so good. You are starting to think that whatever the war drivers found, it was not part of MegaCorp.
You know that the MegaCorp policy does not allow for wireless devices, and you have neither installed nor approved any wireless for the network. Since it is still early (you get in at 7:30 on Mondays), you do not have anyone to talk to about adding any wireless devices.
Select the solution that will allow you to find any unauthorized wireless devices in the network in the least amount of time, and with the least disruption to the office and employees.}

A. You take your laptop, which has a built-in wireless network card, and you enable it. You had not enabled the card before, as you know that wireless is not used in this network. You do a quick install of NetStumbler and watch on screen to see what might come up sitting in your office. A few seconds after the WNIC is initialized and NetStumbler is running, you see the following line in NetStumbler: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You expand channel 11 on the left side of NetStumbler, and see that MAC 46EAB5FD7C43 is bolded.
You are surprised to find that there is a wireless device running in the network, and now you are off to see if you can locate the physical device. You take your laptop and head out of your office. You get about 20 feet away from the office when you are stopped by the HR director, who needs help with a laser printer. You also stop to chat about your findings with the CEO, who has just come in to the office. You put your laptop back in your office, to check later in the day.
Although you did not isolate the physical location of the device, you are confident that you have indeed found a rogue device. As soon as you locate the device, you will make a report for the CEO, and see to it that the device is removed immediately. B. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don normally use it. You would have had a 40 minute round trip drive to go home and get your own wardriving equipment.
By 8:30 you have found several wireless devices, but are not sure which, if any might be in your office. The output from NetStumbler shows the following:
MAC:46EAB5FD7C43, SSID:Dell, Channel:11, Type:Peer, Beacon:100 MAC:AB3B3E23AB45, SSID:Cisco, Channel:9, Type:AP, Beacon:85 MAC:000625513AAE, SSID:Compaq, Channel:7, Type:Peer, WEP, Beacon:67 MAC:000C4119420F, SSID:Private, Channel:11, Type:AP, Beacon:55
The one you are most interested in is the Compaq device, as although you know the war drivers might have just written it down, you want to look for Compaq devices first. The Compaq is also an AP, so your suspicion is high. You walk around the office, watching for the numbers in NetStumbler to adjust.
As you walk towards the street, you note the strength of the Compaq device weakens, by the time you get near the windows the signal is very weak. So, you turn around and walk away from the street, and sure enough the signal gets stronger. You actually walk out the main office door into the building interior courtyard. Across the courtyard you find the signal stronger and stronger.
After you walk around for some time, you are sure that you have isolated the signal as coming from an office inside the building and exactly opposite MegaCorp. The device is not in your office, and you will report this to the CEO. You will also ask the CEO if you should inform the neighbor that their network is possibly at risk due to their wireless network use. C. You take your laptop, initialize your WNIC, plug in your external antenna, and enable NetStumbler. You are glad that you keep all your gear nearby, even when you don't normally use it. It is not yet 8:00, and you will be able to walk the office freely, looking for any rogue device.
You turn on the laptop, and turn on your WNIC and NetStumbler. Right away, you see the
following line: MAC: 46EAB5FD7C43, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100. You
think that is what you were expecting, and you go on looking for the unauthorized device.
You walk around the office for a while, and see no fluctuation in the numbers, and do not see any
