SPM

True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.


True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________


True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________


True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.


True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________


True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________


True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________


True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top.


True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.


True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.


True
1. Policies must specify penalties for unacceptable behavior and define an appeals process.


True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.


True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________


True
1. Small organizations spend more per user on security than medium- and large-sized organizations.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
2. The InfoSec community often takes on the leadership role in addressing risk.


True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.


True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.


True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.


True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.


True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.


True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.


True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________


True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________


True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________


b
16. Application of training and education is a common method of which risk control strategy?
a. mitigation b. defense
c. acceptance d. transferal


d
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance b. avoidance
c. transference d. mitigation


a
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan b. business continuity plan
c. disaster recovery plan d. damage control plan


c
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability


b
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk b. risk appetite
c. risk assurance d. risk termination


c
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.


d
22. Which of the following affects the cost of a control?
a. liability insurance b. CBA report
c. asset resale d. maintenance


b
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard b. single loss expectancy
c. value to adversaries d. annualized loss expectancy


a
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis b. exposure factor
c. single loss expectancy d. annualized rate of occurrence


b
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility b. political feasibility
c. technical feasibility d. operational feasibility


c
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support b. implementing controls
c. evaluating alternative strategies d. measuring program effectiveness


a
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components b. quantitative valuation of safeguards
c. subjective prioritization of controls d. risk analysis estimates


d
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE b. FAIR
c. Hybrid Measures d. Delphi


c
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment b. review and reapplication
c. monitoring and measurement d. evaluation and funding


c
30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components b. evaluate loss event frequency
c. assess control impact d. derive and articulate risk


b
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation b. documented control strategy
c. risk acceptance plan d. mitigation plan


c
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis b. asset valuation
c. cost avoidance d. cost-benefit analysis


c
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking b. due care and due diligence
c. selective risk avoidance d. the gold standard


d
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment b. risk treatment
c. risk communication d. risk determination


a
35. The NIST risk management approach includes all but which of the following elements?
a. inform b. assess
c. frame d. respond


d
Chapter 1

15. Communications security involves the protection of which of the following?.
a. radio handsets b. people, physical assets
c. the IT department d. media, technology, and content


b
16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
a. accountability b. availability
c. authorization d. authentication


d
17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
a. Integrity b. Availability
c. Authentication d. Confidentiality


d
18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
a. accountability b. authorization
c. identification d. authentication


c
19. What do audit logs that track user activity on an information system provide?
a. identification b. authorization
c. accountability d. authentication


d
20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
a. leading b. controlling
c. organizing d. planning


a
21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization b. planning
c. controlling d. leading


d
22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
a. zombie-in-the-middle b. sniff-in-the-middle
c. server-in-the-middle d. man-in-the-middle


c
23. Which of the following is the first step in the problem-solving process?
a. Analyze and compare the possible solutions
b. Develop possible solutions
c. Recognize and define the problem
d. Select, implement and evaluate a solution


c
24. Which of the following is NOT a step in the problem-solving process?
a. Select, implement and evaluate a solution
b. Analyze and compare possible solutions
c. Build support among management for the candidate solution
d. Gather facts and make assumptions


d
25. Which of the following is NOT a primary function of Information Security Management?
a. planning b. protection
c. projects d. performance


b
26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
a. planning b. policy
c. programs d. people


b
27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
a. protection
b. people
c. projects
d. policy


c
28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
a. bypass b. theft
c. trespass d. security


d
29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
a. Viruses b. Worms
c. Spam d. Trojan horses


c
30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
a. false alarms b. polymorphisms
c. hoaxes d. urban legends


b
31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
a. threats b. education
c. hugs d. paperwork


a
32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering b. virus
c. worm d. spam


b
33. Which type of attack involves sending a large number of connection or information requests to a target?
a. malicious code b. denial-of-service (DoS)
c. brute force d. spear fishing


a
34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins
b. Implementation sins
c. Web application sins
d. Networking sins


b
35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
a. SSL b. SLA
c. MSL d. MIN


b
36. Blackmail threat of informational disclosure is an example of which threat category?
a. Espionage or trespass b. Information extortion
c. Sabotage or vandalism d. Compromises of intellectual property


a
37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist b. phreak
c. hackcyber d. cyberhack


b
38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
a. denial-of-service b. distributed denial-of-service
c. virus d. spam


c
39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
a. brute force b. DoS
c. back door d. hoax


a
40. A short-term interruption in electrical power availability is known as a ____.
a. fault
b. brownout
c. blackout d. lag


c
Chapter 2

12. Which subset of civil law regulates the relationships among individuals and among individuals
and organizations?
a. tort b. criminal
c. private d. public


c
13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
a. USA Patriot Act of 2001
b. American Recovery and Reinvestment Act
c. Health Information Technology for Economic and Clinical Health Act
d. National Information Infrastructure Protection Act of 1996


c
14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
a. For purposes of commercial advantage
b. For private financial gain
c. For political advantage
d. In furtherance of a criminal act


d
15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
a. The Telecommunications Deregulation and Competition Act
b. National Information Infrastructure Protection Act
c. Computer Fraud and Abuse Act
d. The Computer Security Act


a
16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986
b. The Telecommunications Deregulation and Competition Act of 1996
c. National Information Infrastructure Protection Act of 1996
d. Federal Privacy Act of 1974


c
17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
a. ECPA
b. Sarbanes-Oxley
c. HIPAA
d. Gramm-Leach-Bliley


b
18. Which law extends protection to intellectual property, which includes words published in electronic formats?
a. Freedom of Information Act b. U.S. Copyright Law
c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act


d
19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
a. Applied ethics b. Meta-ethics
c. Normative ethics d. Deontological ethics


d
20. Which of the following is an international effort to reduce the impact of copyright, trademark,
and privacy infringement, especially via the removal of technological copyright protection measures?
a. U.S. Copyright Law
b. PCI DSS
c. European Council Cybercrime Convention
d. DMCA


b
21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
a. Applied ethics b. Descriptive ethics
c. Normative ethics d. Deontological ethics


d
22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
a. utilitarian b. virtue
c. fairness or justice d. common good


b
23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
a. ignorance b. malice
c. accident d. intent


b
24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
a. remediation b. deterrence
c. persecution d. rehabilitation


a
25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2 b. ACM
c. SANS d. ISACA


b
26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
a. liability b. restitution
c. due diligence d. jurisdiction


b
27. Any court can impose its authority over an individual or organization if it can establish which of the following?
a. jurisprudence b. jurisdiction
c. liability d. sovereignty


c
Chapter 3

10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
a. vision statement b. values statement
c. mission statement d. business statement


a
11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic b. tactical
c. operational d. managerial


a
12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans
b. Tactical plans are used to create strategic plans
c. Operational plans are used to create tactical plans
d. Operational plans are used to create strategic plans


d
13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
a. strategic b. operational
c. organizational d. tactical


d
14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
a. Strategic b. Tactical
c. Organizational d. Operational


c
15. The basic outcomes of InfoSec governance should include all but which of the following?
a. Value delivery by optimizing InfoSec investments in support of organizational objectives
b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
c. Time management by aligning resources with personnel schedules and organizational objectives
d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively


c
16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators


a
17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning
b. Assign InfoSec to a key committee and ensure adequate support for that committee
c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval
d. Identify InfoSec leaders, hold them accountable, and ensure support for them


b
18. Which of the following should be included in an InfoSec governance program?
a. An InfoSec development methodology
b. An InfoSec risk management methodology
c. An InfoSec project management assessment from an outside consultant
d. All of these are components of the InfoSec governance program


a
19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating b. Establishing
c. Acting d. Learning


b
20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
a. Initiating b. Establishing
c. Acting d. Learning


b
21. Which of the following is an information security governance responsibility of the Chief Security Officer?
a. Communicate policies and the program
b. Set security policy, procedures, programs and training
c. Brief the board, customers and the public
d. Implement policy, report security vulnerabilities and breaches


a
22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security
b. Information Security Management
c. Risk Management
d. Policy Management


c
23. Which of the following is a key advantage of the bottom-up approach to security implementation?
a. strong upper-management support
b. a clear planning and implementation process
c. utilizes the technical expertise of the individual administrators
d. coordinated planning from upper management


b
24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
a. software engineering b. joint application design
c. sequence-driven policies d. event-driven procedures


d
25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
a. modular continuous b. elementary cyclical
c. time-boxed circular d. traditional waterfall


a
26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators


b
27. What is the first phase of the SecSDLC?
a. analysis b. investigation
c. logical design d. physical design


a
28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer


d
29. In which phase of the SecSDLC does the risk management task occur?
a. physical design b. implementation
c. investigation d. analysis


b
30. An example of a stakeholder of a company includes all of the following except:
a. employees
b. the general public
c. stockholders
d. management


c
31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
a. champion
b. end user
c. team leader
d. policy developer


c
32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer


a
33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion
b. end user
c. team leader
d. policy developer


a
34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee
b. Board Finance Committee
c. Board Audit Committee
d. Chairman of the Board


b
35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization


a
37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization


a
38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.
b. joint application design
c. security policy review
d. disaster recovery planning


d
39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
a. system controls b. technical controls
c. operational controls d. managerial controls


c
Chapter 4

11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered


b
13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies


d
14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process b. legal recourse
c. what must be done to comply d. the proper operation of equipment


d
15. Which policy is the highest level of policy and is usually created first?
a. SysSP b. USSP
c. ISSP d. EISP


b
16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure b. standard
c. guideline d. practice


b
17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization's SDLC methodology
d. indemnification of the organization against liability


a
18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific b. enterprise information
c. system-specific d. user-specific


a
19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose


a
20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment


a
21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage


a
22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance b. business guidance and network guidance
c. user specifications and managerial guidance d. technical specifications and business guidance


d
23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules


b
24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access b. where the system is located
c. how authorized users can access the system d. when authorized users can access the system


c
25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
a. access control lists b. user profiles
c. configuration rules d. capability tables


d
26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design b. analysis
c. implementation d. investigation


a
27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design b. implementation
c. investigation d. analysis


b
28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation b. analysis
c. design d. investigation


d
29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
a. policy developer b. policy reviewer
c. policy enforcer d. policy administrator


b
30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
a. policy administration b. due diligence
c. adequate security measures d. certification and accreditation


d
Chapter 5

13. Which of the following variables is the most influential in determining how to structure an information security program?
a. Security capital budget b. Organizational size
c. Security personnel budget d. Organizational culture


d
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger information security needs than a small organization


b
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
a. Risk management b. Risk assessment
c. Systems testing d. Vulnerability assessment


a
16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing b. Risk assessment
c. Incident response d. Systems security administration


c
17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
a. compliance b. policy
c. planning d. systems security administration


b
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance audit
d. risk management


a
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician b. A security analyst
c. A security consultant d. The security manager


c
20. GGG security is commonly used to describe which aspect of security?
a. technical b. software
c. physical d. theoretical


c
21. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurence of accidental security breaches
d. increase the efficiency of InfoSec staff


c
22. A SETA program consists of three elements: security education, security training, and which of the following?.
a. security accountability b. security authentication
c. security awareness d. security authorization


b
23. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness


c
24. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education b. level of previous training
c. technology product d. number of employees


c
25. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
d. Motivate management and employees


c
26. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other b. Very cost-effective
c. Customized d. Maximizes use of company resources


d
27. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient


d
28. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible


a
29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee's convenience
d. Can be customized to the needs of the trainee


b
30. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences


b
31. __________ is a simple project management planning tool.
a. RFP b. WBS
c. ISO 17799 d. SDLC


d
32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
a. distance learning seminars b. security-themed Web site
c. conference calls d. security newsletter


d
33. Which of the following is true about a company's InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn't matter if the information is there
c. it should be placed on the Internet for public use
d. it should be tested with multiple browsers


c
Chapter 6

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization
c. Legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility


a
17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis b. Risk identification
c. Risk management d. Risk reduction


d
18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
a. Creating an inventory of information assets
b. Classifying and organizing information assets into meaningful groups
c. Assigning a value to each information asset
d. Calculating the severity of risks to which assets are exposed in their current setting


c
19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
a. Determining the likelihood that vulnerable systems will be attacked by specific threats
b. Calculating the severity of risks to which assets are exposed in their current setting
c. Assigning a value to each information asset
d. Documenting and reporting the findings of risk identification and assessment


d
20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
a. Part number b. Serial number
c. MAC address d. IP address


b
21. Which of the following is an attribute of a network device is physically tied to the network interface?
a. Serial number b. MAC address
c. IP address d. Model number


d
22. Which of the following attributes does NOT apply to software information assets?
a. Serial number b. Controlling entity
c. Manufacturer name d. Product dimensions


d
23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
a. Name b. MAC address
c. Serial number d. Manufacturer's model or part number


b
24. Data classification schemes should categorize information assets based on which of the following?
a. Value and uniqueness b. Sensitivity and security needs
c. Cost and replacement value d. Ease of reproduction and fragility


c
25. Classification categories must be mutually exclusive and which of the following?
a. Repeatable b. Unique
c. Comprehensive d. Selective


d
26. What is the final step in the risk identification process?
a. Assessing values for information assets b. Classifying and categorizing assets
c. Identifying and inventorying assets d. Listing assets in order of importance


b
27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
a. Asset tag b. Relative value
c. Location ID d. Threat risk


a
28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory b. Audited accounting spreadsheet
c. Intellectual property assessment d. List of known threats


c
29. Which of the following is an example of a technological obsolescence threat?
a. Hardware equipment failure b. Unauthorized access
c. Outdated servers d. Malware


a
30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention b. Cost of litigation
c. Cost of detection d. Cost of identification


c
31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
a. Liabilities b. Defenses
c. Vulnerabilities d. Weaknesses


b
32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
a. Risk exposure report b. Threats-vulnerabilities-assets worksheet
c. Costs-risks-prevention database d. Threat assessment catalog


b
33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
a. Vulnerability mitigation controls b. Risk assessment estimate factors
c. Exploit likelihood equation d. Attack analysis calculation


d
34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
a. Risk determination b. Assessing potential loss
c. Likelihood and consequences d. Uncertainty


a
35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage b. Asset impact
c. Risk-rating factor d. Vulnerability likelihood


b
Chapter 7

16. Application of training and education is a common method of which risk control strategy?
a. mitigation b. defense
c. acceptance d. transferal


d
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance b. avoidance
c. transference d. mitigation


a
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan b. business continuity plan
c. disaster recovery plan d. damage control plan


c
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability


b
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk b. risk appetite
c. risk assurance d. risk termination


c
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.


d
22. Which of the following affects the cost of a control?
a. liability insurance b. CBA report
c. asset resale d. maintenance


b
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard b. single loss expectancy
c. value to adversaries d. annualized loss expectancy


a
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis b. exposure factor
c. single loss expectancy d. annualized rate of occurrence


b
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility b. political feasibility
c. technical feasibility d. operational feasibility


c
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support b. implementing controls
c. evaluating alternative strategies d. measuring program effectiveness


a
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components b. quantitative valuation of safeguards
c. subjective prioritization of controls d. risk analysis estimates


d
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE b. FAIR
c. Hybrid Measures d. Delphi


c
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment b. review and reapplication
c. monitoring and measurement d. evaluation and funding


c
30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components b. evaluate loss event frequency
c. assess control impact d. derive and articulate risk


b
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation b. documented control strategy
c. risk acceptance plan d. mitigation plan


c
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis b. asset valuation
c. cost avoidance d. cost-benefit analysis


c
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking b. due care and due diligence
c. selective risk avoidance d. the gold standard


d
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment b. risk treatment
c. risk communication d. risk determination


a
35. The NIST risk management approach includes all but which of the following elements?
a. inform b. assess
c. frame d. respond


a
36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester
b. gray-hat hacker
c. script kiddie
d. zebra team


c
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model b. Wood's model
c. Bull's-eye model d. Bergeron and Berube model


1. True or False? Information security management as a field is ever decreasing in
demand and responsibility because most organizations spend increasingly larger
percentages of their IT budgets in attempting to manage risk and mitigate intrusions,
not to mention the trend in many enterprises of moving all IT operations to an Internetconnected
infrastructure, known as enterprise cloud computing.
F


2. True or False? Information security is a business problem in the sense that the entire
organization must frame and solve security problems based on its own strategic
drivers, not solely on technical controls aimed to mitigate one type of attack.
T


3. True or False? In defining required skills for information security managers, the ISC has
arrived at an agreement on ten domains of information security that is known as the
Common Body of Knowledge (CBK).
T


4. True or False? Threats to information systems come in many flavors, some with
malicious intent, others with supernatural powers or expected surprises.
f


5. True or False? Threats are exploited with a variety of attacks, some technical, others not
so much.
t


1. The art of manipulating people into performing actions or divulging confidential
information, is known as:
A. Malware
B. Industrial espionage
C. Social engineering
D. Spam
E. Phishing
C


2. What describes activities such as theft of trade secrets, bribery, blackmail, and
technological surveillance as well as spying on commercial organizations and
sometimes governments?
A. Spam
B. Phishing
C. Hoaxes
D. Industrial espionage
E. Denial-of-service
D


3. What is the abuse of electronic messaging systems to indiscriminately send unsolicited
bulk messages, many of which contain hoaxes or other undesirable contents such as
links to phishing sites?
A. Spamming
B. Phishing
C. Hoaxes
D. Distributed denial-of-service
E. All of the Above
A


4. What is the criminally fraudulent process of attempting to acquire sensitive information
such as usernames, passwords, and credit-card details by masquerading as a
trustworthy entity in an electronic communication?
A. Splicing
B. Phishing
C. Bending
D. FSO
E. Cabling
B


5. What requires that an individual, program, or system process is not granted any more
access privileges than are necessary to perform the task?
A. Administrative controls
B. Principle of Least Privilege
C. Technical controls
D. Physical controls
E. Risk analysis
B


1. True or False? To give organizations a starting point to develop their own security management systems, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed a family of standards known as the Information Security Management System 27000 Family of Standards.
T


2. True or False? Training should also include creating company security policies and creating user roles that are specific to the organization.
T


3. True or False? The act of securing information has not been around for as long as the idea of storing information.
F


4. True or False? All personnel who come into contact with information systems need to be aware of the risks from improper use of those systems.
T


5. True or False? Each organization should not develop a company policy detailing the preferred use of company data or company software
F


1. _______ what is on the screen by photographing it?
A. Capture
B. Turn off
C. Document
D. Create
E. All of the above
C


2. _____the contents of the system's memory?
A. Turn off
B. Document
C. Create
D. Capture
E. All of the above
D


3. _____the computer?
A. Capture
B. Create
C. Document
D. Distribute
E. Turn off
E


4. _____a forensic image of the system's hard drive?
A. Create
B. Turn off
C. Capture
D. Document
E. All of the above
A


5. Devices that can be used to copy proprietary company data off the internal network are
known as:
A. Remote control software
B. Email
C. USB storage
D. General Internet use
E. Risk analysis
C


1. True or False? Security policies and procedures do not constitute the main part of any
organization's security.
F


2. True or False? Various security-related roles do not need to be maintained and well
defined.
F


3. True or False? End users have a responsibility to protect information assets on a daily
basis through adherence to the security policies that have been set and communicated.
T


4. True or False? Top management does not play an important role in protecting the
information assets in an organization.
F


5. True or False? The security officer "directs, coordinates, plans, and organizes
information security activities throughout the organization.
T


1. Who are responsible for ensuring that the information security policies and procedures
have been adhered to?
A. Information owners
B. Information system auditors
C. Security officers
D. Executive management
E. All of the above
B


2. Who is responsible for building IT security controls into the design and
implementations of the systems?
A. Information owners
B. Information system auditors
C. IT personnel
D. Systems Administrator
E. All of the above
C


3. Who is responsible for configuring the hardware and the operating system to ensure
that the information systems and their contents are available for business as and when
needed?
A. Information System Auditor
B. Information Owners
C. Systems Administrator
D. Security Officer
E. Executive Management
C


4. What analyzes the impact of outage on critical business function operations?
A. Risk assessment
B. Recovery strategy identification
C. Recovery strategy selection
D. Business impact analysis
E. All of the above
D


5. What documents the processes, equipment, and facilities required to restore the
IT assets?
A. Contingency plan development
B. User training
C. Plan verification
D. Plan maintenance
E. Recovery strategy selection
A


1. True or False? A digital identity is a representation of an entity in a general context.
f


2. True or False? Identity management refers to "the process of representing, using,
maintaining, deprovisioning and authenticating entities as digital identities in computer
networks."
t


3. True or False? Privacy is a central issue, due to the fact that the official authorities of
almost all countries have legal strict policies related to identity.
t


4. True or False? The evolution of the identity management system is away from the
simplification of user experience and reinforcing authentication.
f


5. True or False? The security is also compromised with the proliferation of the user's
password and even by it's strength.
f


1. The main identity management system deployed currently in the world of the Internet
is known as the?
A. Federated identity management model
B. Identity life cycle
C. Aggregate identity
D. Executive management model
E. Silo model
b


2. ________________ in centralized identity infrastructures, can't solve the problem of
cross-organizational authentication and authorization?
A. Centrally managed repositories
B. Information system auditors
C. IT personnel
D. Systems Administrators
E. All of the above
a


3. A relatively simple ____________ model is to build a platform that centralizes
identities?
A. Common user identity management
B. Simple centralized identity management
C. Unique identity management
D. Meta directory
E. Executive Management
b


4. What provides an abstraction boundary between application and the actual
implementation?
A. Single point of administration
B. Redundant directory information
C. Single point of reference
D. Business impact analysis
E. All of the above
c


5. What directories are not located in the same physical structure as the Web home
directory, but look as if they were to Web clients?
A. Single Sign-On
B. Seamless
C. Session
D. Virtual
E. Flexible
d


1. True or False? Information security concerns itself with the integrity and availability of
information systems and the information or data they contain and process.
f


2. True or False? Having physical access to a computer system allows an adversary to
bypass most security protections put in place to prevent unauthorized access.
t


3. True or False? An insider is an individual who, due to their role in the organization,
has some level of authorized access to the IS environment and systems.
t


4. True or False? An outsider is considered anyone who does not have authorized access
privileges to an information system or environment.
t


5. True or False? Malware can be generally defined as "a set of instructions that run on
your computer and make your system do something that allow an attacker to make it
do what he wants it to do."
t


1. What is a self-replicating code that attaches itself to another program?
A. Worm
B. Virus
C. Backdoor
D. Trojan Horse
E. User-level Rootkit
b


2. What is a self-replicating code that propagates over a network, usually without human
interaction?
A. Backdoor
B. Virus
C. Worm
D. Trojan Horse
E. User-level Rootkit
c


3. What is a program that bypasses standard security controls to provide an attacker
access, often in a stealthy way?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
d


4. What is a program that masquerades as a legitimate, useful program while also
performing malicious functions in the background?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What is the Trojan/ backdoor code that modifies operating system software so the
attacker can maintain privileged access on a machine but remain hidden?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
e


1. True or False? Network firewalls are a vital component for maintaining a secure
environment and are often the first line of defense against attack.
t


2. True or False? When a packet arrives at a firewall, a hacker policy is applied to
determine the appropriate action.
f


3. True or False? Multiple rules of a single firewall policy may match a packet—for
example, a packet could match rules 2, 6, and 7 of the policy.
f


4. True or False? For most firewalls, the first rule that matches a packet is not typically
applied.
f


5. True or False? Given that a network firewall will not inspect all packets transmitted
between multiple networks, these devices need to determine the appropriate match
with minimal delay.
t


1. What refers to how often the rule is a match?
A. Worm
B. Virus
C. Backdoor
D. More popular
E. User-level Rootkit
d


2. What is the most basic type of a firewall since it only filters at the network and
transport layers (layers two and three)?
A. Backdoor
B. Virus
C. Worm
D. Packet filter
E. User-level Rootkit
d


3. What perform the same operations as packet filters, but also maintain state about the
packets that have arrived?
A. Stateful firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


4. What can filter traffic at the network, transport, and application layer?
A. Application layer firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What can also be categorized based on where they are implemented or what they are
intended to protect—host or network?
A. Trojan Horse
B. Firewalls
C. Worm
D. Backdoor
E. User-level Rootkit
b


1. True or False? Penetration testing is the exploitation of vulnerabilities absent in an
organization's network.
f


2. True or False? Some sources classify penetration testing into two types—internal and
external—and then talk about the "variations" of these types of tests based on the
amount of information the test team has been given about the organization prior to
starting the test.
t


3. True or False? When a penetration test is conducted against Internet-facing hosts, it is
known as external testing.
t


4. True or False? There are three phases in a penetration test, and they mimic the phases
that an attacker would use to conduct a real attack.
t


5. True or False? The pre-attack phase consists of the penetration team's or hacker's
attempts to investigate or explore the potential target.
t


1. What stage involves the actual compromise of the target?
A. Worm Phase
B. Virus Phase
C. Backdoor Phase
D. More popular Phase
E. Attack Phase
e


2. What is unique to the penetration test team?
A. Backdoor Phase
B. Virus Phase
C. Post-Attack Phase
D. Packet filter Phase
E. User-level Rootkit Phase
c


3. What is simply a way to ensure that a particular activity is conducted in a standard
manner, with documented and repeatable results?
A. Stateful firewalls
B. Virus
C. Methodology
D. Backdoor
E. User-level Rootkit
c


4. What have been developed by particular entities offering network security services or
certifications?
A. Application layer firewalls
B. Proprietary methodologies
C. Worms
D. Backdoors
E. User-level Rootkit
b


5. What test is a systematic analysis of all security controls in place at the tested
organization?
A. Trojan Horse
B. Firewalls
C. Worm
D. Comprehensive penetration
E. User-level Rootkit
d



16. Application of training and education is a common method of which risk control strategy?
b. defense


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation






00:02
01:10
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.


22. Which of the following affects the cost of a control?
d. maintenance


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
b. political feasibility


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement


30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
c. cost avoidance


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination


35. The NIST risk management approach includes all but which of the following elements?
a. inform


15. Communications security involves the protection of which of the following?.
d. media, technology, and content


16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
b. availability




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
d. Confidentiality


18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
d. authentication


19. What do audit logs that track user activity on an information system provide?
c. accountability


20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
d. planning


21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization


22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
d. man-in-the-middle


23. Which of the following is the first step in the problem-solving process?
c. Recognize and define the problem


24. Which of the following is NOT a step in the problem-solving process?
c. Build support among management for the candidate solution


25. Which of the following is NOT a primary function of Information Security Management?
d. performance


26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
b. policy


27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
b. people


28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
c. trespass


29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
d. Trojan horses


30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
c. hoaxes


31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
b. education


32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering


33. Which type of attack involves sending a large number of connection or information requests to a target?
b. denial-of-service (DoS)


34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins


35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
b. SLA


36. Blackmail threat of informational disclosure is an example of which threat category?
b. Information extortion


37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist


38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
b. distributed denial-of-service


39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
c. back door


40. A short-term interruption in electrical power availability is known as a ____.
a. fault


12. Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
c. private


13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
c. Health Information Technology for Economic and Clinical Health Act


14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
c. For political advantage


15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
d. The Computer Security Act


16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986


17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
c. HIPAA




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
18. Which law extends protection to intellectual property, which includes words published in electronic formats?
b. U.S. Copyright Law


19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
d. Deontological ethics


20. Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
d. DMCA


21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
b. Descriptive ethics


22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
d. common good


23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
b. malice


24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
b. deterrence


25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2


26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
b. restitution


27. Any court can impose its authority over an individual or organization if it can establish which of the following?
b. jurisdiction


10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
c. mission statement


11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic


12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans


13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
d. tactical


14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
d. Operational


15. The basic outcomes of InfoSec governance should include all but which of the following?
c. Time management by aligning resources with personnel schedules and organizational objectives


16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
c. data users


17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning


18. Which of the following should be included in an InfoSec governance program?
b. An InfoSec risk management methodology


19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating


20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
b. Establishing


21. Which of the following is an information security governance responsibility of the Chief Security Officer?
b. Set security policy, procedures, programs and training


22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security


23. Which of the following is a key advantage of the bottom-up approach to security implementation?
c. utilizes the technical expertise of the individual administrators


24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
b. joint application design


25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
d. traditional waterfall


26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners


27. What is the first phase of the SecSDLC?
b. investigation


28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer


29. In which phase of the SecSDLC does the risk management task occur?
d. analysis


30. An example of a stakeholder of a company includes all of the following except:
b. the general public


31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
c. team leader


32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
c. security manager


33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion


34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee


35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
b. penetration testing


37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment


38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.


39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
d. managerial controls


11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
c. policy should be agreed upon by all employees and management


13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
b. User-specific security policies


14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
d. the proper operation of equipment


15. Which policy is the highest level of policy and is usually created first?
d. EISP


16. Which type of document is a more detailed statement of what must be done to comply with a policy?
b. standard


17. Which of the following is an element of the enterprise information security policy?
b. information on the structure of the InfoSec organization


18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific


19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification


20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy


21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review


22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance


23. What are the two general methods for implementing technical controls?
d. access control lists and configuration rules


24. Which of the following is NOT an aspect of access regulated by ACLs?
b. where the system is located


25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
c. configuration rules


26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
d. investigation


27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design


28. A risk assessment is performed during which phase of the SecSDLC?
b. analysis


29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
d. policy administrator


30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
b. due diligence


13. Which of the following variables is the most influential in determining how to structure an information security program?
d. Organizational culture


14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
d. they have larger information security needs than a small organization


15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
b. Risk assessment


16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing


17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
c. planning


18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
b. centralized authentication


19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician


20. GGG security is commonly used to describe which aspect of security?
c. physical


21. What is the SETA program designed to do?
c. reduce the occurence of accidental security breaches


22. A SETA program consists of three elements: security education, security training, and which of the following?.
c. security awareness


23. The purpose of SETA is to enhance security in all but which of the following ways?
b. by adding barriers


24. Advanced technical training can be selected or developed based on which of the following?
c. technology product


25. Which of the following is the first step in the process of implementing training?
c. Identify program scope, goals, and objectives


26. Which of the following is an advantage of the one-on-one method of training?
c. Customized


27. Which of the following is a disadvantage of the one-on-one training method?
d. Resource intensive, to the point of being inefficient


28. Which of the following is an advantage of the formal class method of training?
d. Interaction with trainer is possible


29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting


30. Which of the following is NOT a step in the process of implementing training?
b. hire expert consultants


31. __________ is a simple project management planning tool.
b. WBS


32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
d. security newsletter


33. Which of the following is true about a company's InfoSec awareness Web site?
d. it should be tested with multiple browsers


16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
c. Legal management must develop corporate-wide standards


17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis


18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
d. Calculating the severity of risks to which assets are exposed in their current setting


19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
c. Assigning a value to each information asset


20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
d. IP address


21. Which of the following is an attribute of a network device is physically tied to the network interface?
b. MAC address


22. Which of the following attributes does NOT apply to software information assets?
d. Product dimensions


23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
d. Manufacturer's model or part number


24. Data classification schemes should categorize information assets based on which of the following?
b. Sensitivity and security needs


25. Classification categories must be mutually exclusive and which of the following?
c. Comprehensive


26. What is the final step in the risk identification process?
d. Listing assets in order of importance


27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
b. Relative value


28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory


29. Which of the following is an example of a technological obsolescence threat?
c. Outdated servers


30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention


31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
c. Vulnerabilities


32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
b. Threats-vulnerabilities-assets worksheet


33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
b. Risk assessment estimate factors


34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
d. Uncertainty


35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage


16. Application of training and education is a common method of which risk control strategy?
b. defense


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation


18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.


22. Which of the following affects the cost of a control?
d. maintenance


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
b. political feasibility


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement


30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
c. cost avoidance


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination


35. The NIST risk management approach includes all but which of the following elements?
a. inform


36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester


12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
c. Bull's-eye model


1. The first step in solving problems is to gather facts and make assumptions.
False


2. Corruption of information can occur only while information is being stored.
False


3. The authorization process takes place before the authentication process.
False


4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
True


5. DoS attacks cannot be launched against routers.
False


6. "Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance. _________________________
False - surfing


7. When voltage levels lag (experience a momentary increase), the extra voltage can severely damage or destroy equipment. _________________________
False - spike


8. The macro virus infects the key operating system files located in a computer's start up sector. _________________________
False - boot


9. The application of computing and network resources to try every possible combination of options of a password is called a dictionary attack. _________________________
False - brute force


10. The term phreaker is now commonly associated with an individual who cracks or removes software protection that is designed to prevent unauthorized duplication. _________________________
False - cracker


11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________
True


12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________
True


13. A device (or a software program on a computer) that can monitor data traveling on a network is known as a socket sniffer. _________________________
False - packet


14. One form of e-mail attack that is also a DoS attack is called a mail spoof, in which an attacker overwhelms the receiver with excessive quantities of e-mail. _________________________
False - bomb


1. Ethics carry the sanction of a governing authority.
False


2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
True


3. Deterrence is the best method for preventing an illegal or unethical activity. ____________
True


4. ISACA is a professional association with a focus on authorization, control, and security. ___________
False - auditing


5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________
True


6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________
True


7. It is the responsibility of InfoSec professionals to understand state laws and standards. ____________
False - regulations


8. InfraGard began as a cooperative effort between the FBI's Cleveland field office and local intelligence professionals. ___________
False - technology


9. Information ambiguation occurs when pieces of non-private data are combined to create information that violates privacy. _________________________
False - aggregation


10. To protect intellectual property and competitive advantage, Congress passed the Entrepreneur Espionage Act (EEA) in 1996. ___________
False - Economic


11. A signaling law specifies a requirement for organizations to notify affected parties when they have experienced a specified type of loss of information. ____________
False - breach


1. Because it sets out general business intentions, a mission statement does not need to be concise.
False


2. A clearly directed strategy flows from top to bottom rather than from bottom to top.
True


3. The primary goal of external monitoring is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
False


4. A top-down approach to information security usually begins with a systems administrator's attempt to improve the security of their systems.
False


5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
True


6. Values statements should therefore be ambiguous; after all, they are meant to express the aspirations of the organization.
False - Vision, vision


7. A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization is a stockbroker.
False - stakeholder


8. The ISA 27014:2013 standard promotes five risk management processes, which should be adopted by the organization's executive management and its governing board.
False - governance


9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
True


1. Policies must specify penalties for unacceptable behavior and define an appeals process.
True


2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
True


3. The 'Authorized Uses' section of an ISSP specifies what the identified technology cannot be used for.
False


4. Rule-based policies are less specific to the operation of a system than access control lists.
False


5. Since most policies are drafted by a single person and then reviewed by a higher-level manager, employee input should not be considered since it makes the process too complex.
False


6. Technology is the essential foundation of an effective information security program. _____________
False - Policy


7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________
True


8. Non mandatory recommendations that the employee may use as a reference in complying with a policy.are known as regulations. ____________
False - guidelines


9. Examples of actions that illustrate compliance with policies are known as laws.
False - practices


10. The need for effective policy management has led to the emergence of a class of hardware tools that supports policy development, implementation, and maintenance.
False - software


1. Small organizations spend more per user on security than medium- and large-sized organizations.
True


2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False


3. Threats from insiders are more likely in a small organization than in a large one.
False


4. The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.
False


5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
True


6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False


7. Planners need to estimate the effort required to complete each task, subtask, or action step.
True


8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False


9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True


10. Each organization has to determine its own project management methodology for IT and information security projects.
True


11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones


2. Legal assessment for the implementation of the information security program is almost always done by the information security or IT departments.
False


12. Most information security projects require a trained project developer. _________________________
False - manager


3. Threats from insiders are more likely in a small organization than in a large one.
False


4. The security education, training, and awareness (SETA) program is designed to reduce the occurence of external security attacks.
False


5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
True


6. The first step in the work breakdown structure (WBS) approach encompasses activities, but not deliverables.
False


7. Planners need to estimate the effort required to complete each task, subtask, or action step.
True


8. The work breakdown structure (WBS) can only be prepared with a complex specialized desktop PC application.
False


9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________
True


10. Each organization has to determine its own project management methodology for IT and information security projects.
True


11. In the early stages of planning, the project planner should attempt to specify completion dates only for major employees within the project. _________________________
False - milestones


12. Most information security projects require a trained project developer. _________________________
False - manager


1. Having an established risk management program means that an organization's assets are completely protected.
False


2. The InfoSec community often takes on the leadership role in addressing risk.
True


3. MAC addresses are considered a reliable identifier for devices with network interfaces, since they are essentially foolproof.
False


4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
True


5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
True


6. The secretarial community often takes on the leadership role in addressing risk. ____________
False - InfoSec, infosec, Information Security, information security


7. An approach to combining risk identification, risk assessment, and risk appetite into a single strategy. is known as risk protection. ___________
False - analysis


8. Some threats can manifest in multiple ways, yielding multiple exploits for an asset-threat pair. ____________
False - vulnerabilities


9. The recognition, enumeration, and documentation of risks to an organization's information assets. is known as risk control. ____________
False - identification


10. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment. ____________
False - threat


11. A formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it is known as a data categorization scheme. ____________
False - classification


12. The probability that a specific vulnerability within an organization will be the target of an attack is known as risk. ____________
False - likelihood


13. The information technology management community of interest often takes on the leadership role in addressing risk. ____________
False - infosec, information security


14. A prioritized lists of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet. ____________
False - vulnerabilities


15. An asset valuation approach that uses categorical or nonnumeric values rather than absolute numerical measures is known as numberless assessment. ____________
False - qualitative


1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True


2. The defense risk control strategy may be accomplished by outsourcing to other organizations.
False


3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
True


4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True


5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
True


6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
False - defense


7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
False - baseline


8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
True


9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ___________
False - transference


10. An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel is known as operational feasibility. ____________
False - technical


11. The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
False - acceptance


12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
True


13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
True


14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
True


15. In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as the annualized risk of occurrence. ____________
False - rate


1. Small organizations spend more per user on security than medium- and large-sized organizations.
True


16. Application of training and education is a common method of which risk control strategy?
b. defense


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation


18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.


22. Which of the following affects the cost of a control?
d. maintenance


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
b. political feasibility


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement


30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
c. cost avoidance


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination


35. The NIST risk management approach includes all but which of the following elements?
a. inform


15. Communications security involves the protection of which of the following?.
d. media, technology, and content


16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
b. availability


17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
d. Confidentiality


18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
d. authentication


19. What do audit logs that track user activity on an information system provide?
c. accountability


20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
d. planning


21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization


22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
d. man-in-the-middle


23. Which of the following is the first step in the problem-solving process?
c. Recognize and define the problem


24. Which of the following is NOT a step in the problem-solving process?
c. Build support among management for the candidate solution


25. Which of the following is NOT a primary function of Information Security Management?
d. performance


26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
b. policy


27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
b. people


28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
c. trespass


29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
d. Trojan horses


30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
c. hoaxes


31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
b. education


32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering


33. Which type of attack involves sending a large number of connection or information requests to a target?
b. denial-of-service (DoS)


34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins


35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
b. SLA


36. Blackmail threat of informational disclosure is an example of which threat category?
b. Information extortion


37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist


38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
b. distributed denial-of-service


39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
c. back door


40. A short-term interruption in electrical power availability is known as a ____.
a. fault


12. Which subset of civil law regulates the relationships among individuals and among individuals and organizations?
c. private


13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
c. Health Information Technology for Economic and Clinical Health Act


14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
c. For political advantage


15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
d. The Computer Security Act


16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986


17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
c. HIPAA


18. Which law extends protection to intellectual property, which includes words published in electronic formats?
b. U.S. Copyright Law


19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
d. Deontological ethics


20. Which of the following is an international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures?
d. DMCA


21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
b. Descriptive ethics


22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
d. common good


23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
b. malice


24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
b. deterrence


25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2


26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
b. restitution


27. Any court can impose its authority over an individual or organization if it can establish which of the following?
b. jurisdiction


10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
c. mission statement


11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic


12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans


13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
d. tactical


14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
d. Operational


15. The basic outcomes of InfoSec governance should include all but which of the following?
c. Time management by aligning resources with personnel schedules and organizational objectives


16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
c. data users


17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning


18. Which of the following should be included in an InfoSec governance program?
b. An InfoSec risk management methodology


19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating


20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
b. Establishing


21. Which of the following is an information security governance responsibility of the Chief Security Officer?
b. Set security policy, procedures, programs and training


22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security


23. Which of the following is a key advantage of the bottom-up approach to security implementation?
c. utilizes the technical expertise of the individual administrators


24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
b. joint application design


25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
d. traditional waterfall


26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners


27. What is the first phase of the SecSDLC?
b. investigation


28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer


29. In which phase of the SecSDLC does the risk management task occur?
d. analysis


30. An example of a stakeholder of a company includes all of the following except:
b. the general public


31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
c. team leader


32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
c. security manager


33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion


34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee


35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
b. penetration testing


37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment


38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.


39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
d. managerial controls


11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
c. policy should be agreed upon by all employees and management


13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
b. User-specific security policies


14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
d. the proper operation of equipment


15. Which policy is the highest level of policy and is usually created first?
d. EISP


16. Which type of document is a more detailed statement of what must be done to comply with a policy?
b. standard


17. Which of the following is an element of the enterprise information security policy?
b. information on the structure of the InfoSec organization


18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific


19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification


20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy


21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review


22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance


23. What are the two general methods for implementing technical controls?
d. access control lists and configuration rules


24. Which of the following is NOT an aspect of access regulated by ACLs?
b. where the system is located


25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
c. configuration rules


26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
d. investigation


27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design


28. A risk assessment is performed during which phase of the SecSDLC?
b. analysis


29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
d. policy administrator


30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
b. due diligence


13. Which of the following variables is the most influential in determining how to structure an information security program?
d. Organizational culture


14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
d. they have larger information security needs than a small organization


15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
b. Risk assessment


16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing


17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
c. planning


18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
b. centralized authentication


19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician


20. GGG security is commonly used to describe which aspect of security?
c. physical


21. What is the SETA program designed to do?
c. reduce the occurence of accidental security breaches


22. A SETA program consists of three elements: security education, security training, and which of the following?.
c. security awareness


23. The purpose of SETA is to enhance security in all but which of the following ways?
b. by adding barriers


24. Advanced technical training can be selected or developed based on which of the following?
c. technology product


25. Which of the following is the first step in the process of implementing training?
c. Identify program scope, goals, and objectives


26. Which of the following is an advantage of the one-on-one method of training?
c. Customized


27. Which of the following is a disadvantage of the one-on-one training method?
d. Resource intensive, to the point of being inefficient


28. Which of the following is an advantage of the formal class method of training?
d. Interaction with trainer is possible


29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting


30. Which of the following is NOT a step in the process of implementing training?
b. hire expert consultants


31. __________ is a simple project management planning tool.
b. WBS


32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
d. security newsletter


33. Which of the following is true about a company's InfoSec awareness Web site?
d. it should be tested with multiple browsers


16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
c. Legal management must develop corporate-wide standards


17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis


18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
d. Calculating the severity of risks to which assets are exposed in their current setting


19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
c. Assigning a value to each information asset


20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
d. IP address


21. Which of the following is an attribute of a network device is physically tied to the network interface?
b. MAC address


22. Which of the following attributes does NOT apply to software information assets?
d. Product dimensions


23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
d. Manufacturer's model or part number


24. Data classification schemes should categorize information assets based on which of the following?
b. Sensitivity and security needs


25. Classification categories must be mutually exclusive and which of the following?
c. Comprehensive


26. What is the final step in the risk identification process?
d. Listing assets in order of importance


27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
b. Relative value


28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory


29. Which of the following is an example of a technological obsolescence threat?
c. Outdated servers


30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention


31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
c. Vulnerabilities


32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
b. Threats-vulnerabilities-assets worksheet


33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
b. Risk assessment estimate factors


34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
d. Uncertainty


35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage


16. Application of training and education is a common method of which risk control strategy?
b. defense


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
d. mitigation


18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
b. risk appetite


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.


22. Which of the following affects the cost of a control?
d. maintenance


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
b. single loss expectancy


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
b. political feasibility


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
c. evaluating alternative strategies


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
d. Delphi


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
c. monitoring and measurement


30. Which of the following is not a step in the FAIR risk management framework?
c. assess control impact


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
b. documented control strategy


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
c. cost avoidance


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
c. selective risk avoidance


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
d. risk determination


35. The NIST risk management approach includes all but which of the following elements?
a. inform


12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
c. Bull's-eye model


36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester


When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
D


To better deal with computer crime, several legislative bodies have taken what
steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
B






00:02
01:10
Which factor is the most important item when it comes to ensuring security is
successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A


Which of the following standards would be most useful to you in ensuring your
information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COSO IC
C


Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.
C


When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and
potential loss.
D


Which is the most valuable technique when determining if a specific security
control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
B


Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
D


How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
D


Why should the team that will perform and review the risk analysis information
be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn't. It should be a small group brought in from outside the
organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their
department. Thus, it ensures the data going into the analysis is as close to
reality as possible.
D. Because the people in the different departments are the ones causing the risks,
so they should be the ones held accountable.
C


Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss,
and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
C


Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
D


What is COBIT and where does it fit into the development of information
security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
D


What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST SP 800-60
A


OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to
carrying out risk management within companies and organizations. What are the
differences between these methods?
A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is
international.
B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are
corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is
international.
B


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The fact that the server has been in an unlocked room marked "Room 1" for the
last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity
D


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
B


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
A


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000
A


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. -$62,000
D. -$3,000
D


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

Which of the following describes the company's approach to risk management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation
D


A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the single loss expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%
B




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized rate of occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
C


A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized loss expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
C


The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC
27003 outlines the ISMS program's requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC
27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/
IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines
the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
D


The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. Capability Maturity Model Integration should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv
C


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
A. Separation of duties
B. Rotation of duties
C. Mandatory vacations
D. Split knowledge
C


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
A. Separation of duties
B. Rotation of duties
C. Social engineering
D. Split knowledge
A


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,This is an administrative control that provides preventative protection for Todd's organization.
B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.
C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization?
A. Dual control
B. Redundancy
C. Training
D. Baselines
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following is the best way for Susan to illustrate to her boss the dangers of the current configuration issues?
A. Map the configurations to the compliancy requirements.
B. Compromise a system to illustrate its vulnerability.
C. Audit the systems.
D. Carry out a risk assessment.
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following is one of the most likely solutions that Susan will come up with and present to her boss?
A. Development of standards
B. Development of training
C. Development of monitoring
D. Development of testing
A


What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.
C


The purpose of initiating emergency procedures right after a disaster takes place is
to prevent loss of life and injuries, and to _______________.
A. secure the area to ensure that no looting or fraud takes place
B. mitigate further damage
C. protect evidence and clues
D. investigate the extent of the damages
B


Which of the following would you use to control the public distribution, reproduction,
display, and adaptation of an original white paper written by your staff?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
B


Many privacy laws dictate which of the following rules?
A. Individuals have a right to remove any data they do not want others to know.
B. Agencies do not need to ensure that the data is accurate.
C. Agencies need to allow all government agencies access to the data.
D. Agencies cannot use collected data for a purpose different from what they
were collected for.
D


The term used to denote a potential cause of an unwanted incident, which may
result in harm to a system or organization is
A. Vulnerability
B. Exploit
C. Threat
D. Attacker
C


A CISSP candidate signs an ethics statement prior to taking the CISSP
examination. Which of the following would be a violation of the (ISC) 2 Code of
Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP
candidates
B. Submitting comments on the questions of the exam to (ISC) 2
C. Submitting comments to the board of directors regarding the test and content
of the class
D. Conducting a presentation about the CISSP certification and what the
certification means
A


Which of the following has an incorrect definition mapping?
i. Civil (code) law: Based on previous interpretations of laws
ii. Common law: Rule-based law, not precedence-based
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region
A. i, iii
B. i, ii, iii
C. i, ii
D. iv
C


Which of the following statements is true about the information life cycle?
A. The information life cycle begins with its archival and ends with its classification.
B. Most information must be retained indefinitely.
C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.
D. Preparing information for use does not typically involve adding metadata to it.
C


Ensuring data consistency is important for all the following reasons, except
A. Replicated data sets can become desynchronized.
B. Multiple data items are commonly needed to perform a transaction.
C. Data may exist in multiple locations within our information systems.
D. Multiple users could attempt to modify data simultaneously.
B


Which of the following makes the most sense for a single organization's
classification levels for data?
A. Unclassified, Secret, Top Secret
B. Public, Releasable, Unclassified
C. Sensitive, Sensitive But Unclassified (SBU), Proprietary
D. Proprietary, Trade Secret, Private
A


Which of the following is the most important criterion in determining the
classification of data?
A. The level of damage that could be caused if the data were disclosed
B. The likelihood that the data will be accidentally or maliciously disclosed
C. Regulatory requirements in jurisdictions within which the organization is
not operating
D. The cost of implementing controls for the data
A


The effect of data aggregation on classification levels is best described by which of
the following?
A. Data classification standards apply to all the data within an organization.
B. Aggregation is a disaster recovery technique with no effect on classification.
C. A low-classification aggregation of data can be deconstructed into higher-classification data items.
D. Items of low-classification data combine to create a higher-classification set.
D


Who bears ultimate responsibility for the protection of assets within the
organization?
A. Data owners
B. Cyber insurance providers
C. Senior management
D. Security professionals
C


During which phase or phases of the information life cycle can cryptography be
an effective control?
A. Use
B. Archival
C. Disposal
D. All the above
D


A transition into the disposal phase of the information life cycle is most commonly triggered by
A. Senior management
B. Insufficient storage
C. Acceptable use policies
D. Data retention policies
D


Information classification is most closely related to which of the following?
A. The source of the information
B. The information's destination
C. The information's value
D. The information's age
C


The data owner is most often described by all of the following except
A. Manager in charge of a business unit
B. Ultimately responsible for the protection of the data
C. Financially liable for the loss of the data
D. Ultimately responsible for the use of the data
C


Data at rest is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
D


Data in motion is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
C


Data in use is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
B


Who has the primary responsibility of determining the classification level for
information?
A. The functional manager
B. Senior management
C. The owner
D. The user
C


If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
C


What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing
the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
B


Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
D


Which of the following requirements should the data retention policy address?
A. Legal
B. Regulatory
C. Operational
D. All the above
D


Which of the following is not addressed by the data retention policy?
A. What data to keep
B. For whom data is kept
C. How long data is kept
D. Where data is kept
B


Which of the following best describes an application of cryptography to protect data at rest?
A. VPN
B. Degaussing
C. Whole-disk encryption
D. Up-to-date antivirus software
C


Which of the following best describes an application of cryptography to protect data in motion?
A. Testing software against side-channel attacks
B. TLS
C. Whole-disk encryption
D. EDLP
B


Which of the following best describes the mitigation of data remanence by a
physical destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
D


Which of the following best describes the mitigation of data remanence by a
degaussing destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
C


Which of the following best describes the mitigation of data remanence by an
overwriting process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
A


What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
C


What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
B


If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
C


The trusted computing base (TCB) contains which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
D


What is the imaginary boundary that separates components that maintain security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy
D


What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
A


In secure computing systems, why is there a logical form of separation used between processes?
A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only access protection levels above them.
C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.
D. The separation is hardware and not logical in nature.
A


What type of rating is used within the Common Criteria framework?
A. PP
B. EPL
C. EAL
D. A-D
C


Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
A


Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software development team starts to implement so that various business needs can be met
A. ISO/IEC 42010
B. Common Criteria
C. ISO/IEC 43010
D. ISO/IEC 15408
A


Which of the following is an incorrect description pertaining to the common components that make up computer systems?
i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process-characteristic data as in condition bits.
ii. A processor sends a memory address and a "read" request down an address bus and a memory address and a "write" request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process.
A. i
B. i, ii
C. ii, iii
D. ii, iv
D


Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes?
A. Systems must provide symmetric multiprocessing capabilities and virtualized environments.
B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments.
C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments.
D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.
B


Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away.

Which of the following best describes a characteristic of the software that may be causing issues?
A. Cooperative multitasking
B. Preemptive multitasking
C. Maskable interrupt use
D. Nonmaskable interrupt use
A


Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away.

Which of the following best describes why rebooting helps with system performance in the situation described in this scenario?
A. Software is not using cache memory properly.
B. Software is carrying out too many mode transitions.
C. Software is working in ring 0.
D. Software is not releasing unused memory.
D


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes Steve's confusion?
A. Certification must happen first before the evaluation process can begin.
B. Accreditation is the acceptance from management, which must take place efore the evaluation process.
C. Evaluation, certification, and accreditation are carried out by different groups ith different purposes.
D. Evaluation requirements include certification and accreditation components.
C


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?
A. Improved security kernel processes
B. Improved security perimeter processes
C. Improved application programming interface processes
D. Improved garbage collection processes
A


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product?
A. Nonprotected ROM sections
B. Vulnerabilities that allowed malicious code to execute in protected memory sections
C. Lack of a predefined and implemented trusted computing base
D. Lack of a predefined and implemented security kernel
B


John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of vulnerability?
A. Application is written in the C programming language.
B. Application is not carrying out enforcement of the trusted computing base.
C. Application is running in ring 3 of a ring-based architecture.
D. Application is not interacting with the memory manager properly.
A


What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used
A


Why has the frequency of successful brute-force attacks increased?
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.
C


Which of the following is not a property or characteristic of a one-way hash function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the corresponding message.
C. It should be impossible or rare to derive the same digest from two different messages.
D. It converts a message of fixed length to an arbitrary length value.
D


What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.
C


Which of the following is a U.S. federal government algorithm developed for creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm
C


Which of the following best describes the difference between HMAC and CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.
C


What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.
A


What is used to create a digital signature?
A. The receiver's private key
B. The sender's public key
C. The sender's private key
D. The receiver's public key
C


Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of a message
D


How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
A


Why would a certificate authority revoke a certificate?
A. If the user's public key has become compromised
B. If the user changed over to using the PEM model that uses a web of trust
C. If the user's private key has become compromised
D. If the user moved to a new location
C


What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature
B


Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates
D


What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm
C


Who was involved in developing the first public key algorithm?
A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman
D


What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange
D


DES performs how many rounds of transposition/permutation and substitution?
A. 16
B. 32
C. 64
D. 56
A


Which of the following is a true statement pertaining to data encryption when it
is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.
B


If different keys generate the same ciphertext for the same message, what is
this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
D


What is the definition of an algorithm's work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions
D


What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.
B


Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman
B


Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages. A
...


Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA
A


The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process?
A. Hashing values
B. Asymmetric values
C. Salts
D. Passwords
B


When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
A


Which of the following is not a main component of CPTED?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Target hardening
D


Which problems may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes corrosion, and low humidity causes static electricity.
C. High humidity causes power fluctuations, and low humidity causes static electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.
B


What does positive pressurization pertaining to ventilation mean?
A. When a door opens, the air comes in.
B. When a fire takes place, the power supply is disabled.
C. When a fire takes place, the smoke is diverted to one room.
D. When a door opens, the air goes out.
D


Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
D


How does TKIP provide more protection for WLAN environments?
A. It uses the AES algorithm.
B. It decreases the IV size and uses the AES algorithm.
C. It adds more keying material.
D. It uses MAC and IP filtering.
C


Which of the following is not a characteristic of the IEEE 802.11a standard?
A. It works in the 5-GHz range.
B. It uses the OFDM spread spectrum technology.
C. It provides 52 Mbps in bandwidth.
D. It covers a smaller distance than 802.11b.
C


Why are switched infrastructures safer environments than routed networks?
A. It is more difficult to sniff traffic since the computers have virtual private connections.
B. They are just as unsafe as nonswitched environments.
C. The data link encryption does not permit wiretapping.
D. Switches are more intelligent than bridges and implement security mechanisms.
A


Which of the following protocols is considered connection-oriented?
A. IP
B. ICMP
C. UDP
D. TCP
D


Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?
A. Open relay manipulation
B. VLAN hopping attack
C. Hypervisor denial-of-service attack
D. Smurf attack
B


Which of the following proxies cannot make access decisions based upon protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
C


Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component?
A. Orthogonal frequency division
B. Unified threat management modem
C. Virtual firewall
D. Internet Security Association and Key Management Protocol
C


Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?
A. Data link, session, application, transport, and network
B. Data link, transport, application, session, and network
C. Network, session, application, network, and transport
D. Network, transport, application, session, and presentation
A


Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes?
A. Network convergence
B. Security as a service
C. Unified threat management
D. Integrated convergence management
C


Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers?
A. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks.
B. The access layer connects the customer's equipment to a service provider's core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network.
C. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers.
D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.
D


Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?
A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks.
B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity.
C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.
D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.
D


Systems that are built on the OSI framework are considered open systems. What does this mean?
A. They do not have authentication mechanisms configured by default.
B. They have interoperability issues.
C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems.
D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.
C


Which of the following protocols work in the following layers: application, data link, network, and transport?
A. FTP, ARP, TCP, and UDP
B. FTP, ICMP, IP, and UDP
C. TFTP, ARP, IP, and UDP
D. TFTP, RARP, IP, and ICMP
C


What takes place at the data link layer?
A. End-to-end connection
B. Dialog control
C. Framing
D. Data syntax
C


What takes place at the session layer?
A. Dialog control
B. Routing
C. Packet sequencing
D. Addressing
A


Which best describes the IP protocol?
A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction
B. A connectionless protocol that deals with the addressing and routing of packets
C. A connection-oriented protocol that deals with the addressing and routing of packets
D. A connection-oriented protocol that deals with sequencing, error detection, and flow control
B


Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?
A. Authentication protocol used in wireless networks and point-to-point connections
B. Designed to provide authentication for 802.11 WLANs
C. Designed to support 802.1X port access control and Transport Layer Security
D. Designed to support password-protected connections
D


The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP.
A. Session Initiation Protocol
B. Real-time Transport Protocol
C. SS7
D. VoIP
A


Which of the following is not one of the stages of the DHCP lease process?
i. Discover
ii. Offer
iii. Request
iv. Acknowledgment
A. All of them
B. None of them
C. i, ii
D. ii, iii
B


An effective method to shield networks from unauthenticated DHCP clients is
through the use of _______________ on network switches.
A. DHCP snooping
B. DHCP protection
C. DHCP shielding
D. DHCP caching
A


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What type of client ports should Don make sure the institution's software is using when client-to-server communication needs to take place?
A. Well known
B. Registered
C. Dynamic
D. Free
C


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

Which of the following is a cost-effective countermeasure that Don's team should implement?
A. Stateful firewall
B. Network address translation
C. SYN proxy
D. IPv6
C


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What should Don's team put into place to stop the masquerading attacks that have been taking place?
A. Dynamic packet filter firewall
B. ARP spoofing protection
C. Disable unnecessary ICMP traffic at edge routers
D. SRPC
D


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is most likely the issue that Grace's team experienced when their systems went offline?
A. Three critical systems were connected to a dual-attached station.
B. Three critical systems were connected to a single-attached station.
C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems.
D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.
B


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is the best type of fiber that should be implemented in
this scenario?
A. Single mode
B. Multimode
C. Optical carrier
D. SONET
B


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is the best and most cost-effective countermeasure for Grace's team to put into place?
A. Network address translation
B. Disallowing unnecessary ICMP traffic coming from untrusted networks
C. Application-based proxy firewall
D. Screened subnet using two firewalls from two different vendors
B


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic?
A. SNMP v3
B. L2TP
C. CHAP
D. Dynamic packet filtering firewall
A


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.
Which of the following unauthorized activities have most likely been taking place
in this situation?
A. DNS querying
B. Phishing
C. Forwarding
D. Zone transfer
D


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure that John's team should implement to protect from improper caching issues?
A. PKI
B. DHCP snooping
C. ARP protection
D. DNSSEC
D


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers?
A. TCP sequence hijacking is taking place.
B. Source routing is not restricted.
C. Fragment attacks are underway.
D. Attacker is tunneling communication through PPP.
B


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes the firewall configuration issues Sean's team member is describing?
A. Clean-up rule, stealth rule
B. Stealth rule, silent rule
C. Silent rule, negate rule
D. Stealth rule, silent rule
C


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes why Sean's team wants to put in the mentioned countermeasure for the most commonly attacked systems?
A. Prevent production system hijacking
B. Reduce DoS attack effects
C. Gather statistics during the process of an attack
D. Increase forensic capabilities
B


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

What should Tom's team implement to provide source authentication and data encryption at the data link level?
A. IEEE 802.1AR
B. IEEE 802.1AE
C. IEEE 802.1AF
D. IEEE 802.1X
D


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

Which of the following solutions is best to meet the company's need to protect wireless traffic?
A. EAP-TLS
B. EAP-PEAP
C. LEAP
D. EAP-TTLS
D


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

Which of the following is the best solution to meet the company's need for broadband wireless connectivity?
A. WiMAX
B. IEEE 802.12
C. WPA2
D. IEEE 802.15
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling?
A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device.
B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device.
C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device.
D. IPv6 should be disabled on all systems.
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Which of the following is the best countermeasure for the attack type addressed in the scenario?
A. DNSSEC
B. IPSec
C. Split server configurations
D. Disabling zone transfers
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Which of the following technologies should Lance's team investigate for increased
authentication efforts?
A. Challenge Handshake Authentication Protocol
B. Simple Authentication and Security Layer
C. IEEE 802.2AB
D. EAP-SSL
B


Wireless LAN technologies have gone through different versions over the years
to address some of the inherent security issues within the original IEEE 802.11
standard. Which of the following provides the correct characteristics of Wi-Fi
Protected Access 2 (WPA2)?
A. IEEE 802.1X, WEP, MAC
B. IEEE 802.1X, EAP, TKIP
C. IEEE 802.1X, EAP, WEP
D. IEEE 802.1X, EAP, CCMP
D


Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message?
A. PPTP
B. S/MIME
C. Link encryption
D. SSH
B


Charlie uses PGP on his Linux-based email client. His friend Dave uses S/MIME on his Windows-based email. Charlie is unable to send an encrypted email to Dave. What is the likely reason?
A. PGP and S/MIME are incompatible
B. Each has a different secret key
C. Each is using a different CA
D. There is not enough information to determine the likely reason
A


1. Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.
B


2. Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.
C


3. How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user's password against a database of stored credentials.
D


4. Which access control method is considered user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary
B


5. Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
A


6. If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary
A


7. The process of mutual authentication involves _______________.
A. a user authenticating to a system and the system authenticating to the user
B. a user authenticating to two systems at the same time
C. a user authenticating to a server and then to a process
D. a user authenticating, receiving a ticket, and then authenticating to a service
A


8. In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security officer
C. Security policy
D. Owner
D


9. Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User's workstation
C. Logon credentials
D. RADIUS
A


10. What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability
C


11. Who or what determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels
B


12. Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.
C


13. Which of the following is the best description of directories that are used in identity management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDAP.
A


14. Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration
B


15. What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization
D


16. Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly-based
B. Protocol anomaly-based
C. Temporal anomaly-based
D. Traffic anomaly-based
C