other devices on screen. By 8:30, most of the employees have come into the office. You meet the
CEO, who is just coming into the office and give a short report on what you are doing. Everyone
you meet has their lunches, work files, briefcases or laptop bags, and they get settled in like any
other day. You get pulled into several conversations with your co-workers as they get started.
At 9:10, you get back to your laptop and you look down at your screen to see what NetStumbler
has to show. There are now two lines, versus the one that was there before:
MAC: 46EAB5FD7C4, SSID: Dell, Channel: 11, Type: Peer, Beacon: 100.
MAC: 000BCDA36ED, SSID: Compaq, Channel: 9, Type: Peer, Beacon: 75.
You close your laptop confident that you now know the exact location of the rogue device, which
you have identified as a Compaq laptop, running in peer mode, and you go to address the device
immediately. D. You decide to spend a full hour and a half from 8:00 to 9:30 going over your logs and data. Until then, you wrap up some early email and pull the log files together to review.
It takes some time to gather all the log files that you can find, but you are able to get everything you need. You get the log form the Router, the Firewall, the IDS, the internal servers, and the web and ftp server. For the next 90 minutes you do nothing other than study the logs looking for unusual traffic, or anything that would be a trigger to you that there has been an intruder in the network.
First, you spend time on the router logs. On the routers you see a series of the following events: %SYS-5-CONFIG_I: Configured from console by vty1 (10.10.50.23) This is an event you consider, and dismiss as not from an attacker.
You then analyze the firewall, and again there you find that there are no logs indicating an intruder is present. All the IP traffic is from authorized IP Addresses. The IDS logs yield similar results. Only authorized traffic from hosts that have legitimate IP Addresses from the inside of the network.
Analyzing the server logs brings you to the same conclusion. All four severs show that the only access has been from the authorized hosts in the network, that no foreign IP Addresses have even attempted a connection into the private servers. The web\ftp server that has a public IP Address has had some failed attempts, but these are all in the realm of what you expect, nothing there stands out to you as well.
After your hour and half, you feel that you have gone through all the logs, and that there is no evidence that there has been any unauthorized access into any of your network resources, and you conclude that the wireless device is not in your office. E. Since the company has a clear policy against the use of wireless devices, and since you know each employee you are fairly confident that the device in question is not inside the MegaCorp office. You schedule from 8:00 to 8:30 to do a visual walkthrough of the facilities.
At 8:00, you grab your notebook, which has a network map and other reference notes, and you begin your walkthrough. You walk into every office, except for the CEO office, which is locked, and access is not granted.
You spend several minutes in each office, and you spend some time in the open area where the majority of the employees work. You do not see any wireless access points, and you do not see any wireless antennas sticking up anywhere. It takes you more than the half an hour you allocated.
By 9:00, the office has filled up, and most people are getting their workweek started. You see the CEO walking in, and motion that you have a question. You say, "I am doing a quick walkthrough of the office, there might be a wireless device in here, and I know they are not allowed, so I am checking to see if I can find it." "As far as I know, there are no wireless devices in the network. We don't allow it, and I know that no one has asked me to put in wireless." "That what I thought. I sure we don't have any running here." You reply. You are confident the wireless problem is in another office.