20. Which of the following has the correct term-to-definition mapping?
i. Brute-force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user's password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii
C


21. George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?
A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).
B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, malicious activities are not identified (false positives).
C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives).
D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).
C


22. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following changes would be best for Tom's team to implement?
A. Move from namespaces to distinguished names.
B. Move from meta-directories to virtual directories.
C. Move from RADIUS to TACACS+.
D. Move from a centralized to a decentralized control model.
B


23. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following components should Tom make sure his team puts into place?
A. Single sign-on module
B. LDAP directory service synchronization
C. Web access management
D. X.500 database
C


24. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company's help-desk budgetary issues?
A. Self-service password support
B. RADIUS implementation
C. Reduction of authoritative IdM sources
D. Implement a role-based access control model
A


25. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company's needs?
A. LDAP directories for authoritative sources
B. Digital identity provisioning
C. Active Directory
D. Federated identity
D


26. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team?
A. Service Provisioning Markup Language and the Extensible Access Control Markup Language
B. Standard Generalized Markup Language and the Generalized Markup Language
C. Extensible Markup Language and the HyperText Markup Language
D. Service Provisioning Markup Language and the Generalized Markup Language
A


27. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Pertaining to the CEO's security concerns, what should Lenny suggest the company put into place?
A. Security event management software, an intrusion prevention system, and behavior-based intrusion detection
B. Security information and event management software, an intrusion detection system, and signature-based protection
C. An intrusion prevention system, security event management software, and malware protection
D. An intrusion prevention system, security event management software, and war-dialing protection
A


28. Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

Which of the following is the best remote access technology for this situation?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
C


29. Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

What are the two main security concerns Robbie is most likely being asked to identify and mitigate?
A. Social engineering and spear-phishing
B. War dialing and pharming
C. Spear-phishing and war dialing
D. Pharming and spear-phishing
C


30. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following best describes what is currently in place?
A. Capability-based access system
B. Synchronous tokens that generate one-time passwords
C. RADIUS
D. Kerberos
A


31. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following is one of the easiest and best solutions Tanya can consider for proper data protection?
A. Implementation of mandatory access control
B. Implementation of access control lists
C. Implementation of digital signatures
D. Implementation of multilevel security
B


32. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following is the best single sign-on technology for this situation?
A. PKI
B. Kerberos
C. RADIUS
D. TACACS+
B


33. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

Which of the following best describes the type of environment Harry's team needs to set up?
A. RADIUS
B. Service-oriented architecture
C. Public key infrastructure
D. Web services
B


34. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?
A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language
B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language
C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol
D. Service Provisioning Markup Language, Security Association Markup Language
C


35. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

The company's partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue?
A. Service Provisioning Markup Language
B. Simple Object Access Protocol
C. Extensible Access Control Markup Language
D. Security Assertion Markup Language
D


Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information.
C


All of the following are steps in the security audit process except which one?
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.
B


Which of the following is an advantage of using third-party auditors? A. They may have knowledge that an organization wouldn't otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports.
A


Choose the term that describes an audit report that covers the information security controls of a service organization and is intended for public release.
A. SOC 1
B. SOC 2
C. SOC 3
D. Both B and C.
C


Which of the following is true of a vulnerability assessment?
A. The aim is to identify as many vulnerabilities as possible.
B. It is not concerned with the effects of the assessment on other systems.
C. It is a predictive test aimed at assessing the future performance of a system.
D. Ideally the assessment is fully automated with no human involvement.
A


An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as
A. Physical testing
B. Personnel testing
C. Vulnerability testing
D. Network testing
B


Which of the following is an assessment that affords the auditor detailed knowledge of the system's architecture before conducting the test?
A. White box testing
B. Gray box testing
C. Black box testing
D. Zero knowledge testing
A


Vulnerability scans normally involve all of the following except which one?
A. The identification of active hosts on the network
B. The identification of malware on all hosts
C. The identification of misconfigured settings
D. The identification of operating systems
B


Security event logs can best be protected from tampering by which one of the following?
A. Encrypting the contents using asymmetric key encryption
B. Ensuring every user has administrative rights on their own workstations
C. Using remote logging over simplex communications media
D. Storing the event logs on DVD-RW
C


Synthetic transactions are best described as
A. Real user monitoring (RUM)
B. Transactions that fall outside the normal purpose of a system
C. Transactions that are synthesized from multiple users' interactions with the system
D. A way to test the behavior and performance of critical services
D


Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal?
A. Misuse case testing
B. Use case testing
C. Real user monitoring (RUM)
D. Fuzzing
A


Code reviews include all the following except which one?
A. Ensuring the code conforms to applicable coding standards
B. Discussing bugs, design issues, and anything else that comes up about the code
C. Agreeing on a "disposition" for the code
D. Fuzzing the code
D


Interface testing could involve which of the following?
A. The application programming interface (API)
B. The graphical user interface (GUI)
C. Both of the above
D. None of the above
C


One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this?
A. Rebooting the compromised host
B. Exporting the password hash table
C. Pivoting from the compromised host to another target
D. Adding a privileged user account
D


Which of the following is not normally an element of user accounts management audits?
A. Password hashing
B. Signed AUPs
C. Privileged accounts
D. Suspended accounts
A


How might one test adherence to the user accounts policy?
A. User self-reporting
B. Penetration testing
C. Management review
D. User records auditing
D


Which operating systems allows users to temporarily elevate their privileges in order to launch an application at a higher privilege level?
A. All major desktop operating systems
B. Recent versions of Windows
C. Linux and Windows
D. Recent versions of Mac OS X
A


All of the following are normally legitimate reasons to suspend rather than delete user accounts except which one?
A. Regulatory compliance
B. Protection of the user's privacy
C. Investigation of a subsequently discovered event
D. Data retention policy
B


Data backup verification efforts should
A. Have the smallest scope possible
B. Be based on the threats to the organization
C. Maximize impact on business
D. Focus on user data
B


Why would an organization need to periodically test disaster recovery and business continuity plans if they've already been shown to work?
A. Environmental changes may render them ineffective over time.
B. It has low confidence in the abilities of the testers.
C. To appease senior leadership.
D. Resources may not be available in the future to test again.
A


All of the following are types of tests for disaster recovery and business continuity plans except which one?
A. Structured walk-through test
B. Simulation test
C. Null hypothesis test
D. Full-interruption test
C


What is the difference between security training and security awareness training?
A. Security training is focused on skills, while security awareness training is focused on recognizing and responding to issues.
B. Security training must be performed, while security awareness training is an aspirational goal.
C. Security awareness training is focused on security personnel, while security training is geared toward all users.
D. There is no difference. These terms refer to the same process.
A


Which of the following is not a form of social engineering?
A. Pretexting
B. Fishing
C. Whaling
D. Blackmailing
B


What is a key performance indicator (KPI)?
A. Any attribute of the ISMS that can be described as a value
B. The value of a factor at a particular point in time
C. A derived value that is generated by comparing multiple measurements against each other or against a baseline
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS
D


Which of the following is true about key risk indicators (KRIs)?
A. They tell managers where an organization stands with regard to its goals.
B. They are inputs to the calculation of single loss expectancy (SLE).
C. They tell managers where an organization stands with regard to its risk appetite.
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS.
C


Which of the following is true of management reviews?
A. They happen periodically and include results of audits as a key input.
B. They happen in an ad hoc manner as the needs of the organization dictate.
C. They are normally conducted by mid-level managers, but their reports are presented to the key business leaders.
D. They are focused on assessing the management of the information systems.
A


What is the difference between due care and due diligence?
A. Due care is the continual effort to ensure that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations.
B. Due care is based on the prudent person concept, whereas due diligence is not.
C. They mean the same thing.
D. Due diligence involves investigating the risks, whereas due care involves carrying out the necessary steps to mitigate these risks.
D


Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure the employee does not get burnt out.
C


Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the company's resources.
B


If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values
C


Why is it important to control and audit input and output values?
A. Incorrect values can cause mistakes in data processing and be evidence of fraud.
B. Incorrect values can be the fault of the programmer and do not comply with the due care clause.
C. Incorrect values can be caused by brute-force attacks.
D. Incorrect values are not security issues.
A


What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
D. They are two different terms for the same issue.
C


Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server
A


A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses will carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.
A


What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server.
A


When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place
A


Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.
B


What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.
C


Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls
C


What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices
D


Which is not a drawback to installing intrusion detection and monitoring systems?
A. It's expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It's subject to false alarms.
B


What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad
D


If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.
A


Which of the following best describes the difference between a warded lock and
a tumbler lock?
A. A tumbler lock is more simplistic and easier to circumvent than a warded lock.
B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders.
C. A tumbler lock has more components than a warded lock.
D. A warded lock is mainly used externally, and a tumbler lock is used internally.
C


All of the following are best practices for controlling the software that is installed and authorized to run in our systems except which?
A. Application whitelisting
B. Code reviews
C. Gold Masters
D. Least privilege
B


You come across an advanced piece of polymorphic malware that uses a custom communications protocol for network traffic. This protocol has a distinctive signature in its header. Which tool is best suited to mitigate this malware by preventing the packets from traversing the network?
A. Antimalware
B. Stateful firewall
C. Intrusion detection system (IDS)
D. Intrusion prevention system (IPS)
D


Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the company's parking lot
B


Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types
B


Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within to minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.
D


Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.
A


Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment
D


After a computer forensic investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container
B. Dust the evidence for fingerprints
C. Make an image copy of the disks
D. Lock the evidence in the safe
C


Which of the following is a necessary characteristic of evidence for it to
be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.
C


If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be called?
A. Incident recovery response
B. Entrapment
C. Illegal
D. Enticement
D


An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following?
A. A virus
B. A Trojan horse
C. A worm
D. A logic bomb
B


Which of the following best describes the term DevOps?
A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects.
B. A multidisciplinary development team with representatives from many or all the stakeholder populations.
C. The operationalization of software development activities to support just-in- time delivery.
D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning.
A


A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action?
A. Disinfect the file and contact the vendor
B. Back up the data and disinfect the file
C. Replace the file with the file saved the day before
D. Restore an uninfected version of the patched file from backup media
D


What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
B


Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
C


Which of the following techniques or set of techniques is used to deter database inference attacks?
A. Partitioning, cell suppression, and noise and perturbation
B. Controlling access to the data dictionary
C. Partitioning, cell suppression, and small query sets
D. Partitioning, noise and perturbation, and small query sets
A


When should security first be addressed in a project?
A. During requirements development
B. During integration testing
C. During design specifications
D. During implementation
A


An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following?
A. Roll back and rewrite over original data
B. Terminate all transactions until properly addressed
C. Write a report to be reviewed
D. Checkpoint each data entry
C


Which of the following are rows and columns within relational databases?
A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes
D


Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement thecharacteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test?
i. Atomicity Divides transactions into units of work and ensures that all modifications take effect or none takes effect.
ii. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
iii. Isolation Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.
A. i, ii
B. ii. iii
C. ii, iv
D. iv
D


The software development life cycle has several phases. Which of the following lists these phases in the correct order?
A. Requirements gathering, design, development, maintenance, testing, release
B. Requirements gathering, design, development, testing, release
C. Prototyping, build and fix, increment, test, maintenance
D. Prototyping, testing, requirements gathering, integration, testing
B


John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out?
i. Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions.
ii. Integration testing Verifying that components work together as outlined in design specifications.
iii. Acceptance testing Ensuring that the code meets customer requirements.
iv. Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection.
A. i, ii
B. ii, iii
C. i, ii, iv
D. i, ii, iii, iv
D


Tim is a software developer for a financial institution. He develops middleware software code that carries out his company's business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over time. Which of the following best describes what Tim should implement to rid this software of this type of problem?
A. Bounds checking
B. Garbage collector
C. Parameter checking
D. Compiling
B


Marge has to choose a software development model that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of model her team should follow?
A. Cleanroom
B. Joint Analysis Development (JAD)
C. Rapid Application Development (RAD)
D. Reuse model
A


__________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR
C


Which of the following is the second level of the Capability Maturity Model
Integration?
A. Repeatable
B. Defined
C. Managed
D. Optimizing
A


One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic?
A. The building blocks of software are autonomous objects, cooperating through the exchange of messages.
B. The internal components of an object can be redefined without changing other parts of the system.
C. Classes are reused by other programs, though they may be refined through inheritance.
D. Object-oriented analysis, design, and modeling map to business needs and solutions.
D


Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field?
A. Traversal attack
B. Unicode encoding attack
C. URL encoding attack
D. Buffer overflow attack
B


Which of the following has an incorrect attack to definition mapping?
A. EBJ XSS attack Content processing stages performed by the client, typically in client-side Java.
B. Nonpersistent XSS attack Improper sanitation of response from a web client.
C. Persistent XSS attack Data provided by attackers is saved on the server.
D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript.
A


John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement?
A. Relational database
B. Object-relational database
C. Network database
D. Dynamic-static
B


ActiveX Data Objects (ADO) is an API that allows applications to access back- end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO?
i. It's a low-level data access programming interface to an underlying data access technology (such as OLE DB).
ii. It's a set of COM objects for accessing data sources, not just database access.
iii. It allows a developer to write programs that access data without knowing how the database is implemented.
iv. SQL commands are required to access a database when using ADO.
A. i, iv
B. ii, iii
C. i, ii, iii
D. i, ii, iii, iv
A


Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services?
i. A semantic integrity mechanism makes sure structural and semantic rules are enforced.
ii. A database has referential integrity if all foreign keys reference existing primary keys.
iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.
A. ii
B. ii, iii
C. i, ii, iii
D. i, ii
C


Which of the following is not very useful in assessing the security of acquired software?
A. The reliability and maturity of the vendor
B. The NIST's National Software Reference Library
C. Third-party vulnerability assessments
D. In-house code reviews
B


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario?
A. Computer-aided software engineering tools
B. Software configuration management
C. Software development life-cycle management
D. Software engineering best practices
B


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which is the best software architecture that Sandy should introduce her team to for effective business application use?
A. Distributed component object architecture
B. Simple Object Access Protocol architecture
C. Enterprise JavaBeans architecture
D. Service-oriented architecture
D


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which best describes the approach Sandy's team member took when creating the business-oriented software package mentioned within the scenario?
A. Software as a Service
B. Cloud computing
C. Web services
D. Mashup
D


Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are?
A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service's specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
B. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
C. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. The Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service.
D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service.
B


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Which of the following best describes attacks that could be taking place against this organization?
A. Cross-site scripting and certification stealing
B. URL encoding and directory traversal attacks
C. Parameter validation manipulation and session management attacks
D. Replay and password brute-force attacks
B


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Which of the following functions is the web server software currently carrying out, and what is an associated security concern Brad should address?
A. The web server should carry out a secondary set of input validation rules on the presented data before processing it.
B. Server-side includes validation The web server should carry out a secondary set of input validation rules on the presented data before processing it.
C. Data Source Name logical naming access The web server should be carrying out a second set of reference integrity rules.
D. Data Source Name logical naming access The web server should carry out a secondary set of input validation rules on the presented data before processing it.
A


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with?
A. Parameter validation attack
B. Injection attack
C. Cross-site scripting
D. Database connector attack
B


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

Based upon this scenario, what is most likely the biggest risk Josh's company needs to be concerned with?
A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh's company.
B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet.
C. Impact on reputation if the customer base finds out about the attack.
D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.
A


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

The attackers in this situation would be seen as which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Threat agent
D


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively?
A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data.
B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened.
C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data.
D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.
C


Aaron is a security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement?
A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS
C


Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security
C


It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the
A. Federal Privacy Act
B. PATRIOT Act
C. Fourth Amendment of the Constitution
D. Bill of Rights
C


Jane is suspicious that an employee is sending sensitive data to one of the company's competitors. The employee has to use this data for daily activities, thus it is difficult to properly restrict the employee's access rights. In this scenario, which best describes the company's vulnerability, threat, risk, and necessary control?
A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring.
B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user monitoring.
C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication.
D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.
B


Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces an enterprise-wide security policy, standards, and guidelines.
C


Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company's policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration?
A. Each country may or may not have unique notification requirements.
B. All breaches must be announced to affected parties within 24 hours.
C. Breach notification is a "best effort" process and not a guaranteed process.
D. Breach notifications are avoidable if all PII is removed from data stores.
A


A software development company released a product that committed several errors that were not expected once deployed in their customers' environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted?
A. Unit
B. Compiled
C. Integration
D. Regression
D


It is important to choose the right risk analysis methodology to meet the goals of the organization's needs. Which of the following best describes when the risk management standard AS/NZS 4360 should be used?
A. When there is a need to assess items of an organization that are directly related to information security
B. When there is a need to assess items of an organization that are not just restricted to information security
C. When a qualitative method is needed to prove the compliance levels as they pertain to regulations
D. When a qualitative method is needed to prove the compliance levels as they pertain to laws
B


Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?
A. Evaluation, accreditation, certification
B. Evaluation, certification, accreditation
C. Certification, evaluation, accreditation
D. Certification, accreditation, evaluation
B


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which of the following approaches has been implemented in this scenario?
A. Defense-in-depth
B. Security through obscurity
C. Information security management system
D. BS 17799
B


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which ISO/IEC standard would be best for Jack to follow to meet his goals?
A. ISO/IEC 27002
B. ISO/IEC 27004
C. ISO/IEC 27005
D. ISO/IEC 27006
C


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which standard should Jack suggest to his boss for compliance?
A. BS 17799
B. ISO/IEC 27004
C. ISO/IEC 27799
D. BS 7799:2011
C


An operating system maintains several processes in memory at the same time. The processes can only interact with the CPU during their assigned time slices since there is only one CPU and many processes. Each process is assigned an interrupt value to allow for this type of time slicing to take place. Which of the following best describes the difference between maskable and nonmaskable interrupts?
A. A maskable interrupt is assigned to a critical process, and a nonmaskable interrupt is assigned to a noncritical process.
B. A maskable interrupt is assigned to a process in ring 0, and a nonmaskable interrupt is assigned to a process in ring 3.
C. A maskable interrupt is assigned to a process in ring 3, and a nonmaskable interrupt is assigned to a process in ring 4.
D. A maskable interrupt is assigned to a noncritical process, and a nonmaskable interrupt is assigned to a critical process.
D


The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit?
A. SSL
B. VPN
C. IEEE 802.1x
D. Whole-disk encryption
B


There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?
A. Best evidence
B. Corroborative evidence
C. Conclusive evidence
D. Direct evidence
B


A(n) _____ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.
A. Anti-spoofing symbol
B. CAPTCHA
C. Spam anti-spoofing symbol
D. CAPCHAT
B


Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position?
A. Ensuring that company financial information is correct and secure
B. Ensuring that customer, company, and employee data is protected
C. Ensuring that security policies are defined and enforced
D. Ensuring that partner information is kept safe
B


A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed?
Develop a risk management team
Calculate the value of each asset
Identify the vulnerabilities and threats that can affect the identified assets
Identify company assets to be assessed
A. 1, 3, 2, 4
B. 2, 1, 4, 3
C. 3, 1, 4, 2
D. 1, 4, 2, 3
D


Jack needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn't want to wait for the users to report problems. Which of the following techniques should Jack use?
A. Real user monitoring
B. Synthetic transactions
C. Log reviews
D. Management review
B


Which of the following best describes a technical control for dealing with the risks presented by data remanence?
A. Encryption
B. Data retention policies
C. File deletion
D. Using solid-state drives (SSD)
A


George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank's customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation?
A. Web servers were compromised through cross-scripting attacks.
B. TLS connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with Trojan horses that installed keyloggers.
D. Web servers were compromised and masquerading attacks were carried out.
C


Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers
B


In what order would a typical PKI infrastructure perform the following transactions?
Receiver decrypts and obtains session key.
Sender requests receiver's public key.
Public key is sent from a public directory.
Sender sends a session key encrypted with receiver's public key.
A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1 C


Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following is the best solution for this company to implement as it pertains to the first issue addressed in the scenario?
A. Event correlation tools
B. Intrusion detection systems
C. Security information and event management
D. Security event correlation management tools
C


Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following best describes why Tim should be concerned about the second issue addressed in the scenario?
A. Software and devices that are scanning traffic for suspicious activity may only be configured to evaluate one system type.
B. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate one service type.
C. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate two protocol types.
D. Software and devices that are monitoring traffic for suspicious activity may only be configured to evaluate one traffic type.
D


Which of the following is not a concern of a security professional considering adoption of Internet of Things (IoT) devices?
A. Weak or nonexistent authentication mechanisms
B. Vulnerability of data at rest and data in motion
C. Difficulty of deploying patches and updates
D. High costs associated with connectivity
D


What type of rating system is used within the Common Criteria structure?
A. PP
B. EPL
C. EAL
D. A-D
C


31.____, a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.
____ is an XML-based framework being developed by OASISfor exchanging user, resource, and service provisioning information between cooperating organizations.
A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML)
B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML)
C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML)
D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)
B


Doors configured in fail-safe mode assume what position in the event of a powerfailure?
A. Open and locked
B. Closed and locked
C. Closed and unlocked
D. Open
C


Next-generation firewalls combine the best attributes of other types of firewalls. Which of the following is not a common characteristic of these firewall types?
A. Integrated intrusion prevention system
B. Sharing signatures with cloud-based aggregators
C. Automated incident response
D. High cost
C


The purpose of security awareness training is to expose personnel to security issues so that they may be able to recognize them and better respond to them. Which of the following is not normally a topic covered in security awareness training?
A. Social engineering
B. Phishing
C. Whaling
D. Trolling
D


Zack is a security consultant who has been hired to help an accounting company improve some of their current e-mail secu- rity practices. The company wants to ensure that when their clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for their current mail server and clients.

Which of the following best describes how client messages can be dealt with and addresses the first issue outlined in the scenario?
A. The company needs to integrate a public key infrastructure and the Diameter protocol.
B. Clients must encrypt messages with their public key before sending them to the accounting company.
C. The company needs to have all clients sign a formal document outlining nonrepudiation requirements.
D. Clients must digitally sign messages that contain financial information.
D


Zack is a security consultant who has been hired to help an accounting company improve some of their current e-mail secu- rity practices. The company wants to ensure that when their clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for their current mail server and clients.

Which of the following would be the best solution to integrate to meet the authentication requirements outlined in the scenario?
A. TLS
B. IPSec
C. 802.1x
D. SASL
D


Rennie needs to ensure that the BCP project will be successful. His manager has asked him to carry out a SWOT analysis to ensure that the defined objectives within the scope can be accomplished and to identify issues that could impede the necessary success and productivity required of the project as a whole. Which of the following is not considered to be a basic tenet of a SWOT analysis?
A. Strengths: Characteristics of the project team that give it an advantage over others
B. Weaknesses: Characteristics that place the team at a disadvantage relative to others
C. Opportunities: Elements that could contribute to the project's success
D. Trends: Elements that could contribute to the project's failure
D


A ____ is the amount of time it should take to recover from a is the amount of data, measured in time, that can
disaster, and a ____ be lost and be tolerable from that same event.
A. recovery time objective, recovery point objective
B. recovery point objective, recovery time objective
C. maximum tolerable downtime, work recovery time
D. work recovery time, maximum tolerable downtime
A


Mary is playing around on her computer late at night and discovers a way to compromise a small company's personnel files. She decides to take a look around, but does not steal any information. Is she still committing a crime even if she does not steal any of the information?
A. No, since she does not steal any information, she is not committing a crime.
B. Yes, she has gained unauthorized access.
C. Not if she discloses the vulnerability she exploited to the company.
D. Yes, she could jeopardize the system without knowing it.
B


In the structure of Extensible Access Control Markup Language (XACML), a Subject element is the ____ , a Resource element is the ____ , and an Action element is the ____.
A. requesting entity, requested entity, types of access
B. requested entity, requesting entity, types of access
C. requesting entity, requested entity, access control
D. requested entity, requesting entity, access control
A


The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its ____, disregarding its current location in the Internet. While away from its home network, a mobile node is associated with a ____.
A. prime address, care-of address
B. home address, care-of address
C. home address, secondary address
D. prime address, secondary address
B


Instead of managing and maintaining many different types of security products and solutions, Joan wants to purchase a product that combines many technologies into one appliance. She would like to have centralized control, streamlined maintenance, and a reduction in stove pipe security solutions. Which of the following would best fit Joan's needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS\IPS integration
D. Unified threat management
D


Why is it important to have a clearly defined incident-handling process in place?
A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and confusing manner
B. To provide a quick reaction to a threat so that a company can return to normal operations as soon as possible
C. To provide a uniform approach with certain expectations of the results
D. All of the above
D


Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules?
A. Council of Global Convention on Cybercrime
B. Council of Europe Convention on Cybercrime
C. Organisation for Economic Co-operation and Development
D. Organisation for Cybercrime Co-operation and Development
C


System ports allow different computers to communicate with each other's services and protocols. Internet Corporation for Assigned Names and Numbers has assigned registered ports to be ____ and dynamic ports to be ____.
A. 0-1024, 49152-65535
B. 1024-49151, 49152-65535
C. 1024-49152, 49153-65535
D. 0-1024, 1025-49151
B


When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the following provides the correct formula to understand the value of a safeguard?
A. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
B. (ALE before implementing safeguard) - (ALE during implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
C. (ALE before implementing safeguard) - (ALE while implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
D. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of asset) = value of safeguard to the company
A


Patty is giving a presentation next week to the executive staff of her company. She wants to illustrate the benefits of the company using specific cloud computing solutions. Which of the following does not properly describe one of these benefits
or advantages?
A. Organizations have more flexibility and agility in IT growth and functionality.
B. Cost of computing can be increased since it is a shared delivery model.
C. Location independence can be achieved because the computing is not centralized and tied to a physical data center.
D. Scalability and elasticity of resources can be accomplished in near real-time through automation.
B


Frank is the new manager of the in-house software designers and programmers. He has been telling his team that before design and programming on a new product begins, a formal architecture needs to be developed. He also needs this team to understand security issues as they pertain to soft- ware design. Frank has shown the team how to follow a systematic approach that allows them to understand how different compromises could take place with the software prod- ucts they develop.

Which of the following best describes what an architecture is in the context of this scenario?
A. Tool used to conceptually understand the structure and behavior of a complex entity through different views
B. Formal description and representation of a system and the components that make it up
C. Framework used to create individual architectures with specific views
D. Framework that is necessary to identify needs and meet all of the stakeholder requirements
A


Frank is the new manager of the in-house software designers and programmers. He has been telling his team that before design and programming on a new product begins, a formal architecture needs to be developed. He also needs this team to understand security issues as they pertain to soft- ware design. Frank has shown the team how to follow a systematic approach that allows them to understand how different compromises could take place with the software prod- ucts they develop.

Which of the following best describes the approach Frank has shown his team as outlined in the scenario?
A. Attack surface analysis
B. Threat modeling
C. Penetration testing
D. Double-blind penetration testing
B


Barry was told that the IDS product that is being used on the network has heuristic capabilities. Which of the following best describes this functionality?
A. Gathers packets and reassembles the fragments before assigning anomaly values
B. Gathers data to calculate the probability of an attack taking place
C. Gathers packets and compares their payload values to a signature engine
D. Gathers packet headers to determine if something suspicious is taking place within the network traffic
B


Bringing in external auditors has advantages over using an internal team. Which
of the following is not true about using external auditors?
A. They are required by certain governmental regulations.
B. They bring experience gained by working in many other organizations.
C. They know the organization's processes and technology better than anyone else.
D. They are less influenced by internal culture and politics.
C


Don is a senior manager of an architectural firm. He has just found out that a key contract was renewed, allowing the company to continue developing an operating system that was idle for several months. Excited to get started, Don begins work on the operating system privately, but cannot tell his staff until the news is announced publicly in a few days. However, as Don begins making changes in the software, various staff members notice changes in their connected systems, even though they work in a lower security level. What kind of model could be used to ensure this does not happen?
A. Biba
B. Bell-LaPadula
C. Noninterference
D. Clark-Wilson
C


Betty has received several e-mail messages from unknown sources that try and entice her to click a specific link using a "Click Here" approach. Which of the following best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bidirectional injection attack
B


Rebecca is an internal auditor for a large retail company. The company has a number of web applications that run critical business processes with customers and partners around the world. Her company would like to ensure the security of technical controls on these processes. Which of the following would not be a good approach to auditing these technical controls?
A. Log reviews
B. Code reviews
C. Personnel background checks
D. Misuse case testing
C


Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing
D


In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols?
A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control
information to provide feedback on QoS levels.
B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels.
C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide
feedback on QoS levels.
D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control
information to provide feedback on QoS levels.
D


ISO/IEC 27031:2011 is an international standard for business continuity that organizations can follow. Which of the following is a correct characteristic of this standard?
A. Guidelines for information and communications technology readiness for business continuity
B. ISO/IEC standard that is a component of the overall BS 7999 series
C. Standard that was developed by NIST and evolved to be an international standard
D. Component of the Safe Harbor requirements
A


A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. This can normally be accomplished in all the following ways except which one?
A. Compromising an existing privileged account
B. Creating a new privileged account
C. Deleting the /etc/passwd file
D. Elevating the privileges of an existing account
C


IPSec's main protocols are AH and ESP. Which of the following services does AH provide?
A. Confidentiality and authentication
B. Confidentiality and availability
C. Integrity and accessibility
D. Integrity and authentication
D


When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for?
A. Availability, confidentiality, integrity, durability
B. Availability, consistency, integrity, durability
C. Atomicity, confidentiality, isolation, durability
D. Atomicity, consistency, isolation, durability
D


Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers.

Which of the following services would allow Jim to transition all administrative custom applications to the cloud while leveraging the service provider for security and patching of the cloud platforms?
A. IaaS
B. PaaS
C. SaaS
D. IDaaS
B


Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers.

Which of the following would not be an issue that Jim would have to consider in transitioning administrative services to the cloud?
A. Privacy and data breach laws in the country where the cloud servers are located
B. Loss of efficiencies, performance, reliability, scalability, and security
C. Security provisions in the terms of service
D. Total cost of ownership compared to the current systems
B


Henry is the team leader of a group of software designers. They are at a stage in their software development project where they need to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege level as much as possible, and eliminate unnecessary services. Which of the following best describes the first step the team needs to carry out to accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing
A


Jenny needs to engage a new software development company to create he company's internal banking software. It will need to be created specifically for her company's environment, so it must be proprietary in nature. Which of the following would be useful for Jenny to use as a gauge to determine how advanced and mature the various software development companies are in their processes?
A. SaS 70
B. Capability Maturity Model Integration level
C. Auditing results
D. Key performance metrics
B


Which of the following is a representation of the logical relationship between elements of data and dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements?
A. Data element
B. Array
C. Secular component
D. Data structure
D


Kerberos is a commonly used access control and authentication technology. It is important to understand what the technology can and cannot do and its potential downfalls. Which of the following is not a potential security issue that must be addressed when using Kerberos?
i. The KDC can be a single point of failure.
ii. The KDC must be scalable.
iii. Secret keys are temporarily stored on the users' workstations.
iv. Kerberos is vulnerable to password guessing.
A. i, iv
B. iii
C. All of them
D. None of them
D


If the ALE for a specific asset is $100,000, and after implementation of the control the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. It depends on the ARO
A


ISO/IEC 27000 is a growing family of ISO/IEC information security management system (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002: Code of practice for information security management
B. ISO/IEC 27003: Guideline for ISMS implementation
C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems
D


When a CPU is passed an instruction set and data to be processed and the program status word (PSW) register contains a value indicating that execution should take place in privileged mode, which of the following would be considered true?
A. Operating system is executing in supervisory mode
B. Request came from a trusted process
C. Functionality that is available in user mode is not available
D. An untrusted process submitted the execution request
B


Encryption and decryption can take place at different layers of an Operating system, application, and network stack. End-to-end encryption happens within the ____ layer. IPSec encryption takes place at the ____ layers. PPTP encryption takes place at the ____ layer. Link encryption takes place at the ____ and ____ layers.
A. applications, transport, data link, data link, physical
B. applications, transport, network, data link, physical
C. applications, network, data link, data link, physical
D. network, transport, data link, data link, physical
C


Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
A


Which legal system is characterized by its reliance on previous interpretations of the law?
A. Tort
B. Customary
C. Common
D. Civil (code)
C


In order to be admissible in court, evidence should normally be which of the following?
A. Subpoenaed
B. Relevant
C. Motioned
D. Adjudicated
B


A fraud analyst with a national insurance company uses database tools every day to help identify violations and identify relationships between the captured data through the uses of rule discovery. These tools help identify relationships among a wide variety of information types. What kind of knowledge discovery in database (KDD) is this considered?
A. Probability
B. Statistical
C. Classification
D. Behavioral
B


Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE
C


Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Team-oriented approach that assesses organizational and
IT risks through facilitated workshops
ii. AS/NZS 4360 Australia and New Zealand business risk management assessment approach
iii. ISO/IEC 27005 International standard for the implementation of a risk management program that integrates into an information security management system (ISMS)
iv. Failure Modes and Effect Analysis (FMEA) Approach that dissects a component into its basic functions to identify flaws and those flaws' effects
v. Fault tree analysis Approach to map specific flaws to root causes in complex systems

A. None of them
B. ii
C. iii, iv
D. v
A


For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed?
i. Strategic alignment
ii. Process enhancement
iii. Business enablement
iv. Security effectiveness

A. i, ii
B. ii, iii
C. i, ii, iii, iv
D. iii, iv
C


Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)?
A. An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
C. An international organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized econom
D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy
A


There are many enterprise architecture models that have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architect type and the associated definition?
A. Zachman Framework Model and methodology for the development of information security enterprise architectures
B. TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group
C. DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
D. MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence
A


Which of the following best describes the difference between the role of the ISO/ IEC 27000 series and COBIT? A. COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT provides the objectives of the individual security controls.
C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented.
D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.
B


The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model?
A. It provides a pathway for how incremental improvement can take place.
B. It provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes.
C. It was created for process improvement and developed by Carnegie Mellon.
D. It was built upon the SABSA model.
D


If Joe wanted to use a risk assessment methodology that allows the various business owners to identify risks and know how to deal with them, what methodology would he use?
A. Qualitative
B. COSO
C. FRAP
D. OCTAVE
D


Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based upon a formal architecture framework. Which of the following best describes what a formal architecture framework is and why it would be used?
A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection
B. Conceptual model that is organized into multiple views addressing each of the stakeholder's concerns
C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner
D. Enterprise framework that allows for proper security governance
B


Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.
C


Several models and frameworks have been developed by different organizations over the years to help businesses carry out processes in a more efficient and effective manner. Which of the following provides the correct definition mapping of one of these items?
i. COSOA framework and methodology for enterprise security architecture and service management
ii. ITIL Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce
iii. Six Sigma Business management strategy that can be used to carry out process improvement
iv. Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon

A. i
B. i, iii
C. ii, iv
D. ii, iii, iv
D


It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts?
A. Service level agreement
B. Return on investment
C. Balanced scorecard system
D. Provisioning system
D


Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. Which of the following is an incorrect mapping of the levels that may be assigned to an organization based upon this model?
i. Maturity Level 2 - Managed or Repeatable
ii. Maturity Level 3 - Defined
iii. Maturity Level 4 - Quantitatively Managed
iv. Maturity Level 5 - Optimizing

A. i
B. i, ii
C. All of them
D. None of them
D


An organization's information system risk management (ISRM) policy should address many items to provide clear direction and structure. Which of the following is not a core item that should be covered in this type of policy?
i. The objectives of the IRM team
ii. The level of risk the organization will accept and what is considered an acceptable level of risk
iii. Formal processes of risk identification
iv. The connection between the IRM policy and the organization's strategic planning processes
v. Responsibilities that fall under IRM and the roles to fulfill them
vi. The mapping of risk to specific physical controls
vii. The approach toward changing staff behaviors and resource allocation in response to risk analysis
viii. The mapping of risks to performance targets and budgets ix. Key indicators to monitor the effectiveness of controls

A. ii, v, ix
B. vi
C. v
D. vii, ix
B


More organizations are outsourcing business functions to allow them to focus on their core business functions. Companies use hosting companies to maintain websites and e-mail servers, service providers for various telecommunication connections, disaster recovery companies for co-location capabilities, cloud computing providers for infrastructure or application services, developers for software creation, and security companies to carry out vulnerability management. Which of the following items should be included during the analysis of an outsourced partner or vendor?
i. Conduct onsite inspection and interviews
ii. Review contracts to ensure security and protection levels are agreed upon
iii. Ensure service level agreements are in place
iv. Review internal and external audit reports and third-party reviews
v. Review references and communicate with former and existing customers
vi. Review Better Business Bureau reports

A. ii, iii, iv
B. iv, v, vi
C. All of them
D. i, ii, iii
C


Which of the following is normally not an element of e-Discovery?
A. Identification
B. Preservation
C. Production
D. Remanence
D


A financial institution has developed its internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of guidance and functionality?
A. ISO/IEC 27002
B. ISO/IEC 27003
C. ISO/IEC 27004
D. ISO/IEC 27005
C


Which of the following is not an advantage of using content distribution networks?
A. Improved responsiveness to regional users
B. Resistance to ARP spoofing attacks
C. Customization of content for regional users
D. Resistance to DDoS attacks
B


Sue has been asked to install a web access management (WAM) product for her company's environment. What is the best description for what WAMs are commonly used for?
A. Control external entities requesting access to internal objects
B. Control internal entities requesting access to external objects
C. Control external entities requesting access through X.500 databases
D. Control internal entities requesting access through X.500 databases
A


A user's digital identity is commonly made up of more than just a username. Which of the following is not a common item that makes up a user's identity?
A. Entitlements
B. Traits
C. Figures
D. Attributes
C


Which of the following is a true statement pertaining to markup languages?
A. HyperText Markup Language (HTML) came from Generalized Markup Language (GML), which came from the Standard Generalized Markup Language (SGML).
B. HyperText Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML).
C. Standard Generalized Markup Language (SGML) came from the HyperText Markup Language (HTML), which came from the Generalized Markup Language (GML).
D. Standard Generalized Markup Language (SGML) came from the Generalized Markup Language (GML), which came from the HyperText Markup Language (HTML).
B


What is Extensible Markup Language (XML), and why was it created?
A. A specification that is used to create various types of markup languages for specific industry requirements
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
A


Which access control policy is enforced in an environment that uses containers and implicit permission inheritance using a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory
B


Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP, and had users connecting via wireless and wired transmissions?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
C


Jay is the security administrator at a credit card processing company. The company has many identity stores, which are not properly synchronized. Jay is going to oversee the process of centralizing and synchronizing the identity data within the company. He has determined that the data in the HR database will be considered the most up-to-date data, which cannot be overwritten by the software in other identity stores during their synchronization processes. Which of the following best describes the role of this database in the identity management structure of the company?
A. Authoritative system of record
B. Infrastructure source server
C. Primary identity store
D. Hierarchical database primary
A


Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to compliance processes
C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
A


A user's identity can be a collection of her ____ (department, role in company, shift time, clearance); her ____ (resources available to her, authoritative rights in the company); and her ____ (biometricinformation, height, sex,).
A. attributes, access, traits
B. attributes, entitlements, access
C. attributes, characteristics, traits
D. attributes, entitlements, traits
D


John needs to ensure that his company's application can accept provisioning data from the company's partner's application in a standardized method. Which of the following best describes the technology that John should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
A


Lynn logs into a website and purchases an airline ticket for her upcoming trip. The website also offers her pricing and package deals for hotel rooms and rental cars while she is completing her purchase. The airline, hotel, and rental companies are all separate and individual companies. Lynn decides to purchase her hotel room through the same website at the same time. The website is using Security Assertion Markup Language to allow for this type of federated identity management functionality. In this example which entity is the principal, which entity is the identity provider, and which entity is the service provider?
A. Portal, Lynn, hotel company
B. Lynn, airline company, hotel company
C. Lynn, hotel company, airline company
D. Portal, Lynn, airline company
B


John is the new director of software development within his company. Several proprietary applications offer individual services to the employees, but the employees have to log into each and every application independently to gain access to these discrete services. John would like to provide a way that allows each of the services provided by the various applications to be centrally accessed and controlled. Which of the following best describes the architecture that John should deploy?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture
A


Which security model enforces the principle that the security levels of an object should never change and is known as the "strong tranquility" property?
A. Biba
B. Bell-LaPadula
C. Brewer-Nash
D. Noninterference
B


Khadijah is leading a software development team for her company. She knows the importance of conducting an attack surface analysis and developing a threat model. During which phase of the software development life cycle should she perform these actions?
A. Requirements gathering
B. Testing and validation
C. Release and maintenance
D. Design
D


There is a specific terminology taxonomy used in the discipline of formal architecture framework development and implementation. Which of the following terms has an incorrect definition?
i. Architecture Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.
ii. Architectural description (AD) Representation of a whole system from the perspective of a related set of concerns.
iii. Stakeholder Individual, team, or organization (or classes thereof ) with interests in, or concerns relative to, a system.
iv. View Collection of document types to convey an architecture in a formal manner.
v. Viewpoint A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

A. i, iii
B. ii, iv
C. iv, v
D. ii
B


Operating systems may not work on systems with specific processors. Which of the following best describes why one operating system may work on an Intel processor but not on an AMD processor?
A. The operating system was not developed to work within the architecture of a specific processor and cannot use that specific processor instruction set.
B. The operating system was developed before the new processor architecture was released, and thus is not backward compatible.
C. The operating system is programmed to use a different instruction set.
D. The operating system is platform dependent, and thus can work only on one specific processor family.
A


Which of the following best describes how an address bus and a data bus are used for instruction execution?
A. The CPU sends a "fetch" request on the data bus, and the data residing at the requested address is returned on the address bus.
B. The CPU sends a "get" request on the address bus, and the data residing at the requested address is returned on the data bus.
C. The CPU sends a "fetch" request on the address bus, and the data residing at the requested address is returned on the data bus.
D. The CPU sends a "get" request on the data bus, and the data residing at the requested address is returned on the address bus.
C


An operating system has many different constructs to keep all of the different execution components in the necessary synchronization. One construct the operating system maintains is a process table. Which of the following best describes the role of a process table within an operating system?
A. The table contains information about each process that the CPU uses during the execution of the individual processes' instructions.
B. The table contains memory boundary addresses to ensure that processes do not corrupt each other's data
C. The table contains condition bits that the CPU uses during state transitions.
D. The table contains I/O and memory addresses.
A


Hanna is a security manager of a company that relies heavily on one specific operating system. The operating system is used in the employee workstations and is embedded within devices that support the automated production line software. She has uncovered that the operating system has a vulnerability that could allow an attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability
introduces?
A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking
C


Which of the following architecture frameworks has a focus on command, control, communications, computers, intelligence, surveillance, and
reconnaissance systems and processes?
A. DoDAF
B. TOGAF
C. CMMI
D. MODAF
A


Many operating systems implement address space layout randomization (ASLR). Which of the following best describes this type of technology?
A. Randomly arranging memory address values
B. Restricting the types of processes that can execute instructions in privileged mode
C. Running privileged instructions in virtual machines
D. Randomizing return pointer values
A


A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


What is the name of a water sprinkler system that keeps pipes empty and doesn't release water until a certain temperature is met and a "delay mechanism" is instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
B


There are different types of fire suppression systems. Which of the following answers best describes the difference between a deluge and a preaction system?
A. A deluge system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A preaction system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
C. A dry pipe system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
D. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B


Which of the following best describes why Crime Prevention Through Environmental Design (CPTED) would integrate block parties and civic meetings?
A. These activities are designed to get people to work together to increase the overall crime and criminal behavior in the area.
B. These activities are designed to get corporations to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
C. These activities are designed to get people to work together to increase the three strategies of this design model.
D. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
D


Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give
a holistic understanding of the enterprise?
A. SABSA
B. TOGAF
C. CMMI
D. Zachman
D


Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer?
A. End-to-end data transmission
B. Application client/server communication mechanism in a distributed environment
C. Application-to-computer physical communication
D. Provides application with the proper syntax for transmission
B


What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
A


Which of the following best describes why classless interdomain routing (CIDR) was created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization's need
D. To allow IPv6 to tunnel IPSec traffic
C


John is a security engineer at a company that develops highly confidential products for various government agencies. While his company has VPNs set up to protect traffic that travels over the Internet and other nontrusted networks, he knows that internal traffic should also be protected. Which of the following is the best type of approach John's company should take?
A. Implement a data link technology that provides 802.1AE security functionality.
B. Implement a network-level technology that provides 802.1AE security functionality.
C. Implement TLS over L2TP.
D. Implement IPSec over L2TP.
A


IEEE ____ provides a unique ID for a device. IEEE ____ provides data encryption, integrity, and origin authentication functionality. IEEE ____ carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE ___ framework.
A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS
B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL
C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL
D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
D


Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is most likely taking place?
A. An attacker is modifying the switch SNMP MIB.
B. An attacker is carrying out a selective DoS attack.
C. An attacker is manipulating the ARP cache.
D. An attacker is carrying out an injection attack.
A


Larry is a seasoned security professional and knows the potential dangers associated with using an ISP's DNS server for Internet connectivity. When Larry stays at a hotel or uses his laptop in any type of environment he does not fully trust, he updates values in his HOSTS file. Which of the following best describes why Larry carries out this type of task?
A. Reduces the risk of an attacker sending his system a corrupt ARP address that points his system to a malicious website.
B. Ensures his host-based IDS is properly updated.
C. Reduces the risk of an attacker sending his system an incorrect IP address-to- host mapping that points his system to a malicious website.
D. Ensures his network-based IDS is properly synchronized with his host-based IDS.
C


John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag values. Which of the following best describes the type of attack that has most likely been taking place?
A. DHCP snooping
B. VLAN hopping
C. Network traffic shaping
D. Network traffic hopping
B


Frank is a new security manager for a large financial institution. He has been told that the organization needs to reduce the total cost of ownership for many components of the network and infrastructure. The organization currently maintains many distributed networks, software packages, and applications. Which of the following best describes the cloud services that are most likely provided by service providers for Frank to choose from?
A. Infrastructure as a Service provides an environment similar to an operating system, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application- based functionality.
B. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.
C. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides application-based functionality, and Software as a Service provides specific operating system functionality.
D. Infrastructure as a Service provides an environment similar to a database, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.
B


Terry is told by his boss that he needs to implement a networked-switched infrastructure that allows several systems to be connected to any storage device. What does Terry need to roll out?
A. Electronic vaulting
B. Hierarchical storage management
C. Storage area network
D. Remote journaling
C


On a Tuesday morning, Jami is summoned to the office of the security director, where she finds six of her peers from other departments. The security director gives them instructions about an event that will be taking place in two weeks. Each of the individuals will be responsible for removing specific systems from the facility, bringing them to the offsite facility, and implementing them. Each individual will need to test the installed systems and ensure the configurations are correct for production activities. What event is Jami about to take part in?
A. Parallel test
B. Full-interruption test
C. Simulation test
D. Structured walk-through test
A


While DRP and BCP are directed at the development of "plans," is the holistic management process that should cover both of them. It provides a framework for integrating resilience with the capability for effective responses that protects the interests of the organization's key stakeholders.
A. continuity of operations
B. business continuity management
C. risk management
D. enterprise management architecture
B


The "Safe Harbor" privacy framework was created to:
A. Ensure that personal information should be collected only for a stated purpose
by lawful and fair means and with the knowledge or consent of the subject
B. Provide a streamlined means for U.S. organizations to comply with European privacy laws
C. Require the federal government to release to citizens the procedures for how records are collected, maintained, used, and distributed
D. None of the above
B


The European Union's Directive on Data Protection forbids the transfer of individually identifiable information to a country outside the EU, unless:
A. The receiving country grants individuals adequate privacy protection.
B. The receiving country pays a fee to the EU.
C. There are no exceptions; no information is ever transferred.
D. The receiving country is a member of the Fair Trade Organization.
A


The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. How does this relate to technology
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
A


Which world legal system of law is used in continental European countries, such as France and Spain, and is rule-based law, not precedence based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
A


Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method?
A. Determining functions and identifying functional failures
B. Assessing the causes of failure and their failure effects through a structured process
C. Structured process carried out by an identified team to address high-level security compromises
D. Identifying where something is most likely going to break and either fixing the flaws that could cause this issue or implementing controls to reduce the impact of the break
C


A risk analysis can be carried out through qualitative or quantitative means. It is important to choose the right approach to meet the organization's goals. In a quantitative analysis, which of the following items would not be assigned a numeric value?
i. Asset value
ii. Threat frequency
iii. Severity of vulnerability
iv. Impact damage
v. Safeguard costs
vi. Safeguard effectiveness
vii. Probability

A. All of them
B. None of them
C. ii
D. vii
B


Uncovering restricted information by using permissible data is referred to as ____.
A. inference
B. data mining
C. perturbation
D. cell suppression
A


Tim recently started working at an organization with no defined security processes. One of the areas he'd like to improve is software patching. Consistent with the organizational culture, he is considering a decentralized or unmanaged model for patching. Which of the following is not one of the risks his organization would face with such a model?
A. This model typically requires users to have admin credentials, which violates the principle of least privilege.
B. It will be easier to ensure that all software is updated, since they will be configured to do so automatically.
C. It may be difficult (or impossible) to attest to the status of every application in the organization.
D. Having each application or service independently download the patches will lead to network congestion.
B


An attacker can modify the client-side JavaScript that provides structured layout and HTML representation. This commonly takes place through form fields within compromised web servers. Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking
B


COBIT and COSO can be used together, but have different goals and focuses. Which of the following is incorrect as it pertains to these two models?
i. COSO is a model for corporate governance, and COBIT is a model for IT governance.
ii. COSO deals more at the strategic level, while COBIT focuses more at the operational level.
iii. COBIT is a way to meet many of the COSO objectives, but only from the IT perspective.
iv. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

A. None
B. All
C. i, ii
D. ii, iii
A


Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability

In the scenario, what does the 24-hour time period represent and what does the 13-hour time period represent?
A. Maximum tolerable downtime, recovery time objective
B. Recovery time objective, maximum tolerable downtime
C. Maximum tolerable downtime, recovery data period
D. Recovery time objective, data recovery period
A


Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability

Which of the following best describes the type of solution Ron's team needs to
implement?
A. RAID and clustering
B. Storage area networks
C. High availability
D. Grid computing and clustering
C


16. Application of training and education is a common method of which risk control strategy?
a. mitigation
b. defense
c. acceptance
d. transferal
b


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance
b. avoidance
c. transference
d. mitigation
d






00:02
01:10
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan
b. business continuity plan
c. disaster recovery plan
d. damage control plan
a


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
c


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk
b. risk appetite
c. risk assurance
d. risk termination
b


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
c


22. Which of the following affects the cost of a control?
a. liability insurance
b. CBA report
c. asset resale
d. maintenance
d


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard
b. single loss expectancy
c. value to adversaries
d. annualized loss expectancy
b


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
b. exposure factor
c. single loss expectancy
d. annualized rate of occurrence
a


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility
b. political feasibility
c. technical feasibility
d. operational feasibility
b


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support
b. implementing controls
c. evaluating alternative strategies
d. measuring program effectiveness
c


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
b. quantitative valuation of safeguards
c. subjective prioritization of controls
d. risk analysis estimates
a


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE
b. FAIR
c. Hybrid Measures
d. Delphi
d


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment
b. review and reapplication
c. monitoring and measurement
d. evaluation and funding
c


30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components
b. evaluate loss event frequency
c. assess control impact
d. derive and articulate risk
c


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation
b. documented control strategy
c. risk acceptance plan
d. mitigation plan
b


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis
b. asset valuation
c. cost avoidance
d. cost-benefit analysis
c


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking
b. due care and due diligence
c. selective risk avoidance
d. the gold standard
c


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment
b. risk treatment
c. risk communication
d. risk determination
d


35. The NIST risk management approach includes all but which of the following elements?
a. inform
b. assess
c. frame
d. respond
a


15. Communications security involves the protection of which of the following?.
a. radio handsets
b. people, physical assets
c. the IT department
d. media, technology, and content
d


16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
a. accountability
b. availability
c. authorization
d. authentication
b


Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
a. Integrity
b. Availability
c. Authentication
d. Confidentiality
d


18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
a. accountability
b. authorization
c. identification
d. authentication
c


19. What do audit logs that track user activity on an information system provide?
a. identification
b. authorization
c. accountability
d. authentication
c


20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
a. leading
b. controlling
c. organizing
d. planning
d


21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization
b. planning
c. controlling
d. leading
a


22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
a. zombie-in-the-middle
b. sniff-in-the-middle
c. server-in-the-middle
d. man-in-the-middle
d


23. Which of the following is the first step in the problem-solving process?
a. Analyze and compare the possible solutions
b. Develop possible solutions
c. Recognize and define the problem
d. Select, implement and evaluate a solution
c


24. Which of the following is NOT a step in the problem-solving process?
a. Select, implement and evaluate a solution
b. Analyze and compare possible solutions
c. Build support among management for the candidate solution
d. Gather facts and make assumptions
c


25. Which of the following is NOT a primary function of Information Security Management?a. planning
b. protection
c. projects
d. performance
d


26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
a. planning
b. policy
c. programs
d. people
b


27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
a. protection
b. people
c. projects
d. policy
b


28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
a. bypass
b. theftc.
trespass
d. security
c


29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
a. Viruses
b. Worms
c. Spam
d. Trojan horses
d


30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
a. false alarms
b. polymorphisms
c. hoaxes
d. urban legends
c


31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
a. threats
b. education
c. hugs
d. paperwork
b


32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering
b. virus
c. worm
d. spam
a


33. Which type of attack involves sending a large number of connection or information requests to a target?
a. malicious code
b. denial-of-service (DoS)
c. brute force
d. spear fishing
b


34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins
b. Implementation sins
c. Web application sins
d. Networking sins
a


35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
a. SSL
b. SLA
c. MSL
d. MIN
b


36. Blackmail threat of informational disclosure is an example of which threat category?
a. Espionage or trespass
b. Information extortion
c. Sabotage or vandalism
d. Compromises of intellectual property
b




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist
b. phreak
c. hackcyber
d. cyberhack
a


38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
a. denial-of-service
b. distributed denial-of-service
c. virus
d. spam
b


39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
a. brute force
b. DoS
c. back door
d. hoax
c


40. A short-term interruption in electrical power availability is known as a ____.
a. fault
b. brownout
c. blackout
d. lag
a


12. Which subset of civil law regulates the relationships among individuals and among individualsand organizations?
a. tort
b. criminal
c. private
d. public
c


13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
a. USA Patriot Act of 2001
b. American Recovery and Reinvestment Act
c. Health Information Technology for Economic and Clinical Health Act
d. National Information Infrastructure Protection Act of 1996
c


14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
a. For purposes of commercial advantage
b. For private financial gain
c. For political advantage
d. In furtherance of a criminal act
c


15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
a. The Telecommunications Deregulation and Competition Act
b. National Information Infrastructure Protection Act
c. Computer Fraud and Abuse Act
d. The Computer Security Act
d


16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986
b. The Telecommunications Deregulation and Competition Act of 1996
c. National Information Infrastructure Protection Act of 1996
d. Federal Privacy Act of 1974
a


17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
a. ECPA
b. Sarbanes-Oxley
c. HIPAA
d. Gramm-Leach-Bliley
c


18. Which law extends protection to intellectual property, which includes words published in electronic formats?
a. Freedom of Information Act
b. U.S. Copyright Law
c. Security and Freedom through Encryption Act
d. Sarbanes-Oxley Act
b


19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
a. Applied ethics
b. Meta-ethics
c. Normative ethics
d. Deontological ethics
d


20. Which of the following is an international effort to reduce the impact of copyright, trademark,and privacy infringement, especially via the removal of technological copyright protection measures?
a. U.S. Copyright Law
b. PCI DSS
c. European Council Cybercrime Convention
d. DMCA
d


21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
a. Applied ethics
b. Descriptive ethics
c. Normative ethics
d. Deontological ethics
b


22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
a. utilitarian
b. virtue
c. fairness or justice
d. common good
d


23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
a. ignorance
b. malice
c. accident
d. intent
b


24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
a. remediation
b. deterrence
c. persecution
d. rehabilitation
b


25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2
b. ACM
c. SANS
d. ISACA
a


26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
a. liability
b. restitution
c. due diligence
d. jurisdiction
b


27. Any court can impose its authority over an individual or organization if it can establish which of the following?
a. jurisprudence
b. jurisdiction
c. liability
d. sovereignty
b


10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
a. vision statement
b. values statement
c. mission statement
d. business statement
c


11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic
b. tactical
c. operational
d. managerial
a


12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans
b. Tactical plans are used to create strategic plans
c. Operational plans are used to create tactical plans
d. Operational plans are used to create strategic plans
a


13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
a. strategic
b. operational
c. organizational
d. tactical
d


14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
a. Strategic
b. Tactical
c. Organizational
d. Operational
d


15. The basic outcomes of InfoSec governance should include all but which of the following?
a. Value delivery by optimizing InfoSec investments in support of organizational objectives
b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
c. Time management by aligning resources with personnel schedules and organizational objectives
d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
c


16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators
c


17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning
b. Assign InfoSec to a key committee and ensure adequate support for that committee
c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval
d. Identify InfoSec leaders, hold them accountable, and ensure support for them
a


18. Which of the following should be included in an InfoSec governance program?
a. An InfoSec development methodology
b. An InfoSec risk management methodology
c. An InfoSec project management assessment from an outside consultant
d. All of these are components of the InfoSec governance program
b


19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating
b. Establishing
c. Acting
d. Learning
a


20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
a. Initiating
b. Establishing
c. Acting
d. Learning
b


21. Which of the following is an information security governance responsibility of the Chief Security Officer?
a. Communicate policies and the program
b. Set security policy, procedures, programs and training
c. Brief the board, customers and the public
d. Implement policy, report security vulnerabilities and breaches
b


22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security
b. Information Security Management
c. Risk Management
d. Policy Management
a


23. Which of the following is a key advantage of the bottom-up approach to security implementation?
a. strong upper-management support
b. a clear planning and implementation process
c. utilizes the technical expertise of the individual administrators
d. coordinated planning from upper management
c


24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
a. software engineering
b. joint application design
c. sequence-driven policies
d. event-driven procedures
b


25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
a. modular continuous
b. elementary cyclical
c. time-boxed circular
d. traditional waterfall
d


26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators
a


27. What is the first phase of the SecSDLC?
a. analysis
b. investigation
c. logical design
d. physical design
b


28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology office
a


29. In which phase of the SecSDLC does the risk management task occur?
a. physical design
b. implementation
c. investigation
d. analysis
d


30. An example of a stakeholder of a company includes all of the following except:
a. employees
b. the general public
c. stockholders
d. management
b


31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
a. champion
b. end user
c. team leader
d. policy developer
c


32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer
c


33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion
b. end user
c. team leader
d. policy developer
a


34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee
b. Board Finance Committee
c. Board Audit Committee
d. Chairman of the Board
a


35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization
b


37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization
a


38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.
b. joint application design
c. security policy review
d. disaster recovery planning
a


39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
a. system controls
b. technical controls
c. operational controls
d. managerial controls
d


11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law
b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management
d. policy must be properly supported and administered
c


13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies
b


14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process
b. legal recourse
c. what must be done to comply
d. the proper operation of equipment
d


15. Which policy is the highest level of policy and is usually created first?
a. SysSP
b. USSP
c. ISSP
d. EISP
d


16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure
b. standard
c. guideline
d. practice
b


17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization's SDLC methodology
d. indemnification of the organization against liability
b


18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific
b. enterprise information
c. system-specific
d. user-specific
a


19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose
a


20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment
a


21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage
a


22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance
b. business guidance and network guidance
c. user specifications and managerial guidance d. technical specifications and business guidance
a


23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules
d


24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access
b. where the system is located
c. how authorized users can access the system
d. when authorized users can access the system
b


25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
a. access control lists
b. user profiles
c. configuration rules
d. capability tables
c


26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design
b. analysis
c. implementation
d. investigation
d


27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design
b. implementation
c. investigation
d. analysis
a


28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation
b. analysis
c. design
d. investigation
b


29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?a. policy developer
b. policy reviewer
c. policy enforcer
d. policy administrator
d


30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
a. policy administration
b. due diligence
c. adequate security measures
d. certification and accreditation
b


13. Which of the following variables is the most influential in determining how to structure an information security program?
a. Security capital budget
b. Organizational size
c. Security personnel budget
d. Organizational culture
d


14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger information security needs than a small organization
d


15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
a. Risk management
b. Risk assessment
c. Systems testing
d. Vulnerability assessment
b


16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing
b. Risk assessment
c. Incident response
d. Systems security administration
a


17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
a. compliance
b. policy
c. planning
d. systems security administration
c


18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance audit
d. risk management
b


19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician
b. A security analyst
c. A security consultant
d. The security manager
a


20. GGG security is commonly used to describe which aspect of security?
a. technical
b. software
c. physical
d. theoretical
c


21. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurence of accidental security breaches
d. increase the efficiency of InfoSec staff
c


22. A SETA program consists of three elements: security education, security training, and which of the following?.
a. security accountability
b. security authentication
c. security awareness
d. security authorization
c


23. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness
b


24. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education
b. level of previous training
c. technology product
d. number of employees
c


25. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
d. Motivate management and employees
c


26. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other
b. Very cost-effective
c. Customized
d. Maximizes use of company resources
c


27. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient
d


28. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible
d


29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee's convenience
d. Can be customized to the needs of the trainee
a


30. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences
b


31. __________ is a simple project management planning tool.
a. RFP
b. WBS
c. ISO 17799
d. SDLC
b


32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
a. distance learning seminars
b. security-themed Web site
c. conference calls
d. security newsletter
d


33. Which of the following is true about a company's InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn't matter if the information is there
c. it should be placed on the Internet for public use
d. it should be tested with multiple browsers
d


16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
a. General management must structure the IT and InfoSec functions
b. IT management must serve the IT needs of the broader organization
c. Legal management must develop corporate-wide standards
d. InfoSec management must lead the way with skill, professionalism, and flexibility
c


17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis
b. Risk identification
c. Risk management
d. Risk reduction
a


18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
a. Creating an inventory of information assets
b. Classifying and organizing information assets into meaningful groups
c. Assigning a value to each information asset
d. Calculating the severity of risks to which assets are exposed in their current setting
d


19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
a. Determining the likelihood that vulnerable systems will be attacked by specific threats
b. Calculating the severity of risks to which assets are exposed in their current setting
c. Assigning a value to each information asset
d. Documenting and reporting the findings of risk identification and assessment
c


20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
a. Part number
b. Serial number
c. MAC address
d. IP address
d


21. Which of the following is an attribute of a network device is physically tied to the network interface?
a. Serial number
b. MAC address
c. IP address
d. Model number
b


22. Which of the following attributes does NOT apply to software information assets?
a. Serial number
b. Controlling entity
c. Manufacturer name
d. Product dimensions
d


23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
a. Name
b. MAC address
c. Serial number
d. Manufacturer's model or part number
d


24. Data classification schemes should categorize information assets based on which of the following?
a. Value and uniqueness
b. Sensitivity and security needs
c. Cost and replacement value
d. Ease of reproduction and fragility
b


25. Classification categories must be mutually exclusive and which of the following?
a. Repeatable
b. Unique
c. Comprehensive
d. Selective
c


26. What is the final step in the risk identification process?
a. Assessing values for information assets
b. Classifying and categorizing assets
c. Identifying and inventorying assets
d. Listing assets in order of importance
d


27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
a. Asset tag
b. Relative value
c. Location ID
d. Threat risk
b


28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory
b. Audited accounting spreadsheet
c. Intellectual property assessment
d. List of known threats
a


29. Which of the following is an example of a technological obsolescence threat?
a. Hardware equipment failure
b. Unauthorized access
c. Outdated servers
d. Malware
c


30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention
b. Cost of litigation
c. Cost of detection
d. Cost of identification
a


31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
a. Liabilities
b. Defenses
c. Vulnerabilities
d. Weaknesses
c


32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
a. Risk exposure report
b. Threats-vulnerabilities-assets worksheet
c. Costs-risks-prevention database
d. Threat assessment catalog
b


33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
a. Vulnerability mitigation controls
b. Risk assessment estimate factors
c. Exploit likelihood equation
d. Attack analysis calculation
b


34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
a. Risk determination
b. Assessing potential loss
c. Likelihood and consequences
d. Uncertainty
...