Correct Answer: C

QUESTION NO: 2
Blue thanks you for your plan and design and took it into consideration. You are then informed that Blue has gone ahead and made a new plan, which will incorporate some of your suggestions, but is going to build the network a bit differently. In Testbed and in each remote office there will be a single self-sufficient CA hierarchy, one that is designed to directly integrate with the existing network. Blue mentions that the hierarchy is only to go two-levels deep, you are not to make an extensive hierarchy in any location. This means a distinct CA hierarchy in six locations, inclusive of the Testbed headquarters.
Using this information, choose the solution that will provide for the proper rollout of the Certificate Authorities in the network.}

A. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as a Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority 6.Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate B. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Once the Subordinate CA is active, take the Root CA offline 6.Configure users for the CAs 7.Configure each Root CA to trust each other Root CA via cross certification 8.Test the CA hierarchy 9.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate C. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA 6.Once the Subordinate CA is active, take the Enterprise Root CA offline 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate D. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA 6.Test the CA hierarchy 7.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate E. In each location, you recommend the following steps:In each location, you recommend the following steps: 1.Harden a system to function as the Root CA1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Configure users for the CAs 6.Configure each Root CA to trust each other Root CA via cross certification 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate

Correct Answer: D

QUESTION NO: 3
Now that the network is moving towards a trusted network, you are preparing for the specific new implementations in GlobalCorp. Just as you wrap up some paperwork for the morning, Orange calls you and lets you know that you are going to be needed in a meeting this afternoon.
You get to Orange's office and sit down at the desk. Orange begins the conversation, " You know we have some solid fundamental issues addressed in our new trusted network, but I have yet to feel that we have addressed any serious concerns."
"Ie been thinking about some similar issues," you reply.
"Good, then I sure you have been thinking about our email. Right now, I cannot guarantee the integrity of any email, and I cannot guarantee the confidentiality of any email. We have reasonable controls towards guaranteeing the availability of our email, but what the point if there is no confidentiality or integrity?"
"I agree. I think that addressing this issue should be an immediate priority."
"One concern is that whatever the system is that we put in place, it must be very user-friendly. As we roll out these new systems, anything that will significantly increase the calls into the help desk is something we need to minimize. A second concern is that it not be too costly. We already have this new investment in the trusted network, we need to be sure that we utilize what are building to the fullest extent possible."
"I think we should be able to do that without much difficulty. I already have some solid ideas," you reply.
"OK, take a few days on this. For the moment, just concern yourself with the executive building; the others can follow the plan in their own buildings. Let meet again this coming Monday and you can describe your suggestion then."
Based on this conversation, and your knowledge of GlobalCorp, select the best solution to the email problems in the network.}

A. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
Using the X.509v3 certificates, you will configure each machine to use S\MIME. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user's account. You select 3DES as the algorithm to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message. B. After careful consideration you decide that you will implement secure email in a test group using GPG. You have decided to use GPG to avoid any licensing conflicts that might occur if any user requires secure email exchange with another individual that is in a country with different cryptography laws. You will go to each computer and you will install GPG on each system.
Once installed, you will show each user how to create the required directory structure, by typing the command: gpg --gen-key Once the directory structure is created, you will show each user how to generate the required files, by typing the command: gpg--gen-key Since you want very secure email, you configure each system to use 2048 bit key strength and you select DSA and ElGamal encryption.
With GPG installed and configured, you show each user how to use their new secure email. You have them open Outlook and create a new message to you. Once the message is created, you have them select the Security drop-down list and choose both GPG Sign and GPG Encrypt, and then press send.
You show them on your laptop that you receive the message. You press Reply, and on your laptop also select the Security drop-down menu, where you choose both GPG Sign and GPG Encrypt. The user receives the message, and you show that secure email was successfully sent and received. C. After careful consideration you decide that you will implement secure email in a test group using X.509v3 digital certificates. You choose this since every user received their certificate during an earlier phase, and those certificates included the ability to be used for secure email.
You will configure each machine to use PGP, with the X.509v3 certificates option. You go to each computer and open Outlook Express, which is the default client email program in the test group. You go to the Tools and Account option, selecting the Mail tab, and the properties for the email account.
You select he Security Tab and in the submenu for the Signing Certificate you configure the certificate for the user account. You select DSA and ElGamal as the cryptosystem to use. You then check the Encrypt Contents And Attachments For All Outgoing Messages check box and the Digitally Sign All Outgoing Messages check box. You accept the default of including the digital id when sending signed messages and the default to add sender certificates to the user address book, and close the properties the email account.
You show the user how to send and receive email, showing the Purple ribbon that indicates a signed message and the Orange lock that indicates an encrypted message. D. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the CATool CA server you installed specifically for secure email. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received. E. After careful consideration you decide that you will implement secure email in a test group using PGP. You will use a full licensed version of PGP. You will go to each computer and you will install the full PGP on each system.
Once installed, you will show each user how to create a PGP certificate by requesting the certificate from the MS Enterprise Root CA server you installed, and configured specifically for secure email certificates. After the user has received a certificate, you associate that PGP certificate with their Windows domain user account.
With the PGP certificate associated with the user account, you show each user how to manage their key ring. You show them how to generate their key, and you configure all user key strength to be 2048 bits. Now that the user has a strong key and a PGP certificate, you configure the email client of each user.
You explain that each user will have to install the public key of each other user in the network. You test this by sending an email from your laptop with your PGP certificate attached, and you have the user save the attachment to their Outlook folder. With the certificate saved, you show them how to send secure email to you. You receive the email on your laptop, and double-click the lock to show the user that the secure email message was successfully sent and received.

Correct Answer: A

QUESTION NO: 4
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network:

Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Orange, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Orange begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Orange, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
This is news to most people, Yellow, the Vice President of Research asks, "We have the best in firewalls, we have the best in you and your systems, what are you suggesting?"
The meeting continues for some time, with Orange leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Orange informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Orange has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}

A. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network. B. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network. C. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:A.
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network. D. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network. E. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.

Correct Answer: B