35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage
b. Asset impact
c. Risk-rating factor
d. Vulnerability likelihood
a


16. Application of training and education is a common method of which risk control strategy?
a. mitigation
b. defense
c. acceptance
d. transferal
b


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance
b. avoidance
c. transference
d. mitigation
d


18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan
b. business continuity plan
c. disaster recovery plan
d. damage control plan
a


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
c


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk
b. risk appetite
c. risk assurance
d. risk termination
b


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
c


22. Which of the following affects the cost of a control?
a. liability insurance
b. CBA report
c. asset resale
d. maintenance
d


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard
b. single loss expectancy
c. value to adversaries
d. annualized loss expectancy
b


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
b. exposure factor
c. single loss expectancy
d. annualized rate of occurrence
a


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility
b. political feasibility
c. technical feasibility
d. operational feasibility
b


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support
b. implementing controls
c. evaluating alternative strategies
d. measuring program effectiveness
c


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
b. quantitative valuation of safeguards
c. subjective prioritization of controls
d. risk analysis estimates
a


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE
b. FAIR
c. Hybrid Measures
d. Delphi
d


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment
b. review and reapplication
c. monitoring and measurement
d. evaluation and funding
c


30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components
b. evaluate loss event frequency
c. assess control impact
d. derive and articulate risk
c


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation
b. documented control strategy
c. risk acceptance plan
d. mitigation plan
b


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis
b. asset valuation
c. cost avoidance
d. cost-benefit analysis
c


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking
b. due care and due diligence
c. selective risk avoidance
d. the gold standard
c


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment
b. risk treatment
c. risk communication
d. risk determination
d


35. The NIST risk management approach includes all but which of the following elements?
a. inform
b. assess
c. frame
d. respond
a


36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester
b. gray-hat hacker
c. script kiddie
d. zebra team
a


12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model
b. Wood's model
c. Bull's-eye model
d. Bergeron and Berube model
c


4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
a. true
b. false
a


11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures.
a. true
b. false
a


12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
a. true
b. false
a


2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
a. true
b. false
a


3. Deterrence is the best method for preventing an illegal or unethical activity.
a. true
b. false
a


5. Due diligence requires that an organization make a valid and ongoing effort to protect others.
a. true
b. false
a


6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies.
a. true
b. false
a


2. A clearly directed strategy flows from top to bottom rather than from bottom to top.
a. true
b. false
a


5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.
a. true
b. false
a


9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.
a. true
b. false
a


1. Policies must specify penalties for unacceptable behavior and define an appeals process.
a. true
b. false
a


2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.
a. true
b. false
a


7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management.
a. true
b. false
a


1. Small organizations spend more per user on security than medium- and large-sized organizations.
a. true
b. false
a


5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
a. true
b. false
a


7. Planners need to estimate the effort required to complete each task, subtask, or action step.
a. true
b. false
a


9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.
a. true
b. false
a


10. Each organization has to determine its own project management methodology for IT and information security projects.
a. true
b. false
a


5. On-the-job training can result in substandard work performance while the trainee gets up to speed.
a. true
b. false
a


7. Planners need to estimate the effort required to complete each task, subtask, or action step.
a. true
b. false
a


9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable.
a. true
b. false
a


10. Each organization has to determine its own project management methodology for IT and information security projects.
a. true
b. false
a


2. The InfoSec community often takes on the leadership role in addressing risk.
a. true
b. false
a


4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.
a. true
b. false
a


5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.
a. true
b. false
a


1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
a. true
b. false
a


3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
a. true
b. false
a


4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
a. true
b. false
a


5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
a. true
b. false
a


8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
a. true
b. false
a


12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________
a. true
b. false
a


13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.
a. true
b. false
a


14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________
a. true
b. false
a


Information security management as a field is ever decreasing indemand and responsibility because most organizations spend increasingly largerpercentages of their IT budgets in attempting to manage risk and mitigate intrusions,not to mention the trend in many enterprises of moving all IT operations to an Internetconnectedinfrastructure, known as enterprise cloud computing.
a. true
b. false
b


Information security is a business problem in the sense that the entireorganization must frame and solve security problems based on its own strategicdrivers, not solely on technical controls aimed to mitigate one type of attack.
a. true
b. false
a


In defining required skills for information security managers, the ISC hasarrived at an agreement on ten domains of information security that is known as theCommon Body of Knowledge (CBK).
a. true
b. false
a


Threats to information systems come in many flavors, some withmalicious intent, others with supernatural powers or expected surprises.
a. true
b. false
b


Threats are exploited with a variety of attacks, some technical, others notso much.
a. true
b. false
a


The art of manipulating people into performing actions or divulging confidentialinformation, is known as:
a. Malware
b. Industrial espionage
c. Social engineering
d. Spam
e. Phishing
c


What describes activities such as theft of trade secrets, bribery, blackmail, andtechnological surveillance as well as spying on commercial organizations andsometimes governments?
a. Spam
b. Phishing
c. Hoaxes
d. Industrial espionage
e. Denial-of-service
d


What is the abuse of electronic messaging systems to indiscriminately send unsolicitedbulk messages, many of which contain hoaxes or other undesirable contents such aslinks to phishing sites?
a. Spamming
b. Phishing
c. Hoaxes
d. Distributed denial-of-service
e. All of the Above
a


What is the criminally fraudulent process of attempting to acquire sensitive informationsuch as usernames, passwords, and credit-card details by masquerading as atrustworthy entity in an electronic communication?
A. Splicing
B. Phishing
C. Bending
D. FSO
E. Cabling
b


What requires that an individual, program, or system process is not granted any moreaccess privileges than are necessary to perform the task?
A. Administrative controls
B. Principle of Least Privilege
C. Technical controls
D. Physical controls
E. Risk analysis
b


To give organizations a starting point to develop their own security management systems, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed a family of standards known as the Information Security Management System 27000 Family of Standards.
a. true
b. false
a


Training should also include creating company security policies and creating user roles that are specific to the organization.
a. true
b. false
a


The act of securing information has not been around for as long as the idea of storing information.
a. true
b. false
b


All personnel who come into contact with information systems need to be aware of the risks from improper use of those systems.
a. true
b. false
a


Each organization should not develop a company policy detailing the preferred use of company data or company software
a. true
b. false
b


1. _______ what is on the screen by photographing it?
A. Capture
B. Turn off
C. Document
D. Create
E. All of the above
c


2. _____the contents of the system's memory?
A. Turn off
B. Document
C. Create
D. Capture
E. All of the above
d


3. _____the computer?
A. Capture
B. Create
C. Document
D. Distribute
E. Turn off
e


4. _____a forensic image of the system's hard drive?
A. Create
B. Turn off
C. Capture
D. Document
E. All of the above
a


5. Devices that can be used to copy proprietary company data off the internal network areknown as:
A. Remote control software
B. Email
C. USB storage
D. General Internet use
E. Risk analysis
c


Security policies and procedures do not constitute the main part of anyorganization's security.
a. true
b. false
b


Various security-related roles do not need to be maintained and well defined.
a. true
b. false
b


End users have a responsibility to protect information assets on a dailybasis through adherence to the security policies that have been set and communicated.
a. true
b. false
a


Top management does not play an important role in protecting the information assets in an organization.
a. true
b. false
b


The security officer "directs, coordinates, plans, and organizes information security activities throughout the organization.
a. true
b. false
a


1. Who are responsible for ensuring that the information security policies and procedureshave been adhered to?
A. Information owners
B. Information system auditors
C. Security officers
D. Executive management
E. All of the above
b


2. Who is responsible for building IT security controls into the design andimplementations of the systems?
A. Information owners
B. Information system auditors
C. IT personnel
D. Systems Administrator
E. All of the above
c


3. Who is responsible for configuring the hardware and the operating system to ensurethat the information systems and their contents are available for business as and whenneeded?
A. Information System Auditor
B. Information Owners
C. Systems Administrator
D. Security Officer
E. Executive Management
c


4. What analyzes the impact of outage on critical business function operations?
A. Risk assessment
B. Recovery strategy identification
C. Recovery strategy selection
D. Business impact analysis
E. All of the above
d


5. What documents the processes, equipment, and facilities required to restore theIT assets?
A. Contingency plan development
B. User training
C. Plan verification
D. Plan maintenance
E. Recovery strategy selection
a


A digital identity is a representation of an entity in a general context.
a. true
b. false
b


Identity management refers to "the process of representing, using,maintaining, deprovisioning and authenticating entities as digital identities in computernetworks."
a. true
b. false
a


Privacy is a central issue, due to the fact that the official authorities ofalmost all countries have legal strict policies related to identity.
a. true
b. false
a


The evolution of the identity management system is away from thesimplification of user experience and reinforcing authentication.
a. true
b. false
b


The security is also compromised with the proliferation of the user'spassword and even by it's strength.
a. true
b. false
b


The main identity management system deployed currently in the world of the Internetis known as the?
A. Federated identity management model
B. Identity life cycle
C. Aggregate identity
D. Executive management modelE. Silo model
b


2. ________________ in centralized identity infrastructures, can't solve the problem ofcross-organizational authentication and authorization?
A. Centrally managed repositories
B. Information system auditors
C. IT personnel
D. Systems Administrators
E. All of the above
a


3. A relatively simple ____________ model is to build a platform that centralizesidentities?
A. Common user identity management
B. Simple centralized identity management
C. Unique identity management
D. Meta directory
E. Executive Management
b


4. What provides an abstraction boundary between application and the actualimplementation?
A. Single point of administration
B. Redundant directory information
C. Single point of reference
D. Business impact analysis
E. All of the above
c


5. What directories are not located in the same physical structure as the Web homedirectory, but look as if they were to Web clients?
A. Single Sign-On
B. SeamlessC. Session
D. Virtual
E. Flexible
d


1. True or False? Information security concerns itself with the integrity and availability ofinformation systems and the information or data they contain and process.
a. true
b. false
...


True or False? Having physical access to a computer system allows an adversary tobypass most security protections put in place to prevent unauthorized access.
a. true
b. false
a


3. True or False? An insider is an individual who, due to their role in the organization,has some level of authorized access to the IS environment and systems.
a. true
b. false
a


4. True or False? An outsider is considered anyone who does not have authorized accessprivileges to an information system or environment.
a. true
b. false
a


5. True or False? Malware can be generally defined as "a set of instructions that run onyour computer and make your system do something that allow an attacker to make itdo what he wants it to do."
a. true
b. false
a


1. What is a self-replicating code that attaches itself to another program?
A. Worm
B. Virus
C. Backdoor
D. Trojan Horse
E. User-level Rootkit
b


2. What is a self-replicating code that propagates over a network, usually without human interaction?
A. Backdoor
B. Virus
C. Worm
D. Trojan Horse
E. User-level Rootkit
c


3. What is a program that bypasses standard security controls to provide an attacker access, often in a stealthy way?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
d


4. What is a program that masquerades as a legitimate, useful program while also performing malicious functions in the background?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What is the Trojan/ backdoor code that modifies operating system software so the attacker can maintain privileged access on a machine but remain hidden?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
e


1. True or False? Network firewalls are a vital component for maintaining a secure environment and are often the first line of defense against attack.
a. true
b. false
a


2. True or False? When a packet arrives at a firewall, a hacker policy is applied to determine the appropriate action.
a. true
b. false
b


3. True or False? Multiple rules of a single firewall policy may match a packet— for example, a packet could match rules 2, 6, and 7 of the policy.
a. true
b. false
b


4. True or False? For most firewalls, the first rule that matches a packet is not typically applied.
a. true
b. false
b


5. True or False? Given that a network firewall will not inspect all packets transmitted between multiple networks, these devices need to determine the appropriate match with minimal delay.
a. true
b. false
a


1. What refers to how often the rule is a match?
A. Worm
B. Virus
C. Backdoor
D. More popular
E. User-level Rootkit
d


2. What is the most basic type of a firewall since it only filters at the network andtransport layers (layers two and three)?
A. Backdoor
B. Virus
C. Worm
D. Packet filter
E. User-level Rootkit
d


3. What perform the same operations as packet filters, but also maintain state about thepackets that have arrived?
A. Stateful firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


4. What can filter traffic at the network, transport, and application layer?
A. Application layer firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What can also be categorized based on where they are implemented or what they areintended to protect—host or network?
A. Trojan Horse
B. Firewalls
C. Worm
D. Backdoor
E. User-level Rootkit
b


1. True or False? Penetration testing is the exploitation of vulnerabilities absent in anorganization's network.
a. true
b. false
b


2. True or False? Some sources classify penetration testing into two types—internal andexternal—and then talk about the "variations" of these types of tests based on theamount of information the test team has been given about the organization prior tostarting the test.
a. true
b. false
a


True or False? When a penetration test is conducted against Internet-facing hosts, it isknown as external testing.
a. true
b. false
a


True or False? There are three phases in a penetration test, and they mimic the phasesthat an attacker would use to conduct a real attack.
a. true
b. false
a


5. True or False? The pre-attack phase consists of the penetration team's or hacker'sattempts to investigate or explore the potential target.
a. true
b. false
a


1. What stage involves the actual compromise of the target?
A. Worm Phase
B. Virus Phase
C. Backdoor Phase
D. More popular Phase
E. Attack Phase
e


2. What is unique to the penetration test team?A. Backdoor Phase
B. Virus Phase
C. Post-Attack Phase
D. Packet filter Phase
E. User-level Rootkit Phase
c


3. What is simply a way to ensure that a particular activity is conducted in a standardmanner, with documented and repeatable results?
A. Stateful firewalls
B. Virus
C. Methodology
D. Backdoor
E. User-level Rootkit
c


4. What have been developed by particular entities offering network security services orcertifications?
A. Application layer firewalls
B. Proprietary methodologies
C. Worms
D. Backdoors
E. User-level Rootkit
b


5. What test is a systematic analysis of all security controls in place at the testedorganization?
A. Trojan Horse
B. Firewalls
C. Worm
D. Comprehensive penetration
E. User-level Rootkit
d



True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.


True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________


True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________


True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.


True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________


True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________


True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________


True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top.


True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.


True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.


True
1. Policies must specify penalties for unacceptable behavior and define an appeals process.


True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.


True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________


True
1. Small organizations spend more per user on security than medium- and large-sized organizations.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
2. The InfoSec community often takes on the leadership role in addressing risk.


True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.


True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.


True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.


True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.


True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.


True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.


True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________


True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________


True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.


True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________




b
16. Application of training and education is a common method of which risk control strategy?
a. mitigation b. defense
c. acceptance d. transferal


d
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance b. avoidance
c. transference d. mitigation


a
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan b. business continuity plan
c. disaster recovery plan d. damage control plan


c
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability


b
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk b. risk appetite
c. risk assurance d. risk termination


c
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.


d
22. Which of the following affects the cost of a control?
a. liability insurance b. CBA report
c. asset resale d. maintenance


b
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard b. single loss expectancy
c. value to adversaries d. annualized loss expectancy


a
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis b. exposure factor
c. single loss expectancy d. annualized rate of occurrence


b
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility b. political feasibility
c. technical feasibility d. operational feasibility


c
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support b. implementing controls
c. evaluating alternative strategies d. measuring program effectiveness


a
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components b. quantitative valuation of safeguards
c. subjective prioritization of controls d. risk analysis estimates




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
d
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE b. FAIR
c. Hybrid Measures d. Delphi


c
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment b. review and reapplication
c. monitoring and measurement d. evaluation and funding


c
30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components b. evaluate loss event frequency
c. assess control impact d. derive and articulate risk


b
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation b. documented control strategy
c. risk acceptance plan d. mitigation plan


c
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis b. asset valuation
c. cost avoidance d. cost-benefit analysis


c
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking b. due care and due diligence
c. selective risk avoidance d. the gold standard


d
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment b. risk treatment
c. risk communication d. risk determination


a
35. The NIST risk management approach includes all but which of the following elements?
a. inform b. assess
c. frame d. respond


d
Chapter 1

15. Communications security involves the protection of which of the following?.
a. radio handsets b. people, physical assets
c. the IT department d. media, technology, and content


b
16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
a. accountability b. availability
c. authorization d. authentication




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
d
17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
a. Integrity b. Availability
c. Authentication d. Confidentiality


d
18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
a. accountability b. authorization
c. identification d. authentication


c
19. What do audit logs that track user activity on an information system provide?
a. identification b. authorization
c. accountability d. authentication


d
20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
a. leading b. controlling
c. organizing d. planning


a
21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization b. planning
c. controlling d. leading


d
22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
a. zombie-in-the-middle b. sniff-in-the-middle
c. server-in-the-middle d. man-in-the-middle


c
23. Which of the following is the first step in the problem-solving process?
a. Analyze and compare the possible solutions
b. Develop possible solutions
c. Recognize and define the problem
d. Select, implement and evaluate a solution


c
24. Which of the following is NOT a step in the problem-solving process?
a. Select, implement and evaluate a solution
b. Analyze and compare possible solutions
c. Build support among management for the candidate solution
d. Gather facts and make assumptions


d
25. Which of the following is NOT a primary function of Information Security Management?
a. planning b. protection
c. projects d. performance


b
26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
a. planning b. policy
c. programs d. people




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
b
27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
a. protection
b. people
c. projects
d. policy


c
28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
a. bypass b. theft
c. trespass d. security


d
29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
a. Viruses b. Worms
c. Spam d. Trojan horses


c
30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
a. false alarms b. polymorphisms
c. hoaxes d. urban legends


b
31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
a. threats b. education
c. hugs d. paperwork


a
32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering b. virus
c. worm d. spam


b
33. Which type of attack involves sending a large number of connection or information requests to a target?
a. malicious code b. denial-of-service (DoS)
c. brute force d. spear fishing


a
34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins
b. Implementation sins
c. Web application sins
d. Networking sins


b
35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
a. SSL b. SLA
c. MSL d. MIN


b
36. Blackmail threat of informational disclosure is an example of which threat category?
a. Espionage or trespass b. Information extortion
c. Sabotage or vandalism d. Compromises of intellectual property




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
a
37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist b. phreak
c. hackcyber d. cyberhack


b
38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
a. denial-of-service b. distributed denial-of-service
c. virus d. spam


c
39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
a. brute force b. DoS
c. back door d. hoax


a
40. A short-term interruption in electrical power availability is known as a ____.
a. fault
b. brownout
c. blackout d. lag


c
Chapter 2

12. Which subset of civil law regulates the relationships among individuals and among individuals
and organizations?
a. tort b. criminal
c. private d. public


c
13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
a. USA Patriot Act of 2001
b. American Recovery and Reinvestment Act
c. Health Information Technology for Economic and Clinical Health Act
d. National Information Infrastructure Protection Act of 1996


c
14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
a. For purposes of commercial advantage
b. For private financial gain
c. For political advantage
d. In furtherance of a criminal act


d
15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
a. The Telecommunications Deregulation and Competition Act
b. National Information Infrastructure Protection Act
c. Computer Fraud and Abuse Act
d. The Computer Security Act


a
16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986
b. The Telecommunications Deregulation and Competition Act of 1996
c. National Information Infrastructure Protection Act of 1996
d. Federal Privacy Act of 1974


c
17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
a. ECPA
b. Sarbanes-Oxley
c. HIPAA
d. Gramm-Leach-Bliley




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
b
18. Which law extends protection to intellectual property, which includes words published in electronic formats?
a. Freedom of Information Act b. U.S. Copyright Law
c. Security and Freedom through Encryption Act d. Sarbanes-Oxley Act


d
19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
a. Applied ethics b. Meta-ethics
c. Normative ethics d. Deontological ethics


d
20. Which of the following is an international effort to reduce the impact of copyright, trademark,
and privacy infringement, especially via the removal of technological copyright protection measures?
a. U.S. Copyright Law
b. PCI DSS
c. European Council Cybercrime Convention
d. DMCA


b
21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
a. Applied ethics b. Descriptive ethics
c. Normative ethics d. Deontological ethics


d
22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
a. utilitarian b. virtue
c. fairness or justice d. common good


b
23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
a. ignorance b. malice
c. accident d. intent


b
24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
a. remediation b. deterrence
c. persecution d. rehabilitation


a
25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2 b. ACM
c. SANS d. ISACA


b
26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
a. liability b. restitution
c. due diligence d. jurisdiction


b
27. Any court can impose its authority over an individual or organization if it can establish which of the following?
a. jurisprudence b. jurisdiction
c. liability d. sovereignty


c
Chapter 3

10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
a. vision statement b. values statement
c. mission statement d. business statement


a
11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic b. tactical
c. operational d. managerial


a
12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans
b. Tactical plans are used to create strategic plans
c. Operational plans are used to create tactical plans
d. Operational plans are used to create strategic plans


d
13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
a. strategic b. operational
c. organizational d. tactical


d
14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
a. Strategic b. Tactical
c. Organizational d. Operational


c
15. The basic outcomes of InfoSec governance should include all but which of the following?
a. Value delivery by optimizing InfoSec investments in support of organizational objectives
b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
c. Time management by aligning resources with personnel schedules and organizational objectives
d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively


c
16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators


a
17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning
b. Assign InfoSec to a key committee and ensure adequate support for that committee
c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval
d. Identify InfoSec leaders, hold them accountable, and ensure support for them


b
18. Which of the following should be included in an InfoSec governance program?
a. An InfoSec development methodology
b. An InfoSec risk management methodology
c. An InfoSec project management assessment from an outside consultant
d. All of these are components of the InfoSec governance program


a
19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating b. Establishing
c. Acting d. Learning


b
20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
a. Initiating b. Establishing
c. Acting d. Learning


b
21. Which of the following is an information security governance responsibility of the Chief Security Officer?
a. Communicate policies and the program
b. Set security policy, procedures, programs and training
c. Brief the board, customers and the public
d. Implement policy, report security vulnerabilities and breaches


a
22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security
b. Information Security Management
c. Risk Management
d. Policy Management


c
23. Which of the following is a key advantage of the bottom-up approach to security implementation?
a. strong upper-management support
b. a clear planning and implementation process
c. utilizes the technical expertise of the individual administrators
d. coordinated planning from upper management


b
24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
a. software engineering b. joint application design
c. sequence-driven policies d. event-driven procedures


d
25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
a. modular continuous b. elementary cyclical
c. time-boxed circular d. traditional waterfall


a
26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators


b
27. What is the first phase of the SecSDLC?
a. analysis b. investigation
c. logical design d. physical design


a
28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer


d
29. In which phase of the SecSDLC does the risk management task occur?
a. physical design b. implementation
c. investigation d. analysis


b
30. An example of a stakeholder of a company includes all of the following except:
a. employees
b. the general public
c. stockholders
d. management


c
31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
a. champion
b. end user
c. team leader
d. policy developer


c
32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer


a
33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion
b. end user
c. team leader
d. policy developer


a
34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee
b. Board Finance Committee
c. Board Audit Committee
d. Chairman of the Board


b
35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization


a
37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization


a
38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.
b. joint application design
c. security policy review
d. disaster recovery planning


d
39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
a. system controls b. technical controls
c. operational controls d. managerial controls


c
Chapter 4

11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered


b
13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies


d
14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process b. legal recourse
c. what must be done to comply d. the proper operation of equipment


d
15. Which policy is the highest level of policy and is usually created first?
a. SysSP b. USSP
c. ISSP d. EISP


b
16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure b. standard
c. guideline d. practice


b
17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization's SDLC methodology
d. indemnification of the organization against liability


a
18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific b. enterprise information
c. system-specific d. user-specific


a
19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose


a
20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment


a
21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage


a
22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance b. business guidance and network guidance
c. user specifications and managerial guidance d. technical specifications and business guidance


d
23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules


b
24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access b. where the system is located
c. how authorized users can access the system d. when authorized users can access the system


c
25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
a. access control lists b. user profiles
c. configuration rules d. capability tables


d
26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design b. analysis
c. implementation d. investigation


a
27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design b. implementation
c. investigation d. analysis


b
28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation b. analysis
c. design d. investigation


d
29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
a. policy developer b. policy reviewer
c. policy enforcer d. policy administrator


b
30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
a. policy administration b. due diligence
c. adequate security measures d. certification and accreditation


d
Chapter 5

13. Which of the following variables is the most influential in determining how to structure an information security program?
a. Security capital budget b. Organizational size
c. Security personnel budget d. Organizational culture


d
14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger information security needs than a small organization


b
15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
a. Risk management b. Risk assessment
c. Systems testing d. Vulnerability assessment


a
16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing b. Risk assessment
c. Incident response d. Systems security administration


c
17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
a. compliance b. policy
c. planning d. systems security administration


b
18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance audit
d. risk management


a
19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician b. A security analyst
c. A security consultant d. The security manager


c
20. GGG security is commonly used to describe which aspect of security?
a. technical b. software
c. physical d. theoretical


c
21. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurence of accidental security breaches
d. increase the efficiency of InfoSec staff


c
22. A SETA program consists of three elements: security education, security training, and which of the following?.
a. security accountability b. security authentication
c. security awareness d. security authorization


b
23. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness


c
24. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education b. level of previous training
c. technology product d. number of employees


c
25. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
d. Motivate management and employees


c
26. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other b. Very cost-effective
c. Customized d. Maximizes use of company resources


d
27. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient


d
28. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible


a
29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee's convenience
d. Can be customized to the needs of the trainee


b
30. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences


b
31. __________ is a simple project management planning tool.
a. RFP b. WBS
c. ISO 17799 d. SDLC


d
32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
a. distance learning seminars b. security-themed Web site
c. conference calls d. security newsletter


d
33. Which of the following is true about a company's InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn't matter if the information is there
c. it should be placed on the Internet for public use
d. it should be tested with multiple browsers


c
Chapter 6

16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization
c. Legal management must develop corporate-wide standards d. InfoSec management must lead the way with skill, professionalism, and flexibility


a
17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis b. Risk identification
c. Risk management d. Risk reduction


d
18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
a. Creating an inventory of information assets
b. Classifying and organizing information assets into meaningful groups
c. Assigning a value to each information asset
d. Calculating the severity of risks to which assets are exposed in their current setting


c
19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
a. Determining the likelihood that vulnerable systems will be attacked by specific threats
b. Calculating the severity of risks to which assets are exposed in their current setting
c. Assigning a value to each information asset
d. Documenting and reporting the findings of risk identification and assessment


d
20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
a. Part number b. Serial number
c. MAC address d. IP address


b
21. Which of the following is an attribute of a network device is physically tied to the network interface?
a. Serial number b. MAC address
c. IP address d. Model number


d
22. Which of the following attributes does NOT apply to software information assets?
a. Serial number b. Controlling entity
c. Manufacturer name d. Product dimensions


d
23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
a. Name b. MAC address
c. Serial number d. Manufacturer's model or part number


b
24. Data classification schemes should categorize information assets based on which of the following?
a. Value and uniqueness b. Sensitivity and security needs
c. Cost and replacement value d. Ease of reproduction and fragility


c
25. Classification categories must be mutually exclusive and which of the following?
a. Repeatable b. Unique
c. Comprehensive d. Selective


d
26. What is the final step in the risk identification process?
a. Assessing values for information assets b. Classifying and categorizing assets
c. Identifying and inventorying assets d. Listing assets in order of importance


b
27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
a. Asset tag b. Relative value
c. Location ID d. Threat risk


a
28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory b. Audited accounting spreadsheet
c. Intellectual property assessment d. List of known threats


c
29. Which of the following is an example of a technological obsolescence threat?
a. Hardware equipment failure b. Unauthorized access
c. Outdated servers d. Malware


a
30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention b. Cost of litigation
c. Cost of detection d. Cost of identification


c
31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
a. Liabilities b. Defenses
c. Vulnerabilities d. Weaknesses


b
32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
a. Risk exposure report b. Threats-vulnerabilities-assets worksheet
c. Costs-risks-prevention database d. Threat assessment catalog


b
33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
a. Vulnerability mitigation controls b. Risk assessment estimate factors
c. Exploit likelihood equation d. Attack analysis calculation


d
34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
a. Risk determination b. Assessing potential loss
c. Likelihood and consequences d. Uncertainty


a
35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage b. Asset impact
c. Risk-rating factor d. Vulnerability likelihood


b
Chapter 7

16. Application of training and education is a common method of which risk control strategy?
a. mitigation b. defense
c. acceptance d. transferal


d
17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance b. avoidance
c. transference d. mitigation


a
18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan b. business continuity plan
c. disaster recovery plan d. damage control plan


c
19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability


b
20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk b. risk appetite
c. risk assurance d. risk termination


c
21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.


d
22. Which of the following affects the cost of a control?
a. liability insurance b. CBA report
c. asset resale d. maintenance


b
23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard b. single loss expectancy
c. value to adversaries d. annualized loss expectancy


a
24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis b. exposure factor
c. single loss expectancy d. annualized rate of occurrence


b
25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility b. political feasibility
c. technical feasibility d. operational feasibility


c
26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support b. implementing controls
c. evaluating alternative strategies d. measuring program effectiveness


a
27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components b. quantitative valuation of safeguards
c. subjective prioritization of controls d. risk analysis estimates


d
28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE b. FAIR
c. Hybrid Measures d. Delphi


c
29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment b. review and reapplication
c. monitoring and measurement d. evaluation and funding


c
30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components b. evaluate loss event frequency
c. assess control impact d. derive and articulate risk


b
31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation b. documented control strategy
c. risk acceptance plan d. mitigation plan


c
32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis b. asset valuation
c. cost avoidance d. cost-benefit analysis


c
33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking b. due care and due diligence
c. selective risk avoidance d. the gold standard


d
34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment b. risk treatment
c. risk communication d. risk determination


a
35. The NIST risk management approach includes all but which of the following elements?
a. inform b. assess
c. frame d. respond


a
36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester
b. gray-hat hacker
c. script kiddie
d. zebra team


c
12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model b. Wood's model
c. Bull's-eye model d. Bergeron and Berube model


True
4. A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.


True
11. A(n) polymorphic threat is one that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for pre-configured signatures. _________________________


True
12. The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________


True
2. The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.


True
3. Deterrence is the best method for preventing an illegal or unethical activity. ____________


True
5. Due diligence requires that an organization make a valid and ongoing effort to protect others. ____________


True
6. The Gramm-Leach-Bliley (GLB) Act (also known as the Financial Services Modernization Act of 1999) contains a number of provisions that affect banks, securities firms, and insurance companies. ___________


True
2. A clearly directed strategy flows from top to bottom rather than from bottom to top.


True
5. Penetration testing is often conducted by penetration testers—consultants or outsourced contractors who might be referred to as red teams.


True
9. Enterprise risk management is a valuable approach that can better align security functions with the business mission while offering opportunities to lower costs.


True
1. Policies must specify penalties for unacceptable behavior and define an appeals process.


True
2. One of the goals of an issue-specific security policy is to indemnify the organization against liability for an employee's inappropriate or illegal use of the system.


True
7. Information security policies are designed to provide structure in the workplace and explain the will of the organization's management. ____________


True
1. Small organizations spend more per user on security than medium- and large-sized organizations.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
5. On-the-job training can result in substandard work performance while the trainee gets up to speed.


True
7. Planners need to estimate the effort required to complete each task, subtask, or action step.


True
9. A task or subtask becomes a(n) action step when it can be completed by one individual or skill set and when it includes a single deliverable. _________________________


True
10. Each organization has to determine its own project management methodology for IT and information security projects.


True
2. The InfoSec community often takes on the leadership role in addressing risk.


True
4. The Australian and New Zealand Risk Management Standard 4360 uses qualitative methods to determine risk based on a threat's probability of occurrence and expected results of a successful attack.


True
5. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.


True
1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.


True
3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.


True
4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.


True
5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.


True
8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________


True
12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization is known as cost-benefit analysis (CBA). ____________


True
13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is known as the termination risk control strategy.


True
14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any prudent organization would do in similar circumstances. ____________


1. True or False? Information security management as a field is ever decreasing in
demand and responsibility because most organizations spend increasingly larger
percentages of their IT budgets in attempting to manage risk and mitigate intrusions,
not to mention the trend in many enterprises of moving all IT operations to an Internetconnected
infrastructure, known as enterprise cloud computing.
F


2. True or False? Information security is a business problem in the sense that the entire
organization must frame and solve security problems based on its own strategic
drivers, not solely on technical controls aimed to mitigate one type of attack.
T


3. True or False? In defining required skills for information security managers, the ISC has
arrived at an agreement on ten domains of information security that is known as the
Common Body of Knowledge (CBK).
T


4. True or False? Threats to information systems come in many flavors, some with
malicious intent, others with supernatural powers or expected surprises.
f


5. True or False? Threats are exploited with a variety of attacks, some technical, others not
so much.
t


1. The art of manipulating people into performing actions or divulging confidential
information, is known as:
A. Malware
B. Industrial espionage
C. Social engineering
D. Spam
E. Phishing
C


2. What describes activities such as theft of trade secrets, bribery, blackmail, and
technological surveillance as well as spying on commercial organizations and
sometimes governments?
A. Spam
B. Phishing
C. Hoaxes
D. Industrial espionage
E. Denial-of-service
D


3. What is the abuse of electronic messaging systems to indiscriminately send unsolicited
bulk messages, many of which contain hoaxes or other undesirable contents such as
links to phishing sites?
A. Spamming
B. Phishing
C. Hoaxes
D. Distributed denial-of-service
E. All of the Above
A


4. What is the criminally fraudulent process of attempting to acquire sensitive information
such as usernames, passwords, and credit-card details by masquerading as a
trustworthy entity in an electronic communication?
A. Splicing
B. Phishing
C. Bending
D. FSO
E. Cabling
B


5. What requires that an individual, program, or system process is not granted any more
access privileges than are necessary to perform the task?
A. Administrative controls
B. Principle of Least Privilege
C. Technical controls
D. Physical controls
E. Risk analysis
B


1. True or False? To give organizations a starting point to develop their own security management systems, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed a family of standards known as the Information Security Management System 27000 Family of Standards.
T


2. True or False? Training should also include creating company security policies and creating user roles that are specific to the organization.
T


3. True or False? The act of securing information has not been around for as long as the idea of storing information.
F


4. True or False? All personnel who come into contact with information systems need to be aware of the risks from improper use of those systems.
T


5. True or False? Each organization should not develop a company policy detailing the preferred use of company data or company software
F


1. _______ what is on the screen by photographing it?
A. Capture
B. Turn off
C. Document
D. Create
E. All of the above
C


2. _____the contents of the system's memory?
A. Turn off
B. Document
C. Create
D. Capture
E. All of the above
D


3. _____the computer?
A. Capture
B. Create
C. Document
D. Distribute
E. Turn off
E


4. _____a forensic image of the system's hard drive?
A. Create
B. Turn off
C. Capture
D. Document
E. All of the above
A


5. Devices that can be used to copy proprietary company data off the internal network are
known as:
A. Remote control software
B. Email
C. USB storage
D. General Internet use
E. Risk analysis
C


1. True or False? Security policies and procedures do not constitute the main part of any
organization's security.
F


2. True or False? Various security-related roles do not need to be maintained and well
defined.
F


3. True or False? End users have a responsibility to protect information assets on a daily
basis through adherence to the security policies that have been set and communicated.
T


4. True or False? Top management does not play an important role in protecting the
information assets in an organization.
F


5. True or False? The security officer "directs, coordinates, plans, and organizes
information security activities throughout the organization.
T


1. Who are responsible for ensuring that the information security policies and procedures
have been adhered to?
A. Information owners
B. Information system auditors
C. Security officers
D. Executive management
E. All of the above
B


2. Who is responsible for building IT security controls into the design and
implementations of the systems?
A. Information owners
B. Information system auditors
C. IT personnel
D. Systems Administrator
E. All of the above
C


3. Who is responsible for configuring the hardware and the operating system to ensure
that the information systems and their contents are available for business as and when
needed?
A. Information System Auditor
B. Information Owners
C. Systems Administrator
D. Security Officer
E. Executive Management
C


4. What analyzes the impact of outage on critical business function operations?
A. Risk assessment
B. Recovery strategy identification
C. Recovery strategy selection
D. Business impact analysis
E. All of the above
D


5. What documents the processes, equipment, and facilities required to restore the
IT assets?
A. Contingency plan development
B. User training
C. Plan verification
D. Plan maintenance
E. Recovery strategy selection
A


1. True or False? A digital identity is a representation of an entity in a general context.
f


2. True or False? Identity management refers to "the process of representing, using,
maintaining, deprovisioning and authenticating entities as digital identities in computer
networks."
t


3. True or False? Privacy is a central issue, due to the fact that the official authorities of
almost all countries have legal strict policies related to identity.
t


4. True or False? The evolution of the identity management system is away from the
simplification of user experience and reinforcing authentication.
f


5. True or False? The security is also compromised with the proliferation of the user's
password and even by it's strength.
f


1. The main identity management system deployed currently in the world of the Internet
is known as the?
A. Federated identity management model
B. Identity life cycle
C. Aggregate identity
D. Executive management model
E. Silo model
b


2. ________________ in centralized identity infrastructures, can't solve the problem of
cross-organizational authentication and authorization?
A. Centrally managed repositories
B. Information system auditors
C. IT personnel
D. Systems Administrators
E. All of the above
a


3. A relatively simple ____________ model is to build a platform that centralizes
identities?
A. Common user identity management
B. Simple centralized identity management
C. Unique identity management
D. Meta directory
E. Executive Management
b


4. What provides an abstraction boundary between application and the actual
implementation?
A. Single point of administration
B. Redundant directory information
C. Single point of reference
D. Business impact analysis
E. All of the above
c


5. What directories are not located in the same physical structure as the Web home
directory, but look as if they were to Web clients?
A. Single Sign-On
B. Seamless
C. Session
D. Virtual
E. Flexible
d


1. True or False? Information security concerns itself with the integrity and availability of
information systems and the information or data they contain and process.
f


2. True or False? Having physical access to a computer system allows an adversary to
bypass most security protections put in place to prevent unauthorized access.
t


3. True or False? An insider is an individual who, due to their role in the organization,
has some level of authorized access to the IS environment and systems.
t


4. True or False? An outsider is considered anyone who does not have authorized access
privileges to an information system or environment.
t


5. True or False? Malware can be generally defined as "a set of instructions that run on
your computer and make your system do something that allow an attacker to make it
do what he wants it to do."
t


1. What is a self-replicating code that attaches itself to another program?
A. Worm
B. Virus
C. Backdoor
D. Trojan Horse
E. User-level Rootkit
b


2. What is a self-replicating code that propagates over a network, usually without human
interaction?
A. Backdoor
B. Virus
C. Worm
D. Trojan Horse
E. User-level Rootkit
c


3. What is a program that bypasses standard security controls to provide an attacker
access, often in a stealthy way?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
d


4. What is a program that masquerades as a legitimate, useful program while also
performing malicious functions in the background?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What is the Trojan/ backdoor code that modifies operating system software so the
attacker can maintain privileged access on a machine but remain hidden?
A. Trojan Horse
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
e


1. True or False? Network firewalls are a vital component for maintaining a secure
environment and are often the first line of defense against attack.
t


2. True or False? When a packet arrives at a firewall, a hacker policy is applied to
determine the appropriate action.
f


3. True or False? Multiple rules of a single firewall policy may match a packet—for
example, a packet could match rules 2, 6, and 7 of the policy.
f


4. True or False? For most firewalls, the first rule that matches a packet is not typically
applied.
f


5. True or False? Given that a network firewall will not inspect all packets transmitted
between multiple networks, these devices need to determine the appropriate match
with minimal delay.
t


1. What refers to how often the rule is a match?
A. Worm
B. Virus
C. Backdoor
D. More popular
E. User-level Rootkit
d


2. What is the most basic type of a firewall since it only filters at the network and
transport layers (layers two and three)?
A. Backdoor
B. Virus
C. Worm
D. Packet filter
E. User-level Rootkit
d


3. What perform the same operations as packet filters, but also maintain state about the
packets that have arrived?
A. Stateful firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


4. What can filter traffic at the network, transport, and application layer?
A. Application layer firewalls
B. Virus
C. Worm
D. Backdoor
E. User-level Rootkit
a


5. What can also be categorized based on where they are implemented or what they are
intended to protect—host or network?
A. Trojan Horse
B. Firewalls
C. Worm
D. Backdoor
E. User-level Rootkit
b


1. True or False? Penetration testing is the exploitation of vulnerabilities absent in an
organization's network.
f


2. True or False? Some sources classify penetration testing into two types—internal and
external—and then talk about the "variations" of these types of tests based on the
amount of information the test team has been given about the organization prior to
starting the test.
t


3. True or False? When a penetration test is conducted against Internet-facing hosts, it is
known as external testing.
t


4. True or False? There are three phases in a penetration test, and they mimic the phases
that an attacker would use to conduct a real attack.
t


5. True or False? The pre-attack phase consists of the penetration team's or hacker's
attempts to investigate or explore the potential target.
t


1. What stage involves the actual compromise of the target?
A. Worm Phase
B. Virus Phase
C. Backdoor Phase
D. More popular Phase
E. Attack Phase
e


2. What is unique to the penetration test team?
A. Backdoor Phase
B. Virus Phase
C. Post-Attack Phase
D. Packet filter Phase
E. User-level Rootkit Phase
c


3. What is simply a way to ensure that a particular activity is conducted in a standard
manner, with documented and repeatable results?
A. Stateful firewalls
B. Virus
C. Methodology
D. Backdoor
E. User-level Rootkit
c


4. What have been developed by particular entities offering network security services or
certifications?
A. Application layer firewalls
B. Proprietary methodologies
C. Worms
D. Backdoors
E. User-level Rootkit
b


5. What test is a systematic analysis of all security controls in place at the tested
organization?
A. Trojan Horse
B. Firewalls
C. Worm
D. Comprehensive penetration
E. User-level Rootkit
d


When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
D


To better deal with computer crime, several legislative bodies have taken what
steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
B






00:02
01:10
Which factor is the most important item when it comes to ensuring security is successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A


Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COSO IC
C


Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.
C


When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and
potential loss.
D


Which is the most valuable technique when determining if a specific security
control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
B


Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
D


How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
D


Why should the team that will perform and review the risk analysis information
be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn't. It should be a small group brought in from outside the
organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.
C


Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
C


Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
D


What is COBIT and where does it fit into the development of information security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
D


What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST SP 800-60
A


OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are
corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.
B


What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.
C


The purpose of initiating emergency procedures right after a disaster takes place is
to prevent loss of life and injuries, and to _______________.
A. secure the area to ensure that no looting or fraud takes place
B. mitigate further damage
C. protect evidence and clues
D. investigate the extent of the damages
B


Which of the following would you use to control the public distribution, reproduction,
display, and adaptation of an original white paper written by your staff?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
B


Many privacy laws dictate which of the following rules?
A. Individuals have a right to remove any data they do not want others to know.
B. Agencies do not need to ensure that the data is accurate.
C. Agencies need to allow all government agencies access to the data.
D. Agencies cannot use collected data for a purpose different from what they
were collected for.
D


The term used to denote a potential cause of an unwanted incident, which may
result in harm to a system or organization is
A. Vulnerability
B. Exploit
C. Threat
D. Attacker
C


A CISSP candidate signs an ethics statement prior to taking the CISSP
examination. Which of the following would be a violation of the (ISC) 2 Code of Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP
candidates
B. Submitting comments on the questions of the exam to (ISC) 2
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
A


Which of the following has an incorrect definition mapping?
i. Civil (code) law: Based on previous interpretations of laws
ii. Common law: Rule-based law, not precedence-based
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region
A. i, iii
B. i, ii, iii
C. i, ii
D. iv
C




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Which of the following statements is true about the information life cycle?
A. The information life cycle begins with its archival and ends with its classification.
B. Most information must be retained indefinitely.
C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.
D. Preparing information for use does not typically involve adding metadata to it.
C


Ensuring data consistency is important for all the following reasons, except
A. Replicated data sets can become desynchronized.
B. Multiple data items are commonly needed to perform a transaction.
C. Data may exist in multiple locations within our information systems.
D. Multiple users could attempt to modify data simultaneously.
B


Which of the following makes the most sense for a single organization's
classification levels for data?
A. Unclassified, Secret, Top Secret
B. Public, Releasable, Unclassified
C. Sensitive, Sensitive But Unclassified (SBU), Proprietary
D. Proprietary, Trade Secret, Private
A


Which of the following is the most important criterion in determining the
classification of data?
A. The level of damage that could be caused if the data were disclosed
B. The likelihood that the data will be accidentally or maliciously disclosed
C. Regulatory requirements in jurisdictions within which the organization is
not operating
D. The cost of implementing controls for the data
A


The effect of data aggregation on classification levels is best described by which of the following?
A. Data classification standards apply to all the data within an organization.
B. Aggregation is a disaster recovery technique with no effect on classification.
C. A low-classification aggregation of data can be deconstructed into higher-classification data items.
D. Items of low-classification data combine to create a higher-classification set.
D


A transition into the disposal phase of the information life cycle is most commonly triggered by
A. Senior management
B. Insufficient storage
C. Acceptable use policies
D. Data retention policies
D


During which phase or phases of the information life cycle can cryptography be an effective control?
A. Use
B. Archival
C. Disposal
D. All the above
D


Who bears ultimate responsibility for the protection of assets within the organization?
A. Data owners
B. Cyber insurance providers
C. Senior management
D. Security professionals
C


Information classification is most closely related to which of the following?
A. The source of the information
B. The information's destination
C. The information's value
D. The information's age
C


The data owner is most often described by all of the following except
A. Manager in charge of a business unit
B. Ultimately responsible for the protection of the data
C. Financially liable for the loss of the data
D. Ultimately responsible for the use of the data
C




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Data at rest is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
D


Data in motion is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
C


Data in use is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
B


Who has the primary responsibility of determining the classification level for information?
A. The functional manager
B. Senior management
C. The owner
D. The user
C


If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
C


What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
B


Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
D


Which of the following requirements should the data retention policy address?
A. Legal
B. Regulatory
C. Operational
D. All the above
D


Which of the following is not addressed by the data retention policy?
A. What data to keep
B. For whom data is kept
C. How long data is kept
D. Where data is kept
B


Which of the following best describes an application of cryptography to protect data at rest?
A. VPN
B. Degaussing
C. Whole-disk encryption
D. Up-to-date antivirus software
C




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
Which of the following best describes an application of cryptography to protect data in motion?
A. Testing software against side-channel attacks
B. TLS
C. Whole-disk encryption
D. EDLP
B


Which of the following best describes the mitigation of data remanence by a
physical destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
D


Which of the following best describes the mitigation of data remanence by a
degaussing destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
C


Which of the following best describes the mitigation of data remanence by an
overwriting process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
A


What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
C


What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
B


If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
C


The trusted computing base (TCB) contains which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
D


What is the imaginary boundary that separates components that maintain security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy
D


What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
A




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
In secure computing systems, why is there a logical form of separation used between processes?
A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only access protection levels above them.
C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.
D. The separation is hardware and not logical in nature.
A


What type of rating is used within the Common Criteria framework?
A. PP
B. EPL
C. EAL
D. A-D
C


Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
A


Which of the following is an incorrect description pertaining to the common components that make up computer systems?
i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process-characteristic data as in condition bits.
ii. A processor sends a memory address and a "read" request down an address bus and a memory address and a "write" request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process.
A. i
B. i, ii
C. ii, iii
D. ii, iv
D


What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used
A


Why has the frequency of successful brute-force attacks increased?
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.
C


Which of the following is not a property or characteristic of a one-way hash function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the corresponding message.
C. It should be impossible or rare to derive the same digest from two different messages.
D. It converts a message of fixed length to an arbitrary length value.
D


What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.
C


Which of the following is a U.S. federal government algorithm developed for creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm
C


Which of the following best describes the difference between HMAC and CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.
C


What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.
A


What is used to create a digital signature?
A. The receiver's private key
B. The sender's public key
C. The sender's private key
D. The receiver's public key
C


Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of a message
D


How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
A


Why would a certificate authority revoke a certificate?
A. If the user's public key has become compromised
B. If the user changed over to using the PEM model that uses a web of trust
C. If the user's private key has become compromised
D. If the user moved to a new location
C


What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature
B


Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates
D


What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm
C


Who was involved in developing the first public key algorithm?
A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman
D


What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange
D


DES performs how many rounds of transposition/permutation and substitution?
A. 16
B. 32
C. 64
D. 56
A


Which of the following is a true statement pertaining to data encryption when it
is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.
B


If different keys generate the same ciphertext for the same message, what is
this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
D


What is the definition of an algorithm's work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions
D


What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.
B


Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman
B


Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages.
A


Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA
A


The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process?
A. Hashing values
B. Asymmetric values
C. Salts
D. Passwords
B


When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
A


Which of the following is not a main component of CPTED?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Target hardening
D


Which problems may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes corrosion, and low humidity causes static electricity.
C. High humidity causes power fluctuations, and low humidity causes static electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.
B


What does positive pressurization pertaining to ventilation mean?
A. When a door opens, the air comes in.
B. When a fire takes place, the power supply is disabled.
C. When a fire takes place, the smoke is diverted to one room.
D. When a door opens, the air goes out.
D


Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
D


How does TKIP provide more protection for WLAN environments?
A. It uses the AES algorithm.
B. It decreases the IV size and uses the AES algorithm.
C. It adds more keying material.
D. It uses MAC and IP filtering.
C


Which of the following is not a characteristic of the IEEE 802.11a standard?
A. It works in the 5-GHz range.
B. It uses the OFDM spread spectrum technology.
C. It provides 52 Mbps in bandwidth.
D. It covers a smaller distance than 802.11b.
C


Why are switched infrastructures safer environments than routed networks?
A. It is more difficult to sniff traffic since the computers have virtual private connections.
B. They are just as unsafe as nonswitched environments.
C. The data link encryption does not permit wiretapping.
D. Switches are more intelligent than bridges and implement security mechanisms.
A


Which of the following protocols is considered connection-oriented?
A. IP
B. ICMP
C. UDP
D. TCP
D


Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?
A. Open relay manipulation
B. VLAN hopping attack
C. Hypervisor denial-of-service attack
D. Smurf attack
B


Which of the following proxies cannot make access decisions based upon protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
C


Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component?
A. Orthogonal frequency division
B. Unified threat management modem
C. Virtual firewall
D. Internet Security Association and Key Management Protocol
C


Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?
A. Data link, session, application, transport, and network
B. Data link, transport, application, session, and network
C. Network, session, application, network, and transport
D. Network, transport, application, session, and presentation
A


Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes?
A. Network convergence
B. Security as a service
C. Unified threat management
D. Integrated convergence management
C


Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?
A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks.
B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity.
C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.
D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.
D


Systems that are built on the OSI framework are considered open systems. What does this mean?
A. They do not have authentication mechanisms configured by default.
B. They have interoperability issues.
C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems.
D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.
C


Which of the following protocols work in the following layers: application, data link, network, and transport?
A. FTP, ARP, TCP, and UDP
B. FTP, ICMP, IP, and UDP
C. TFTP, ARP, IP, and UDP
D. TFTP, RARP, IP, and ICMP
C


What takes place at the data link layer?
A. End-to-end connection
B. Dialog control
C. Framing
D. Data syntax
C


What takes place at the session layer?
A. Dialog control
B. Routing
C. Packet sequencing
D. Addressing
A


Which best describes the IP protocol?
A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction
B. A connectionless protocol that deals with the addressing and routing of packets
C. A connection-oriented protocol that deals with the addressing and routing of packets
D. A connection-oriented protocol that deals with sequencing, error detection, and flow control
B


Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?
A. Authentication protocol used in wireless networks and point-to-point connections
B. Designed to provide authentication for 802.11 WLANs
C. Designed to support 802.1X port access control and Transport Layer Security
D. Designed to support password-protected connections
D


The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP.
A. Session Initiation Protocol
B. Real-time Transport Protocol
C. SS7
D. VoIP
A


Which of the following is not one of the stages of the DHCP lease process?
i. Discover
ii. Offer
iii. Request
iv. Acknowledgment
A. All of them
B. None of them
C. i, ii
D. ii, iii
B


An effective method to shield networks from unauthenticated DHCP clients is
through the use of _______________ on network switches.
A. DHCP snooping
B. DHCP protection
C. DHCP shielding
D. DHCP caching
A


Wireless LAN technologies have gone through different versions over the years
to address some of the inherent security issues within the original IEEE 802.11
standard. Which of the following provides the correct characteristics of Wi-Fi
Protected Access 2 (WPA2)?
A. IEEE 802.1X, WEP, MAC
B. IEEE 802.1X, EAP, TKIP
C. IEEE 802.1X, EAP, WEP
D. IEEE 802.1X, EAP, CCMP
D


Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message?
A. PPTP
B. S/MIME
C. Link encryption
D. SSH
B


Charlie uses PGP on his Linux-based email client. His friend Dave uses S/MIME on his Windows-based email. Charlie is unable to send an encrypted email to Dave. What is the likely reason?
A. PGP and S/MIME are incompatible
B. Each has a different secret key
C. Each is using a different CA
D. There is not enough information to determine the likely reason
A


1. Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.
B


2. Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.
C


3. How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user's password against a database of stored credentials.
D


4. Which access control method is considered user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary
B


5. Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
A


6. If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary
A


7. The process of mutual authentication involves _______________.
A. a user authenticating to a system and the system authenticating to the user
B. a user authenticating to two systems at the same time
C. a user authenticating to a server and then to a process
D. a user authenticating, receiving a ticket, and then authenticating to a service
A


8. In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security officer
C. Security policy
D. Owner
D


9. Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User's workstation
C. Logon credentials
D. RADIUS
A


10. What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability
C


11. Who or what determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels
B


12. Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.
C


13. Which of the following is the best description of directories that are used in identity management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDAP.
A


14. Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration
B


15. What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization
D


16. Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly-based
B. Protocol anomaly-based
C. Temporal anomaly-based
D. Traffic anomaly-based
C


20. Which of the following has the correct term-to-definition mapping?
i. Brute-force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user's password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii
C


Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information.
C


All of the following are steps in the security audit process except which one?
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.
B


Which of the following is an advantage of using third-party auditors? A. They may have knowledge that an organization wouldn't otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports.
A


Choose the term that describes an audit report that covers the information security controls of a service organization and is intended for public release.
A. SOC 1
B. SOC 2
C. SOC 3
D. Both B and C.
C


Which of the following is true of a vulnerability assessment?
A. The aim is to identify as many vulnerabilities as possible.
B. It is not concerned with the effects of the assessment on other systems.
C. It is a predictive test aimed at assessing the future performance of a system.
D. Ideally the assessment is fully automated with no human involvement.
A


An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as
A. Physical testing
B. Personnel testing
C. Vulnerability testing
D. Network testing
B


Which of the following is an assessment that affords the auditor detailed knowledge of the system's architecture before conducting the test?
A. White box testing
B. Gray box testing
C. Black box testing
D. Zero knowledge testing
A


Vulnerability scans normally involve all of the following except which one?
A. The identification of active hosts on the network
B. The identification of malware on all hosts
C. The identification of misconfigured settings
D. The identification of operating systems
B


Security event logs can best be protected from tampering by which one of the following?
A. Encrypting the contents using asymmetric key encryption
B. Ensuring every user has administrative rights on their own workstations
C. Using remote logging over simplex communications media
D. Storing the event logs on DVD-RW
C


Synthetic transactions are best described as
A. Real user monitoring (RUM)
B. Transactions that fall outside the normal purpose of a system
C. Transactions that are synthesized from multiple users' interactions with the system
D. A way to test the behavior and performance of critical services
D


Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal?
A. Misuse case testing
B. Use case testing
C. Real user monitoring (RUM)
D. Fuzzing
A


Code reviews include all the following except which one?
A. Ensuring the code conforms to applicable coding standards
B. Discussing bugs, design issues, and anything else that comes up about the code
C. Agreeing on a "disposition" for the code
D. Fuzzing the code
D


Interface testing could involve which of the following?
A. The application programming interface (API)
B. The graphical user interface (GUI)
C. Both of the above
D. None of the above
C


One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this?
A. Rebooting the compromised host
B. Exporting the password hash table
C. Pivoting from the compromised host to another target
D. Adding a privileged user account
D


Which of the following is not normally an element of user accounts management audits?
A. Password hashing
B. Signed AUPs
C. Privileged accounts
D. Suspended accounts
A


How might one test adherence to the user accounts policy?
A. User self-reporting
B. Penetration testing
C. Management review
D. User records auditing
D


Which operating systems allows users to temporarily elevate their privileges in order to launch an application at a higher privilege level?
A. All major desktop operating systems
B. Recent versions of Windows
C. Linux and Windows
D. Recent versions of Mac OS X
A


All of the following are normally legitimate reasons to suspend rather than delete user accounts except which one?
A. Regulatory compliance
B. Protection of the user's privacy
C. Investigation of a subsequently discovered event
D. Data retention policy
B


Data backup verification efforts should
A. Have the smallest scope possible
B. Be based on the threats to the organization
C. Maximize impact on business
D. Focus on user data
B


Why would an organization need to periodically test disaster recovery and business continuity plans if they've already been shown to work?
A. Environmental changes may render them ineffective over time.
B. It has low confidence in the abilities of the testers.
C. To appease senior leadership.
D. Resources may not be available in the future to test again.
A


All of the following are types of tests for disaster recovery and business continuity plans except which one?
A. Structured walk-through test
B. Simulation test
C. Null hypothesis test
D. Full-interruption test
C


What is the difference between security training and security awareness training?
A. Security training is focused on skills, while security awareness training is focused on recognizing and responding to issues.
B. Security training must be performed, while security awareness training is an aspirational goal.
C. Security awareness training is focused on security personnel, while security training is geared toward all users.
D. There is no difference. These terms refer to the same process.
A


Which of the following is not a form of social engineering?
A. Pretexting
B. Fishing
C. Whaling
D. Blackmailing
B


What is a key performance indicator (KPI)?
A. Any attribute of the ISMS that can be described as a value
B. The value of a factor at a particular point in time
C. A derived value that is generated by comparing multiple measurements against each other or against a baseline
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS
D


Which of the following is true about key risk indicators (KRIs)?
A. They tell managers where an organization stands with regard to its goals.
B. They are inputs to the calculation of single loss expectancy (SLE).
C. They tell managers where an organization stands with regard to its risk appetite.
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS.
C


Which of the following is true of management reviews?
A. They happen periodically and include results of audits as a key input.
B. They happen in an ad hoc manner as the needs of the organization dictate.
C. They are normally conducted by mid-level managers, but their reports are presented to the key business leaders.
D. They are focused on assessing the management of the information systems.
A


What is the difference between due care and due diligence?
A. Due care is the continual effort to ensure that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations.
B. Due care is based on the prudent person concept, whereas due diligence is not.
C. They mean the same thing.
D. Due diligence involves investigating the risks, whereas due care involves carrying out the necessary steps to mitigate these risks.
D


Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure the employee does not get burnt out.
C


Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the
B


If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values
C


Why is it important to control and audit input and output values?
A. Incorrect values can cause mistakes in data processing and be evidence of fraud.
B. Incorrect values can be the fault of the programmer and do not comply with the due care clause.
C. Incorrect values can be caused by brute-force attacks.
D. Incorrect values are not security issues.
A


What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
D. They are two different terms for the same issue.
C


Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server
A


A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses will carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.
A


What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server.
A


When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place
A


Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.
B


What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.
C


Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls
C


What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices
D


Which is not a drawback to installing intrusion detection and monitoring systems?
A. It's expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It's subject to false alarms.
B


What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad
D


If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.
A


Which of the following best describes the difference between a warded lock and
a tumbler lock?
A. A tumbler lock is more simplistic and easier to circumvent than a warded lock.
B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders.
C. A tumbler lock has more components than a warded lock.
D. A warded lock is mainly used externally, and a tumbler lock is used internally.
C


All of the following are best practices for controlling the software that is installed and authorized to run in our systems except which?
A. Application whitelisting
B. Code reviews
C. Gold Masters
D. Least privilege
B


You come across an advanced piece of polymorphic malware that uses a custom communications protocol for network traffic. This protocol has a distinctive signature in its header. Which tool is best suited to mitigate this malware by preventing the packets from traversing the network?
A. Antimalware
B. Stateful firewall
C. Intrusion detection system (IDS)
D. Intrusion prevention system (IPS)
D


Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the company's parking lot
B


Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types
B


Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within to minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.
D


Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.
A


Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment
D


After a computer forensic investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container
B. Dust the evidence for fingerprints
C. Make an image copy of the disks
D. Lock the evidence in the safe
C


Which of the following is a necessary characteristic of evidence for it to be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.
C


If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be called?
A. Incident recovery response
B. Entrapment
C. Illegal
D. Enticement
D


An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following?
A. A virus
B. A Trojan horse
C. A worm
D. A logic bomb
B


Which of the following best describes the term DevOps?
A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects.
B. A multidisciplinary development team with representatives from many or all the stakeholder populations.
C. The operationalization of software development activities to support just-in- time delivery.
D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning.
A


A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action?
A. Disinfect the file and contact the vendor
B. Back up the data and disinfect the file
C. Replace the file with the file saved the day before
D. Restore an uninfected version of the patched file from backup media
D


What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
B


Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
C


Which of the following techniques or set of techniques is used to deter database inference attacks?
A. Partitioning, cell suppression, and noise and perturbation
B. Controlling access to the data dictionary
C. Partitioning, cell suppression, and small query sets
D. Partitioning, noise and perturbation, and small query sets
A


When should security first be addressed in a project?
A. During requirements development
B. During integration testing
C. During design specifications
D. During implementation
A


An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following?
A. Roll back and rewrite over original data
B. Terminate all transactions until properly addressed
C. Write a report to be reviewed
D. Checkpoint each data entry
C


Which of the following are rows and columns within relational databases?
A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes
D


Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement thecharacteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test?
i. Atomicity Divides transactions into units of work and ensures that all modifications take effect or none takes effect.
ii. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
iii. Isolation Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.
A. i, ii
B. ii. iii
C. ii, iv
D. iv
D


The software development life cycle has several phases. Which of the following lists these phases in the correct order?
A. Requirements gathering, design, development, maintenance, testing, release
B. Requirements gathering, design, development, testing, release
C. Prototyping, build and fix, increment, test, maintenance
D. Prototyping, testing, requirements gathering, integration, testing
B


__________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR
C


Which of the following is the second level of the Capability Maturity Model
Integration?
A. Repeatable
B. Defined
C. Managed
D. Optimizing
A


One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic?
A. The building blocks of software are autonomous objects, cooperating through the exchange of messages.
B. The internal components of an object can be redefined without changing other parts of the system.
C. Classes are reused by other programs, though they may be refined through inheritance.
D. Object-oriented analysis, design, and modeling map to business needs and solutions.
D


Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field?
A. Traversal attack
B. Unicode encoding attack
C. URL encoding attack
D. Buffer overflow attack
B


Which of the following has an incorrect attack to definition mapping?
A. EBJ XSS attack Content processing stages performed by the client, typically in client-side Java.
B. Nonpersistent XSS attack Improper sanitation of response from a web client.
C. Persistent XSS attack Data provided by attackers is saved on the server.
D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript.
A


John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement?
A. Relational database
B. Object-relational database
C. Network database
D. Dynamic-static
B


Which of the following is not very useful in assessing the security of acquired software?
A. The reliability and maturity of the vendor
B. The NIST's National Software Reference Library
C. Third-party vulnerability assessments
D. In-house code reviews
B


Aaron is a security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement?
A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS
C


Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security
C


It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the
A. Federal Privacy Act
B. PATRIOT Act
C. Fourth Amendment of the Constitution
D. Bill of Rights
C


Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces an enterprise-wide security policy, standards, and guidelines.
C


Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company's policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration?
A. Each country may or may not have unique notification requirements.
B. All breaches must be announced to affected parties within 24 hours.
C. Breach notification is a "best effort" process and not a guaranteed process.
D. Breach notifications are avoidable if all PII is removed from data stores.
A


A software development company released a product that committed several errors that were not expected once deployed in their customers' environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted?
A. Unit
B. Compiled
C. Integration
D. Regression
D


It is important to choose the right risk analysis methodology to meet the goals of the organization's needs. Which of the following best describes when the risk management standard AS/NZS 4360 should be used?
A. When there is a need to assess items of an organization that are directly related to information security
B. When there is a need to assess items of an organization that are not just restricted to information security
C. When a qualitative method is needed to prove the compliance levels as they pertain to regulations
D. When a qualitative method is needed to prove the compliance levels as they pertain to laws
B


Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?
A. Evaluation, accreditation, certification
B. Evaluation, certification, accreditation
C. Certification, evaluation, accreditation
D. Certification, accreditation, evaluation
B


The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit?
A. SSL
B. VPN
C. IEEE 802.1x
D. Whole-disk encryption
B


There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?
A. Best evidence
B. Corroborative evidence
C. Conclusive evidence
D. Direct evidence
B


A(n) _____ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.
A. Anti-spoofing symbol
B. CAPTCHA
C. Spam anti-spoofing symbol
D. CAPCHAT
B


Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position?
A. Ensuring that company financial information is correct and secure
B. Ensuring that customer, company, and employee data is protected
C. Ensuring that security policies are defined and enforced
D. Ensuring that partner information is kept safe
B


A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed?
Develop a risk management team
Calculate the value of each asset
Identify the vulnerabilities and threats that can affect the identified assets
Identify company assets to be assessed
A. 1, 3, 2, 4
B. 2, 1, 4, 3
C. 3, 1, 4, 2
D. 1, 4, 2, 3
D


Jack needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn't want to wait for the users to report problems. Which of the following techniques should Jack use?
A. Real user monitoring
B. Synthetic transactions
C. Log reviews
D. Management review
B


Which of the following best describes a technical control for dealing with the risks presented by data remanence?
A. Encryption
B. Data retention policies
C. File deletion
D. Using solid-state drives (SSD)
A


George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank's customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation?
A. Web servers were compromised through cross-scripting attacks.
B. TLS connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with Trojan horses that installed keyloggers.
D. Web servers were compromised and masquerading attacks were carried out.
C


Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers
B


In what order would a typical PKI infrastructure perform the following transactions?
Receiver decrypts and obtains session key.
Sender requests receiver's public key.
Public key is sent from a public directory.
Sender sends a session key encrypted with receiver's public key.
A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1
C


Which of the following is not a concern of a security professional considering adoption of Internet of Things (IoT) devices?
A. Weak or nonexistent authentication mechanisms
B. Vulnerability of data at rest and data in motion
C. Difficulty of deploying patches and updates
D. High costs associated with connectivity
D


What type of rating system is used within the Common Criteria structure?
A. PP
B. EPL
C. EAL
D. A-D
C


31.____, a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.
____ is an XML-based framework being developed by OASISfor exchanging user, resource, and service provisioning information between cooperating organizations.
A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML)
B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML)
C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML)
D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)
B


Doors configured in fail-safe mode assume what position in the event of a powerfailure?
A. Open and locked
B. Closed and locked
C. Closed and unlocked
D. Open
C


Next-generation firewalls combine the best attributes of other types of firewalls. Which of the following is not a common characteristic of these firewall types?
A. Integrated intrusion prevention system
B. Sharing signatures with cloud-based aggregators
C. Automated incident response
D. High cost
C


The purpose of security awareness training is to expose personnel to security issues so that they may be able to recognize them and better respond to them. Which of the following is not normally a topic covered in security awareness training?
A. Social engineering
B. Phishing
C. Whaling
D. Trolling
D


A ____ is the amount of time it should take to recover from a is the amount of data, measured in time, that can
disaster, and a ____ be lost and be tolerable from that same event.
A. recovery time objective, recovery point objective
B. recovery point objective, recovery time objective
C. maximum tolerable downtime, work recovery time
D. work recovery time, maximum tolerable downtime
A


In the structure of Extensible Access Control Markup Language (XACML), a Subject element is the ____ , a Resource element is the ____ , and an Action element is the ____.
A. requesting entity, requested entity, types of access
B. requested entity, requesting entity, types of access
C. requesting entity, requested entity, access control
D. requested entity, requesting entity, access control
A


The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its ____, disregarding its current location in the Internet. While away from its home network, a mobile node is associated with a ____.
A. prime address, care-of address
B. home address, care-of address
C. home address, secondary address
D. prime address, secondary address
B


Instead of managing and maintaining many different types of security products and solutions, Joan wants to purchase a product that combines many technologies into one appliance. She would like to have centralized control, streamlined maintenance, and a reduction in stove pipe security solutions. Which of the following would best fit Joan's needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS\IPS integration
D. Unified threat management
D


Why is it important to have a clearly defined incident-handling process in place?
A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and confusing manner
B. To provide a quick reaction to a threat so that a company can return to normal operations as soon as possible
C. To provide a uniform approach with certain expectations of the results
D. All of the above
D


Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules?
A. Council of Global Convention on Cybercrime
B. Council of Europe Convention on Cybercrime
C. Organisation for Economic Co-operation and Development
D. Organisation for Cybercrime Co-operation and Development
C


System ports allow different computers to communicate with each other's services and protocols. Internet Corporation for Assigned Names and Numbers has assigned registered ports to be ____ and dynamic ports to be ____.
A. 0-1024, 49152-65535
B. 1024-49151, 49152-65535
C. 1024-49152, 49153-65535
D. 0-1024, 1025-49151
B


When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the following provides the correct formula to understand the value of a safeguard?
A. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
B. (ALE before implementing safeguard) - (ALE during implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
C. (ALE before implementing safeguard) - (ALE while implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
D. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of asset) = value of safeguard to the company
A


Bringing in external auditors has advantages over using an internal team. Which of the following is not true about using external auditors?
A. They are required by certain governmental regulations.
B. They bring experience gained by working in many other organizations.
C. They know the organization's processes and technology better than anyone else.
D. They are less influenced by internal culture and politics.
C


Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing
D


In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols?
A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control information to provide feedback on QoS levels.
B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels.
C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide feedback on QoS levels.
D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control information to provide feedback on QoS levels.
D


ISO/IEC 27031:2011 is an international standard for business continuity that organizations can follow. Which of the following is a correct characteristic of this standard?
A. Guidelines for information and communications technology readiness for business continuity
B. ISO/IEC standard that is a component of the overall BS 7999 series
C. Standard that was developed by NIST and evolved to be an international standard
D. Component of the Safe Harbor requirements
A


A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. This can normally be accomplished in all the following ways except which one?
A. Compromising an existing privileged account
B. Creating a new privileged account
C. Deleting the /etc/passwd file
D. Elevating the privileges of an existing account
C


IPSec's main protocols are AH and ESP. Which of the following services does AH provide?
A. Confidentiality and authentication
B. Confidentiality and availability
C. Integrity and accessibility
D. Integrity and authentication
D


When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for?
A. Availability, confidentiality, integrity, durability
B. Availability, consistency, integrity, durability
C. Atomicity, confidentiality, isolation, durability
D. Atomicity, consistency, isolation, durability
D


Which of the following is a representation of the logical relationship between elements of data and dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements?
A. Data element
B. Array
C. Secular component
D. Data structure
D


If the ALE for a specific asset is $100,000, and after implementation of the control the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. It depends on the ARO
A


ISO/IEC 27000 is a growing family of ISO/IEC information security management system (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002: Code of practice for information security management
B. ISO/IEC 27003: Guideline for ISMS implementation
C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems
D


When a CPU is passed an instruction set and data to be processed and the program status word (PSW) register contains a value indicating that execution should take place in privileged mode, which of the following would be considered true?
A. Operating system is executing in supervisory mode
B. Request came from a trusted process
C. Functionality that is available in user mode is not available
D. An untrusted process submitted the execution request
B


Encryption and decryption can take place at different layers of an Operating system, application, and network stack. End-to-end encryption happens within the ____ layer. IPSec encryption takes place at the ____ layers. PPTP encryption takes place at the ____ layer. Link encryption takes place at the ____ and ____ layers.
A. applications, transport, data link, data link, physical
B. applications, transport, network, data link, physical
C. applications, network, data link, data link, physical
D. network, transport, data link, data link, physical
C


Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
A


Which legal system is characterized by its reliance on previous interpretations of the law?
A. Tort
B. Customary
C. Common
D. Civil (code)
C


In order to be admissible in court, evidence should normally be which of the following?
A. Subpoenaed
B. Relevant
C. Motioned
D. Adjudicated
B


A fraud analyst with a national insurance company uses database tools every day to help identify violations and identify relationships between the captured data through the uses of rule discovery. These tools help identify relationships among a wide variety of information types. What kind of knowledge discovery in database (KDD) is this considered?
A. Probability
B. Statistical
C. Classification
D. Behavioral
B


Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE
C


Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Team-oriented approach that assesses organizational and
IT risks through facilitated workshops
ii. AS/NZS 4360 Australia and New Zealand business risk management assessment approach
iii. ISO/IEC 27005 International standard for the implementation of a risk management program that integrates into an information security management system (ISMS)
iv. Failure Modes and Effect Analysis (FMEA) Approach that dissects a component into its basic functions to identify flaws and those flaws' effects
v. Fault tree analysis Approach to map specific flaws to root causes in complex systems

A. None of them
B. ii
C. iii, iv
D. v
A


For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed?
i. Strategic alignment
ii. Process enhancement
iii. Business enablement
iv. Security effectiveness

A. i, ii
B. ii, iii
C. i, ii, iii, iv
D. iii, iv
C


Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)?
A. An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
C. An international organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized econom
D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy
A


There are many enterprise architecture models that have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architect type and the associated definition?
A. Zachman Framework Model and methodology for the development of information security enterprise architectures
B. TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group
C. DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
D. MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence
A


Which of the following best describes the difference between the role of the ISO/ IEC 27000 series and COBIT? A. COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT provides the objectives of the individual security controls.
C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented.
D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.
B


The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model?
A. It provides a pathway for how incremental improvement can take place.
B. It provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes.
C. It was created for process improvement and developed by Carnegie Mellon.
D. It was built upon the SABSA model.
D


If Joe wanted to use a risk assessment methodology that allows the various business owners to identify risks and know how to deal with them, what methodology would he use?
A. Qualitative
B. COSO
C. FRAP
D. OCTAVE
D


Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based upon a formal architecture framework. Which of the following best describes what a formal architecture framework is and why it would be used?
A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection
B. Conceptual model that is organized into multiple views addressing each of the stakeholder's concerns
C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner
D. Enterprise framework that allows for proper security governance
B


Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.
C


Several models and frameworks have been developed by different organizations over the years to help businesses carry out processes in a more efficient and effective manner. Which of the following provides the correct definition mapping of one of these items?
i. COSOA framework and methodology for enterprise security architecture and service management
ii. ITIL Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce
iii. Six Sigma Business management strategy that can be used to carry out process improvement
iv. Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon

A. i
B. i, iii
C. ii, iv
D. ii, iii, iv
D


It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts?
A. Service level agreement
B. Return on investment
C. Balanced scorecard system
D. Provisioning system
D


Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. Which of the following is an incorrect mapping of the levels that may be assigned to an organization based upon this model?
i. Maturity Level 2 - Managed or Repeatable
ii. Maturity Level 3 - Defined
iii. Maturity Level 4 - Quantitatively Managed
iv. Maturity Level 5 - Optimizing

A. i
B. i, ii
C. All of them
D. None of them
D


Which of the following is normally not an element of e-Discovery?
A. Identification
B. Preservation
C. Production
D. Remanence
D


A financial institution has developed its internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of guidance and functionality?
A. ISO/IEC 27002
B. ISO/IEC 27003
C. ISO/IEC 27004
D. ISO/IEC 27005
C


Which of the following is not an advantage of using content distribution networks?
A. Improved responsiveness to regional users
B. Resistance to ARP spoofing attacks
C. Customization of content for regional users
D. Resistance to DDoS attacks
B


Sue has been asked to install a web access management (WAM) product for her company's environment. What is the best description for what WAMs are commonly used for?
A. Control external entities requesting access to internal objects
B. Control internal entities requesting access to external objects
C. Control external entities requesting access through X.500 databases
D. Control internal entities requesting access through X.500 databases
A


A user's digital identity is commonly made up of more than just a username. Which of the following is not a common item that makes up a user's identity?
A. Entitlements
B. Traits
C. Figures
D. Attributes
C


Which of the following is a true statement pertaining to markup languages?
A. HyperText Markup Language (HTML) came from Generalized Markup Language (GML), which came from the Standard Generalized Markup Language (SGML).
B. HyperText Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML).
C. Standard Generalized Markup Language (SGML) came from the HyperText Markup Language (HTML), which came from the Generalized Markup Language (GML).
D. Standard Generalized Markup Language (SGML) came from the Generalized Markup Language (GML), which came from the HyperText Markup Language (HTML).
B


What is Extensible Markup Language (XML), and why was it created?
A. A specification that is used to create various types of markup languages for specific industry requirements
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
A


Which access control policy is enforced in an environment that uses containers and implicit permission inheritance using a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory
B


Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP, and had users connecting via wireless and wired transmissions?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
C


Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to compliance processes
C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
A


A user's identity can be a collection of her ____ (department, role in company, shift time, clearance); her ____ (resources available to her, authoritative rights in the company); and her ____ (biometricinformation, height, sex,).
A. attributes, access, traits
B. attributes, entitlements, access
C. attributes, characteristics, traits
D. attributes, entitlements, traits
D


John needs to ensure that his company's application can accept provisioning data from the company's partner's application in a standardized method. Which of the following best describes the technology that John should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
A


Which security model enforces the principle that the security levels of an object should never change and is known as the "strong tranquility" property?
A. Biba
B. Bell-LaPadula
C. Brewer-Nash
D. Noninterference
B


Khadijah is leading a software development team for her company. She knows the importance of conducting an attack surface analysis and developing a threat model. During which phase of the software development life cycle should she perform these actions?
A. Requirements gathering
B. Testing and validation
C. Release and maintenance
D. Design
D


Operating systems may not work on systems with specific processors. Which of the following best describes why one operating system may work on an Intel processor but not on an AMD processor?
A. The operating system was not developed to work within the architecture of a specific processor and cannot use that specific processor instruction set.
B. The operating system was developed before the new processor architecture was released, and thus is not backward compatible.
C. The operating system is programmed to use a different instruction set.
D. The operating system is platform dependent, and thus can work only on one specific processor family.
A


Which of the following best describes how an address bus and a data bus are used for instruction execution?
A. The CPU sends a "fetch" request on the data bus, and the data residing at the requested address is returned on the address bus.
B. The CPU sends a "get" request on the address bus, and the data residing at the requested address is returned on the data bus.
C. The CPU sends a "fetch" request on the address bus, and the data residing at the requested address is returned on the data bus.
D. The CPU sends a "get" request on the data bus, and the data residing at the requested address is returned on the address bus.
C


An operating system has many different constructs to keep all of the different execution components in the necessary synchronization. One construct the operating system maintains is a process table. Which of the following best describes the role of a process table within an operating system?
A. The table contains information about each process that the CPU uses during the execution of the individual processes' instructions.
B. The table contains memory boundary addresses to ensure that processes do not corrupt each other's data
C. The table contains condition bits that the CPU uses during state transitions.
D. The table contains I/O and memory addresses.
A


Which of the following architecture frameworks has a focus on command, control, communications, computers, intelligence, surveillance, and
reconnaissance systems and processes?
A. DoDAF
B. TOGAF
C. CMMI
D. MODAF
A


Many operating systems implement address space layout randomization (ASLR). Which of the following best describes this type of technology?
A. Randomly arranging memory address values
B. Restricting the types of processes that can execute instructions in privileged mode
C. Running privileged instructions in virtual machines
D. Randomizing return pointer values
A


A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


What is the name of a water sprinkler system that keeps pipes empty and doesn't release water until a certain temperature is met and a "delay mechanism" is instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
B


Which of the following best describes why Crime Prevention Through Environmental Design (CPTED) would integrate block parties and civic meetings?
A. These activities are designed to get people to work together to increase the overall crime and criminal behavior in the area.
B. These activities are designed to get corporations to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
C. These activities are designed to get people to work together to increase the three strategies of this design model.
D. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
D


Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give
a holistic understanding of the enterprise?
A. SABSA
B. TOGAF
C. CMMI
D. Zachman
D


Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer?
A. End-to-end data transmission
B. Application client/server communication mechanism in a distributed environment
C. Application-to-computer physical communication
D. Provides application with the proper syntax for transmission
B


What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
A


Which of the following best describes why classless interdomain routing (CIDR) was created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization's need
D. To allow IPv6 to tunnel IPSec traffic
C


IEEE ____ provides a unique ID for a device. IEEE ____ provides data encryption, integrity, and origin authentication functionality. IEEE ____ carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE ___ framework.
A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS
B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL
C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL
D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
D


Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is most likely taking place?
A. An attacker is modifying the switch SNMP MIB.
B. An attacker is carrying out a selective DoS attack.
C. An attacker is manipulating the ARP cache.
D. An attacker is carrying out an injection attack.
A


John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag values. Which of the following best describes the type of attack that has most likely been taking place?
A. DHCP snooping
B. VLAN hopping
C. Network traffic shaping
D. Network traffic hopping
B


Terry is told by his boss that he needs to implement a networked-switched infrastructure that allows several systems to be connected to any storage device. What does Terry need to roll out?
A. Electronic vaulting
B. Hierarchical storage management
C. Storage area network
D. Remote journaling
C


While DRP and BCP are directed at the development of "plans," is the holistic management process that should cover both of them. It provides a framework for integrating resilience with the capability for effective responses that protects the interests of the organization's key stakeholders.
A. continuity of operations
B. business continuity management
C. risk management
D. enterprise management architecture
B


The "Safe Harbor" privacy framework was created to:
A. Ensure that personal information should be collected only for a stated purpose
by lawful and fair means and with the knowledge or consent of the subject
B. Provide a streamlined means for U.S. organizations to comply with European privacy laws
C. Require the federal government to release to citizens the procedures for how records are collected, maintained, used, and distributed
D. None of the above
B


The European Union's Directive on Data Protection forbids the transfer of individually identifiable information to a country outside the EU, unless:
A. The receiving country grants individuals adequate privacy protection.
B. The receiving country pays a fee to the EU.
C. There are no exceptions; no information is ever transferred.
D. The receiving country is a member of the Fair Trade Organization.
A


The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. How does this relate to technology
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
A


Which world legal system of law is used in continental European countries, such as France and Spain, and is rule-based law, not precedence based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
A


Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method?
A. Determining functions and identifying functional failures
B. Assessing the causes of failure and their failure effects through a structured process
C. Structured process carried out by an identified team to address high-level security compromises
D. Identifying where something is most likely going to break and either fixing the flaws that could cause this issue or implementing controls to reduce the impact of the break
C


A risk analysis can be carried out through qualitative or quantitative means. It is important to choose the right approach to meet the organization's goals. In a quantitative analysis, which of the following items would not be assigned a numeric value?
i. Asset value
ii. Threat frequency
iii. Severity of vulnerability
iv. Impact damage
v. Safeguard costs
vi. Safeguard effectiveness
vii. Probability

A. All of them
B. None of them
C. ii
D. vii
B


Uncovering restricted information by using permissible data is referred to as ____.
A. inference
B. data mining
C. perturbation
D. cell suppression
A


An attacker can modify the client-side JavaScript that provides structured layout and HTML representation. This commonly takes place through form fields within compromised web servers. Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking
B


COBIT and COSO can be used together, but have different goals and focuses. Which of the following is incorrect as it pertains to these two models?
i. COSO is a model for corporate governance, and COBIT is a model for IT governance.
ii. COSO deals more at the strategic level, while COBIT focuses more at the operational level.
iii. COBIT is a way to meet many of the COSO objectives, but only from the IT perspective.
iv. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

A. None
B. All
C. i, ii
D. ii, iii
A



If a programmer is restricted from updating and modifying production code, what is this an example of?
a. Rotation of duties
b. Separation of duties
c. Controlling input values
d. Due diligence
B


What is a cipher lock?
a. A lock that uses a token and perimeter reader
b. A lock that uses cryptographic keys
c. A lock that uses a keypad
d. A lock that uses a type of key that cannot be reproduced
C


What is the difference between least privilege and need to know?
a. A user should have least privilege that restricts her need to know.
b. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
c. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
d. They are two different terms for the same issue.
B


Which best describes a hot-site facility versus a warm- or cold-site facility?
a. A mobile site that can be brought to the company's parking lot
b. A site that has all necessary PCs, servers, and telecommunications
c. A site that has disk drives, controllers, and tape drives
d. A site that has wiring, central air-conditioning, and raised flooring
B


Which is the best description of remote journaling?
a. Capturing and saving transactions to two mirrored servers in-house
b. Capturing and saving transactions to different media types
c. Backing up bulk data to an offsite facility
d. Backing up transaction logs to an offsite facility
D


Pertaining to the CEO's security concerns, what should Lenny suggest the company put into place?
a. Security information and event management software, an intrusion detection system, and signature-based protection
b. An intrusion prevention system, security event management software, and war-dialing protection
c. Security event management software, an intrusion prevention system, and behavior-based intrusion detection
d. An intrusion prevention system, security event management software, and malware protection
C


What is the technology that allows a user to remember just one password?
a. Password generation
b. Password dictionaries
c. Password rainbow tables
d. Password synchronization
D


Which could be considered a single point of failure within a single sign-on implementation?
a. RADIUS
b. Authentication server
c. User's workstation
d. Logon credentials
B


Which item is not part of a Kerberos authentication implementation?
a. Authentication service
b. Ticket granting service
c. Users, programs, and services
d. Message authentication code
D


Which of the following best describes the type of environment Harry's team needs to set up?
a. Web services
b. Public key infrastructure
c. RADIUS
d. Service-oriented architecture
D


Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?
a. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language
b. Service Provisioning Markup Language, Security Association Markup Language
c. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language
d. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol
D


Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message?
a. PPTP
b. SSH
c. S/MIME
d. Link encryption
C


An effective method to shield networks from unauthenticated DHCP clients is through the use of _______________ on network switches.
a. DHCP snooping
b. DHCP caching
c. DHCP shielding
d. DHCP protection
A


Charlie uses PGP on his Linux-based email client. His friend Dave uses S/MIME on his Windows-based email. Charlie is unable to send an encrypted email to Dave. What is the likely reason?
a. There is not enough information to determine the likely reason
b. Each is using a different CA
c. PGP and S/MIME are incompatible
d. Each has a different secret key
C


What should Don's team put into place to stop the masquerading attacks that have been taking place?
a. Dynamic packet filter firewall
b. SRPC
c. ARP spoofing protection
d. Disable unnecessary ICMP traffic at edge routers
B


What type of client ports should Don make sure the institution's software is using when client-to-server communication needs to take place?
a. Registered
b. Well known
c. Dynamic
d. Free
C


How many bits make up the effective length of the DES key?
a. 16
b. 64
c. 32
d. 56
D


security from components that are not security related?
a. Security kernel
b. Security perimeter
c. Security policy
d. Security related
B


smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes?
a. Systems must provide asymmetric multiprocessing capabilities and virtualized environments.
b. Systems must provide symmetric multiprocessing capabilities and virtualized environments.
c. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments.
d. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.
A


What feature enables code to be executed without the usual security checks?
a. Temporal isolation
b. Maintenance disk
c. Race conditions
d. Maintenance hook
D


What is the definition of an algorithm's work factor?
a. The time it takes to apply substitution functions
b. The time it takes to implement 16 rounds of computation
c. The time it takes to encrypt and decrypt the same plaintext
d. The time it takes to break the encryption
D


During which phase or phases of the information life cycle can cryptography be an effective control?
a. Archival and Disposal
b. Use and Archival
c. Disposal and Use
d. All the them.
D




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
formation classification is most closely related to which of the following?
a. The source of the information
b. The information's age
c. The information's destination
d. None of them
D


What should management consider the most when classifying data?
a. Availability, integrity
b. Assessing the risk level and disabling countermeasures
c. Availability, integrity, and confidentiality
d. The type of employees, contractors, and customers who will be accessing the data
C


Which of the following makes the most sense for a single organization's classification levels for data?
a. Unclassified, Secret, Top Secret
b. Proprietary, Trade Secret, Private
c. Sensitive, Sensitive But Unclassified (SBU), Proprietary
d. Unclassified, Sensitive, Top Secret
A


Which of the following requirements should the data retention policy address?
a. Regulatory
b. Legal
c. Operational
d. All the them
D


Which of the following is the most important criterion in determining the classification of data?
a. Regulatory requirements in jurisdictions within which the organization is not operating
b. The cost of implementing controls for the data
c. The level of damage that could be caused if the data were disclosed
d. The level of damage that could be caused were disclosed
C


If different user groups with different security access levels need to access the same information, which of the following actions should management take?
a. Increase the controls on the information.
b. Increase the security controls on the information.
c. Decrease the classification label on the information.
d. Decrease the security level on the information to ensure accessibility and usability of the information.
B


The data owner is most often described by all of the following except
a. Financially liable for the loss of the data
b. Financially liable for the receive of the data
c. Ultimately responsible for the protection of the data
d. Manager in charge of a business unit
A


OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?
a. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.
b.
NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are
c. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
d.
None of them.
D


15. Communications security involves the protection of which of the following?.
a. radio handsets
b. people, physical assets
c. the IT department
d. media, technology, and content
d


16. According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
a. accountability
b. availability
c. authorization
d. authentication
b






17. Which of the following is a C.I.A. characteristic that ensures that only those with sufficient privileges and a demonstrated need may access certain information?
a. Integrity
b. Availability
c. Authentication
d. Confidentiality
d


18. The use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections is an example of which process?
a. accountability
b. authorization
c. identification
d. authentication
d


19. What do audit logs that track user activity on an information system provide?
a. identification
b. authorization
c. accountability
d. authentication
c


20. Which of the following is the principle of management that develops, creates, and implements strategies for the accomplishment of objectives?
a. leading
b. controlling
c. organizing
d. planning
d


21. Which of the following is the principle of management dedicated to the structuring of resources to support the accomplishment of objectives?
a. organization
b. planning
c. controlling
d. leading
a


22. In the ____________________ attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
a. zombie-in-the-middle
b. sniff-in-the-middle
c. server-in-the-middle
d. man-in-the-middle
d


23. Which of the following is the first step in the problem-solving process?
a. Analyze and compare the possible solutions
b. Develop possible solutions
c. Recognize and define the problem
d. Select, implement and evaluate a solution
c


24. Which of the following is NOT a step in the problem-solving process?
a. Select, implement and evaluate a solution
b. Analyze and compare possible solutions
c. Build support among management for the candidate solution
d. Gather facts and make assumptions
c


25. Which of the following is NOT a primary function of Information Security Management?
a. planning
b. protection
c. projects
d. performance
d


26. Which of the following functions of Information Security Management seeks to dictate certain behavior within the organization through a set of organizational guidelines?
a. planning
b. policy
c. programs
d. people
b


27. Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
a. protection
b. people
c. projects
d. policy
b


28. Acts of ____________________ can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
a. bypass
b. theft
c. trespass
d. security
c


29. ____________________ are malware programs that hide their true nature, and reveal their designed behavior only when activated.
a. Viruses
b. Worms
c. Spam
d. Trojan horses
d


30. As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus ____________________.
a. false alarms
b. polymorphisms
c. hoaxes
d. urban legends
c


31. Human error or failure often can be prevented with training, ongoing awareness activities, and ____________________.
a. threats
b. education
c. hugs
d. paperwork
b


32. "4-1-9" fraud is an example of a ____________________ attack.
a. social engineering
b. virus
c. worm
d. spam
a


33. Which type of attack involves sending a large number of connection or information requests to a target?
a. malicious code
b. denial-of-service (DoS)
c. brute force
d. spear fishing
b


34. Which of the following is not among the 'deadly sins of software security'?
a. Extortion sins
b. Implementation sins
c. Web application sins
d. Networking sins
a


35. Web hosting services are usually arranged with an agreement defining minimum service levels known as a(n) ____.
a. SSL
b. SLA
c. MSL
d. MIN
b


36. Blackmail threat of informational disclosure is an example of which threat category?
a. Espionage or trespass
b. Information extortion
c. Sabotage or vandalism
d. Compromises of intellectual property
b




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
37. One form of online vandalism is ____________________ operations, which interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
a. hacktivist
b. phreak
c. hackcyber
d. cyberhack
a


38. A ____________________ is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
a. denial-of-service
b. distributed denial-of-service
c. virus d. spam
b


39. Which of the following is a feature left behind by system designers or maintenance staff that allows quick access to a system at a later time by bypassing access controls?
a. brute force
b. DoS
c. back door
d. hoax
c


40. A short-term interruption in electrical power availability is known as a ____.
a. fault
b. brownout
c. blackout
d. lag
a


12. Which subset of civil law regulates the relationships among individuals and among individuals
and organizations?
a. tort
b. criminal
c. private
d. public
c


13. Which law addresses privacy and security concerns associated with the electronic transmission of PHI?
a. USA Patriot Act of 2001
b. American Recovery and Reinvestment Act
c. Health Information Technology for Economic and Clinical Health Act
d. National Information Infrastructure Protection Act of 1996
c


14. The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons except which of the following?
a. For purposes of commercial advantage
b. For private financial gain
c. For political advantage
d. In furtherance of a criminal act
c


15. Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
a. The Telecommunications Deregulation and Competition Act
b. National Information Infrastructure Protection Act
c. Computer Fraud and Abuse Act
d. The Computer Security Act
d


16. Which act is a collection of statutes that regulates the interception of wire, electronic, and oral communications?
a. The Electronic Communications Privacy Act of 1986
b. The Telecommunications Deregulation and Competition Act of 1996
c. National Information Infrastructure Protection Act of 1996
d. Federal Privacy Act of 1974
a


17. Which act requires organizations that retain health care information to use InfoSec mechanisms to protect this information, as well as policies and procedures to maintain them?
a. ECPA
b. Sarbanes-Oxley
c. HIPAA
d. Gramm-Leach-Bliley
c




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
18. Which law extends protection to intellectual property, which includes words published in electronic formats?
a. Freedom of Information Act
b. U.S. Copyright Law
c. Security and Freedom through Encryption Act
d. Sarbanes-Oxley Act
b


19. Which of the following is the study of the rightness or wrongness of intentions and motives as opposed to the rightness or wrongness of the consequences and is also known as duty- or obligation-based ethics?
a. Applied ethics
b. Meta-ethics
c. Normative ethics
d. Deontological ethics
d


20. Which of the following is an international effort to reduce the impact of copyright, trademark,
and privacy infringement, especially via the removal of technological copyright protection measures?
a. U.S. Copyright Law
b. PCI DSS
c. European Council Cybercrime Convention
d. DMCA
d


21. Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past; attempting to answer the question, what do others think is right?
a. Applied ethics
b. Descriptive ethics
c. Normative ethics
d. Deontological ethics
b


22. Which ethical standard is based on the notion that life in community yields a positive outcome for the individual, requiring each individual to contribute to that community?
a. utilitarian
b. virtue
c. fairness or justice
d. common good
d


23. There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
a. ignorance
b. malice
c. accident
d. intent
b


24. Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
a. remediation
b. deterrence
c. persecution
d. rehabilitation
b


25. Which of the following organizations put forth a code of ethics designed primarily for InfoSec professionals who have earned their certifications? The code includes the canon: Provide diligent and competent service to principals.
a. (ISC)2
b. ACM
c. SANS
d. ISACA
a


26. Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
a. liability
b. restitution
c. due diligence
d. jurisdiction
b


27. Any court can impose its authority over an individual or organization if it can establish which of the following?
a. jurisprudence b. jurisdiction
c. liability d. sovereignty
b




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
10. Which of the following explicitly declares the business of the organization and its intended areas of operations?
a. vision statement
b. values statement
c. mission statement
d. business statement
c


11. Which type of planning is the primary tool in determining the long-term direction taken by an organization?
a. strategic
b. tactical
c. operational
d. managerial
a


12. Which of the following is true about planning?
a. Strategic plans are used to create tactical plans
b. Tactical plans are used to create strategic plans
c. Operational plans are used to create tactical plans
d. Operational plans are used to create strategic plans
a


13. Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
a. strategic
b. operational
c. organizational
d. tactical
d


14. Which type of planning is used to organize the ongoing, day-to-day performance of tasks?
a. Strategic
b. Tactical
c. Organizational
d. Operational
d


15. The basic outcomes of InfoSec governance should include all but which of the following?
a. Value delivery by optimizing InfoSec investments in support of organizational objectives
b. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
c. Time management by aligning resources with personnel schedules and organizational objectives
d. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
c


16. Internal and external stakeholders such as customers, suppliers, or employees who interact with the information in support of their organization's planning and operations are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators
c


17. The National Association of Corporate Directors (NACD) recommends four essential practices for boards of directors. Which of the following is NOT one of these recommended practices?
a. Hold regular meetings with the CIO to discuss tactical InfoSec planning
b. Assign InfoSec to a key committee and ensure adequate support for that committee
c. Ensure the effectiveness of the corporation's InfoSec policy through review and approval
d. Identify InfoSec leaders, hold them accountable, and ensure support for them
a


18. Which of the following should be included in an InfoSec governance program?
a. An InfoSec development methodology
b. An InfoSec risk management methodology
c. An InfoSec project management assessment from an outside consultant
d. All of these are components of the InfoSec governance program
b


19. According to the Corporate Governance Task Force (CGTF), which phase in the IDEAL model and framework lays the groundwork for a successful improvement effort?
a. Initiating
b. Establishing
c. Acting
d. Learning
a




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
20. According to the Corporate Governance Task Force (CGTF), during which phase in the IDEAL model and framework does the organization plan the specifics of how it will reach its destination?
a. Initiating
b. Establishing
c. Acting
d. Learning
b


21. Which of the following is an information security governance responsibility of the Chief Security Officer?
a. Communicate policies and the program
b. Set security policy, procedures, programs and training
c. Brief the board, customers and the public
d. Implement policy, report security vulnerabilities and breaches
b


22. ISO 27014:2013 is the ISO 27000 series standard for ____________.
a. Governance of Information Security
b. Information Security Management
c. Risk Management
d. Policy Management
a


23. Which of the following is a key advantage of the bottom-up approach to security implementation?
a. strong upper-management support
b. a clear planning and implementation process
c. utilizes the technical expertise of the individual administrators
d. coordinated planning from upper management
c


24. Which of these is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the project's success?
a. software engineering
b. joint application design
c. sequence-driven policies
d. event-driven procedures
b


25. Which model of SecSDLC does the work product from each phase fall into the next phase to serve as its starting point?
a. modular continuous
b. elementary cyclical
c. time-boxed circular
d. traditional waterfall
d


26. Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as ____________.
a. data owners
b. data custodians
c. data users
d. data generators
a


27. What is the first phase of the SecSDLC?
a. analysis
b. investigation
c. logical design
d. physical design
b


28. The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer
a


29. In which phase of the SecSDLC does the risk management task occur?
a. physical design
b. implementation
c. investigation
d. analysis
d


30. An example of a stakeholder of a company includes all of the following except:
a. employees
b. the general public
c. stockholders
d. management
b


31. A project manager who understands project management, personnel management, and InfoSec technical requirements is needed to fill the role of a(n) ____________.
a. champion
b. end user
c. team leader
d. policy developer
c


32. The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians are known as a(n) ____________.
a. chief information security officer
b. security technician
c. security manager
d. chief technology officer
c


33. A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization is needed to fill the role of a(n) ____________ on a development team.
a. champion
b. end user
c. team leader
d. policy developer
a


34. When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the ____________.
a. Board Risk Committee
b. Board Finance Committee
c. Board Audit Committee
d. Chairman of the Board
a


35. A set of security tests and evaluations that simulate attacks by a malicious external source is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization
b


37. The process of identifying and documenting specific and provable flaws in the organization's information asset environment is known as ____________.
a. vulnerability assessment
b. penetration testing
c. exploit identification
d. safeguard neutralization
a


38. A 2007 Deloitte report found that valuable approach that can better align security functions with the business mission while offering opportunities to lower costs is ____________.
a. enterprise risk management.
b. joint application design
c. security policy review
d. disaster recovery planning
a


39. Which of the following set the direction and scope of the security process and provide detailed instruction for its conduct?
a. system controls
b. technical controls
c. operational controls
d. managerial controls
d


11. Which of the following is NOT one of the basic rules that must be followed when shaping a policy?
a. policy should never conflict with law
b. policy must be able to stand up in court if challenged
c. policy should be agreed upon by all employees and management d. policy must be properly supported and administered
c


13. Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
a. Enterprise information security policy
b. User-specific security policies
c. Issue-specific security policies
d. System-specific security policies
b


14. In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
a. appeals process
b. legal recourse
c. what must be done to comply
d. the proper operation of equipment
a


15. Which policy is the highest level of policy and is usually created first?
a. SysSP
b. USSP
c. ISSP
d. EISP
d


16. Which type of document is a more detailed statement of what must be done to comply with a policy?
a. procedure
b. standard
c. guideline
d. practice
b


17. Which of the following is an element of the enterprise information security policy?
a. access control lists
b. information on the structure of the InfoSec organization
c. articulation of the organization's SDLC methodology
d. indemnification of the organization against liability
b


18. Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
a. issue-specific
b. enterprise information
c. system-specific
d. user-specific
a


19. Which section of an ISSP should outline a specific methodology for the review and modification of the ISSP?
a. Policy Review and Modification
b. Limitations of Liability
c. Systems Management
d. Statement of Purpose
a


20. Which of the following sections of the ISSP should provide instructions on how to report observed or suspected policy infractions?
a. Violations of Policy
b. Systems Management
c. Prohibited Usage of Equipment
d. Authorized Access and Usage of Equipment
a


21. Which of the following is a disadvantage of the individual policy approach to creating and managing ISSPs?
a. can suffer from poor policy dissemintation, enforcement, and review
b. may skip vulnerabilities otherwise reported
c. may be more expensive than necessary
d. implementation can be less difficult to manage
a


22. Which of the following are the two general groups into which SysSPs can be separated?
a. technical specifications and managerial guidance
b. business guidance and network guidance
c. user specifications and managerial guidance
d. technical specifications and business guidance
a


23. What are the two general methods for implementing technical controls?
a. profile lists and configuration filters
b. firewall rules and access filters
c. user profiles and filters
d. access control lists and configuration rules
d


24. Which of the following is NOT an aspect of access regulated by ACLs?
a. what authorized users can access
b. where the system is located
c. how authorized users can access the system
d. when authorized users can access the system
b


25. Which of the following are instructional codes that guide the execution of the system when information is passing through it?
a. access control lists
b. user profiles
c. configuration rules
d. capability tables
c


26. A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
a. design
b. analysis
c. implementation
d. investigation
d


27. In which phase of the SecSDLC must the team create a plan to distribute and verify the distribution of the policies?
a. design
b. implementation
c. investigation
d. analysis
a


28. A risk assessment is performed during which phase of the SecSDLC?
a. implementation
b. analysis
c. design
d. investigation
b


29. According to NIST SP 800-18, Rev. 1, which individual is responsible for the creation, revision, distribution, and storage of the policy?
a. policy developer
b. policy reviewer
c. policy enforcer
d. policy administrator
d


30. When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates, what is it ensuring?
a. policy administration
b. due diligence
c. adequate security measures
d. certification and accreditation
b


13. Which of the following variables is the most influential in determining how to structure an information security program?
a. Security capital budget
b. Organizational size
c. Security personnel budget
d. Organizational culture
d


14. Which of the following is true about the security staffing, budget, and needs of a medium-sized organization?
a. they have a larger security staff than a small organization
b. they have a larger security budget (as percent of IT budget) than a small organization
c. they have a smaller security budget (as percent of IT budget) than a large organization
d. they have larger information security needs than a small organization
d


15. Which of the following functions includes identifying the sources of risk and may include offering advice on controls that can reduce risk?
a. Risk management
b. Risk assessment
c. Systems testing
d. Vulnerability assessment
b


16. Which of the following functions needed to implement the information security program evaluates patches used to close software vulnerabilities and acceptance testing of new systems to assure compliance with policy and effectiveness?
a. Systems testing
b. Risk assessment
c. Incident response
d. Systems security administration
a


17. Which function needed to implement the information security program includes researching, creating, maintaining, and promoting information security plans?
a. compliance
b. policy
c. planning
d. systems security administration
c


18. Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
a. policy
b. centralized authentication
c. compliance audit
d. risk management
b


19. Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
a. A security technician
b. A security analyst
c. A security consultant
d. The security manager
a


20. GGG security is commonly used to describe which aspect of security?
a. technical
b. software
c. physical
d. theoretical
c


21. What is the SETA program designed to do?
a. reduce the occurrence of external attacks
b. improve operations
c. reduce the occurence of accidental security breaches
d. increase the efficiency of InfoSec staff
c


22. A SETA program consists of three elements: security education, security training, and which of the following?.
a. security accountability
b. security authentication
c. security awareness
d. security authorization
c


23. The purpose of SETA is to enhance security in all but which of the following ways?
a. by building in-depth knowledge
b. by adding barriers
c. by developing skills
d. by improving awareness
b


24. Advanced technical training can be selected or developed based on which of the following?
a. level of previous education
b. level of previous training
c. technology product
d. number of employees
c


25. Which of the following is the first step in the process of implementing training?
a. Identify training staff
b. Identify target audiences
c. Identify program scope, goals, and objectives
d. Motivate management and employees
c


26. Which of the following is an advantage of the one-on-one method of training?
a. Trainees can learn from each other
b. Very cost-effective
c. Customized
d. Maximizes use of company resources
c


27. Which of the following is a disadvantage of the one-on-one training method?
a. Inflexible
b. May not be responsive to the needs of all the trainees
c. Content may not be customized to the needs of the organization
d. Resource intensive, to the point of being inefficient
d


28. Which of the following is an advantage of the formal class method of training?
a. Personal
b. Self-paced, can go as fast or as slow as the trainee needs
c. Can be scheduled to fit the needs of the trainee
d. Interaction with trainer is possible
d


29. Which of the following is an advantage of the user support group form of training?
a. Usually conducted in an informal social setting
b. Formal training plan
c. Can be live, or can be archived and viewed at the trainee's convenience
d. Can be customized to the needs of the trainee
a


30. Which of the following is NOT a step in the process of implementing training?
a. administer the program
b. hire expert consultants
c. motivate management and employees
d. identify target audiences
b


31. __________ is a simple project management planning tool.
a. RFP
b. WBS
c. ISO 17799
d. SDLC
b


32. Which of the following is the most cost-effective method for disseminating security information and news to employees?
a. distance learning seminars
b. security-themed Web site
c. conference calls
d. security newsletter
d


33. Which of the following is true about a company's InfoSec awareness Web site?
a. it should contain large images to maintain interest
b. appearance doesn't matter if the information is there
c. it should be placed on the Internet for public use
d. it should be tested with multiple browsers
d


16. Each manager in the organization should focus on reducing risk. This is often done within the context of one of the three communities of interest, which includes all but which of the following?
a. General management must structure the IT and InfoSec functions b. IT management must serve the IT needs of the broader organization
c. Legal management must develop corporate-wide standards
d. InfoSec management must lead the way with skill, professionalism, and flexibility
c


17. The identification and assessment of levels of risk in an organization describes which of the following?
a. Risk analysis
b. Risk identification
c. Risk management
d. Risk reduction
a


18. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
a. Creating an inventory of information assets
b. Classifying and organizing information assets into meaningful groups
c. Assigning a value to each information asset
d. Calculating the severity of risks to which assets are exposed in their current setting
d


19. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk identification process?
a. Determining the likelihood that vulnerable systems will be attacked by specific threats
b. Calculating the severity of risks to which assets are exposed in their current setting
c. Assigning a value to each information asset
d. Documenting and reporting the findings of risk identification and assessment
c


20. Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset-identification using this attribute difficult?
a. Part number
b. Serial number
c. MAC address
d. IP address
d


21. Which of the following is an attribute of a network device is physically tied to the network interface?
a. Serial number
b. MAC address
c. IP address
d. Model number
b


22. Which of the following attributes does NOT apply to software information assets?
a. Serial number
b. Controlling entity
c. Manufacturer name
d. Product dimensions
d


23. Which of the following distinctly identifies an asset and can be vital in later analysis of threats directed to specific models of certain devices or software components?
a. Name
b. MAC address
c. Serial number
d. Manufacturer's model or part number
d


24. Data classification schemes should categorize information assets based on which of the following?
a. Value and uniqueness
b. Sensitivity and security needs
c. Cost and replacement value
d. Ease of reproduction and fragility
b


25. Classification categories must be mutually exclusive and which of the following?
a. Repeatable
b. Unique
c. Comprehensive
d. Selective
c


26. What is the final step in the risk identification process?
a. Assessing values for information assets
b. Classifying and categorizing assets
c. Identifying and inventorying assets
d. Listing assets in order of importance
d


27. Once an information asset is identified, categorized, and classified, what must also be assigned to it?
a. Asset tag
b. Relative value
c. Location ID
d. Threat risk
b


28. What should you be armed with to adequately assess potential weaknesses in each information asset?
a. Properly classified inventory
b. Audited accounting spreadsheet
c. Intellectual property assessment
d. List of known threats
a


29. Which of the following is an example of a technological obsolescence threat?
a. Hardware equipment failure
b. Unauthorized access
c. Outdated servers
d. Malware
c


30. Determining the cost of recovery from an attack is one calculation that must be made to identify risk, what is another?
a. Cost of prevention
b. Cost of litigation
c. Cost of detection
d. Cost of identification
a


31. What is defined as specific avenues that threat agents can exploit to attack an information asset?
a. Liabilities
b. Defenses
c. Vulnerabilities
d. Weaknesses
c


32. What should the prioritized list of assets and their vulnerabilities and the prioritized list of threats facing the organization be combined to create?
a. Risk exposure report
b. Threats-vulnerabilities-assets worksheet
c. Costs-risks-prevention database
d. Threat assessment catalog
b


33. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
a. Vulnerability mitigation controls
b. Risk assessment estimate factors
c. Exploit likelihood equation
d. Attack analysis calculation
b


34. An estimate made by the manager using good judgement and experience can account for which factor of risk assessment?
a. Risk determination
b. Assessing potential loss
c. Likelihood and consequences
d. Uncertainty
d


35. Which of the following is NOT among the typical columns in the ranked vulnerability risk worksheet?
a. Uncertainty percentage
b. Asset impact
c. Risk-rating factor
d. Vulnerability likelihood
a


16. Application of training and education is a common method of which risk control strategy?
a. mitigation
b. defense
c. acceptance
d. transferal
b


17. Which of the following describes an organization's efforts to reduce damage caused by a realized incident or disaster?
a. acceptance
b. avoidance
c. transference
d. mitigation
d


18. Strategies to limit losses before and during a realized adverse event is covered by which of the following plans in the mitigation control approach?
a. incident response plan
b. business continuity plan
c. disaster recovery plan
d. damage control plan
a


19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
c


20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk
b. risk appetite
c. risk assurance
d. risk termination
b


21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
c


22. Which of the following affects the cost of a control?
a. liability insurance
b. CBA report
c. asset resale
d. maintenance
d


23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard
b. single loss expectancy
c. value to adversaries
d. annualized loss expectancy
b


24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
b. exposure factor
c. single loss expectancy
d. annualized rate of occurrence
a


25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest.
a. organizational feasibility
b. political feasibility
c. technical feasibility
d. operational feasibility
b


26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support
b. implementing controls
c. evaluating alternative strategies
d. measuring program effectiveness
c


27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
b. quantitative valuation of safeguards
c. subjective prioritization of controls
d. risk analysis estimates
a


28. In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
a. OCTAVE
b. FAIR
c. Hybrid Measures
d. Delphi
d


29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine their effectiveness and to estimate the remaining risk?
a. analysis and adjustment
b. review and reapplication
c. monitoring and measurement
d. evaluation and funding
c


30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components
b. evaluate loss event frequency
c. assess control impact
d. derive and articulate risk
c


31. What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation
b. documented control strategy
c. risk acceptance plan
d. mitigation plan
b


32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis
b. asset valuation
c. cost avoidance
d. cost-benefit analysis
c


33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking
b. due care and due diligence
c. selective risk avoidance
d. the gold standard
c


34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment
b. risk treatment
c. risk communication
d. risk determination
d


35. The NIST risk management approach includes all but which of the following elements?
a. inform
b. assess
c. frame
d. respond
a


36. An information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems is known as a(n) ____________.
a. penetration tester
b. gray-hat hacker
c. script kiddie
d. zebra team
a


12. Which of the following is a policy implementation model that addresses issues by moving from the general to the specific and is a proven mechanism for prioritizing complex changes?
a. On-target model
b. Wood's model
c. Bull's-eye model
d. Bergeron and Berube model
c


1. When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
D


2. To better deal with computer crime, several legislative bodies have taken what
steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
B


3. Which factor is the most important item when it comes to ensuring security is
successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A


4. Which of the following standards would be most useful to you in ensuring your
information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COSO IC
C


5. Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.
C


6. When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and
potential loss.
D


7. Which is the most valuable technique when determining if a specific security
control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
B


8. Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
D


9. How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
D


10. Why should the team that will perform and review the risk analysis information
be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn't. It should be a small group brought in from outside the
organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their
department. Thus, it ensures the data going into the analysis is as close to
reality as possible.
D. Because the people in the different departments are the ones causing the risks,
so they should be the ones held accountable.
C


11. Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss,
and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
C


12. Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
D


13. What is COBIT and where does it fit into the development of information
security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
D


14. What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST SP 800-60
A


15. OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to
carrying out risk management within companies and organizations. What are the
differences between these methods?
A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is
international.
B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are
corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is
international.
B


16. The fact that the server has been in an unlocked room marked "Room 1" for the
last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity
D


17. The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
B


18. The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
A


19. How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000
A


20. What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. -$62,000
D. -$3,000
D


21. Which of the following describes the company's approach to risk management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation
D


22. What is the single loss expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%
B


23. What is the annualized rate of occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
C


24. What is the annualized loss expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
C


25. The international standards bodies ISO and IEC developed a series of standards that
are used in organizations around the world to implement and maintain information
security management systems. The standards were derived from the British
Standard 7799, which was broken down into two main pieces. Organizations can
use this series of standards as guidelines, but can also be certified against them by
accredited third parties. Which of the following are incorrect mappings pertaining
to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC
27003 outlines the ISMS program's requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC
27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/
IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines
the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
D


26. The information security industry is made up of various best practices, standards,
models, and frameworks. Some were not developed first with security in mind,
but can be integrated into an organizational security program to help in its
effectiveness and efficiency. It is important to know of all of these different
approaches so that an organization can choose the ones that best fit its business
needs and culture. Which of the following best describes the approach(es) that
should be put into place if an organization wants to integrate a way to improve its
security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because
it allows for the mapping of IT service process management, business drivers,
and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security
processes to be identified and improved upon.
iii. Capability Maturity Model Integration should be integrated because it
provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it
provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv
C


27. Todd documents several fraud opportunities that the employees have at the
financial institution so that management understands these risks and allocates
the funds and resources for his suggested solutions. Which of the following
best describes the control Todd should put into place to be able to carry out
fraudulent investigation activity?
A. Separation of duties
B. Rotation of duties
C. Mandatory vacations
D. Split knowledge
C


28. If the financial institution wants to force collusion to take place for fraud to
happen successfully in this situation, what should Todd put into place?
A. Separation of duties
B. Rotation of duties
C. Social engineering
D. Split knowledge
A


29. Todd wants to be able to prevent fraud from taking place, but he knows
that some people may get around the types of controls he puts into place. In
those situations he wants to be able to identify when an employee is doing
something suspicious. Which of the following incorrectly describes what Todd is
implementing in this scenario and what those specific controls provide?
A. Separation of duties by ensuring that a supervisor must approve the cashing
of a check over $3,500. This is an administrative control that provides
preventative protection for Todd's organization.
B. Rotation of duties by ensuring that one employee only stays in one position for
up to three months at a time. This is an administrative control that provides
detective capabilities.
C. Security awareness training, which is a preventive administrative control that
can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that
two employees must carry out a task simultaneously.
D


30. Which of the following best describes what Susan needs to ensure the operations
staff creates for proper configuration standardization?
A. Dual control
B. Redundancy
C. Training
D. Baselines
D


31. Which of the following is the best way for Susan to illustrate to her boss the
dangers of the current configuration issues?
A. Map the configurations to the compliancy requirements.
B. Compromise a system to illustrate its vulnerability.
C. Audit the systems.
D. Carry out a risk assessment.
D


32. Which of the following is one of the most likely solutions that Susan will come
up with and present to her boss?
A. Development of standards
B. Development of training
C. Development of monitoring
D. Development of testing
A




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
33. What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.
C


34. The purpose of initiating emergency procedures right after a disaster takes place is
to prevent loss of life and injuries, and to _______________.
A. secure the area to ensure that no looting or fraud takes place
B. mitigate further damage
C. protect evidence and clues
D. investigate the extent of the damages
B


35. Which of the following would you use to control the public distribution, reproduction,
display, and adaptation of an original white paper written by your staff?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
B


36. Many privacy laws dictate which of the following rules?
A. Individuals have a right to remove any data they do not want others to know.
B. Agencies do not need to ensure that the data is accurate.
C. Agencies need to allow all government agencies access to the data.
D. Agencies cannot use collected data for a purpose different from what they
were collected for.
D


37. The term used to denote a potential cause of an unwanted incident, which may
result in harm to a system or organization is
A. Vulnerability
B. Exploit
C. Threat
D. Attacker
C


38. A CISSP candidate signs an ethics statement prior to taking the CISSP
examination. Which of the following would be a violation of the (ISC) 2 Code of
Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP
candidates
B. Submitting comments on the questions of the exam to (ISC) 2
C. Submitting comments to the board of directors regarding the test and content
of the class
D. Conducting a presentation about the CISSP certification and what the
certification means
A


39. Which of the following has an incorrect definition mapping?
i. Civil (code) law: Based on previous interpretations of laws
ii. Common law: Rule-based law, not precedence-based
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region
A. i, iii
B. i, ii, iii
C. i, ii
D. iv
C

1. What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
C


2. What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
b


3. If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
c


4. The trusted computing base (TCB) contains which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
d


5. What is the imaginary boundary that separates components that maintain
security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy
c


6. What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
a


7. In secure computing systems, why is there a logical form of separation used
between processes?
A. Processes are contained within their own security domains so each does not
make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only
access protection levels above them.
C. Processes are contained within their own security perimeter so they can only
access protection levels equal to them.
D. The separation is hardware and not logical in nature.
a


8. What type of rating is used within the Common Criteria framework?
A. PP
B. EPL
C. EAL
D. A-D
c


9. Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative
addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative
addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical
addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute
addresses are based on a known address and an offset value.
a


10. Pete is a new security manager at a financial institution that develops its own
internal software for specific proprietary functionality. The financial institution
has several locations distributed throughout the world and has bought several
individual companies over the last ten years, each with its own heterogeneous
environment. Since each purchased company had its own unique environment,
it has been difficult to develop and deploy internally developed software in an
effective manner that meets all the necessary business unit requirements. Which
of the following best describes a standard that Pete should ensure the software
development team starts to implement so that various business needs can be met?
A. ISO/IEC 42010
B. Common Criteria
C. ISO/IEC 43010
D. ISO/IEC 15408
a


11. Which of the following is an incorrect description pertaining to the common
components that make up computer systems?
i. General registers are commonly used to hold temporary processing data,
while special registers are used to hold process-characteristic data as in
condition bits.
ii. A processor sends a memory address and a "read" request down an address bus
and a memory address and a "write" request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory
stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it
needs to process.
A. i
B. i, ii
C. ii, iii
D. ii, iv
d


12. Mark is a security administrator who is responsible for purchasing new computer
systems for a co-location facility his company is starting up. The company has
several time-sensitive applications that require extensive processing capabilities.
The co-location facility is not as large as the main facility, so it can only fit a
smaller number of computers, which still must carry the same processing load as
the systems in the main building. Which of the following best describes the most
important aspects of the products Mark needs to purchase for these purposes?
A. Systems must provide symmetric multiprocessing capabilities and virtualized
environments.
B. Systems must provide asymmetric multiprocessing capabilities and virtualized
environments.
C. Systems must provide multiprogramming multiprocessing capabilities and
virtualized environments.
D. Systems must provide multiprogramming multiprocessing capabilities and
symmetric multiprocessing environments.
b


13. Which of the following best describes a characteristic of the software that may be
causing issues?
A. Cooperative multitasking
B. Preemptive multitasking
C. Maskable interrupt use
D. Nonmaskable interrupt use
a


14. Which of the following best describes why rebooting helps with system
performance in the situation described in this scenario?
A. Software is not using cache memory properly.
B. Software is carrying out too many mode transitions.
C. Software is working in ring 0.
D. Software is not releasing unused memory.
d


15. Which of the following best describes Steve's confusion?
A. Certification must happen first before the evaluation process can begin.
B. Accreditation is the acceptance from management, which must take place
before the evaluation process.
C. Evaluation, certification, and accreditation are carried out by different groups
with different purposes.
D. Evaluation requirements include certification and accreditation components.
c


16. Which of the following best describes an item the software development team needs
to address to ensure that drivers cannot be loaded in an unauthorized manner?
A. Improved security kernel processes
B. Improved security perimeter processes
C. Improved application programming interface processes
D. Improved garbage collection processes
a


17. Which of the following best describes some of the issues that the evaluation
testers most likely ran into while testing the submitted product?
A. Nonprotected ROM sections
B. Vulnerabilities that allowed malicious code to execute in protected memory
sections
C. Lack of a predefined and implemented trusted computing base
D. Lack of a predefined and implemented security kernel
b


18. John has been told that one of the applications installed on a web server within
the DMZ accepts any length of information that a customer using a web browser
inputs into the form the web server provides to collect new customer data. Which
of the following describes an issue that John should be aware of pertaining to this
type of vulnerability?
A. Application is written in the C programming language.
B. Application is not carrying out enforcement of the trusted computing base.
C. Application is running in ring 3 of a ring-based architecture.
D. Application is not interacting with the memory manager properly.
a


19. What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used
a


20. Why has the frequency of successful brute-force attacks increased?
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible
to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.
c


21. Which of the following is not a property or characteristic of a one-way hash
function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the
corresponding message.
C. It should be impossible or rare to derive the same digest from two different
messages.
D. It converts a message of fixed length to an arbitrary length value.
d


22. What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.
c


23. Which of the following is a U.S. federal government algorithm developed for
creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm
c


24. Which of the following best describes the difference between HMAC and
CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used
to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the
first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a
block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result
through a hashing algorithm; CBC-MAC encrypts the whole message.
c


25. What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.
a


26. What is used to create a digital signature?
A. The receiver's private key
B. The sender's public key
C. The sender's private key
D. The receiver's public key
c


27. Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of
a message
d


28. How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
a


29. Why would a certificate authority revoke a certificate?
A. If the user's public key has become compromised
B. If the user changed over to using the PEM model that uses a web of trust
C. If the user's private key has become compromised
D. If the user moved to a new location
c


30. What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature
b


31. Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates
d


32. What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm
c


33. Who was involved in developing the first public key algorithm?
A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman
d


34. What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange
d


35. DES performs how many rounds of transposition/permutation and substitution?
A. 16
B. 32
C. 64
D. 56
a


36. Which of the following is a true statement pertaining to data encryption when it
is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.
b


37. If different keys generate the same ciphertext for the same message, what is
this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
d


38. What is the definition of an algorithm's work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions
b


39. What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store
passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.
b


40. Which of the following is based on the fact that it is hard to factor large numbers
into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman
b


41. Which of the following describes the difference between the Data Encryption
Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages.
a


42. Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA
a


43. The generation of keys that are made up of random values is referred to as Key
Derivation Functions (KDFs). What values are not commonly used in this key
generation process?
A. Hashing values
B. Asymmetric values
C. Salts
D. Passwords
b


44. When should a Class C fire extinguisher be used instead of a Class A fire
extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
a


45. Which of the following is not a main component of CPTED?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Target hardening
d


46. Which problems may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes corrosion, and low humidity causes static electricity.
C. High humidity causes power fluctuations, and low humidity causes static
electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.
b


47. What does positive pressurization pertaining to ventilation mean?
A. When a door opens, the air comes in.
B. When a fire takes place, the power supply is disabled.
C. When a fire takes place, the smoke is diverted to one room.
D. When a door opens, the air goes out.
d


48. Which of the following answers contains a category of controls that does not
belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
d



When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources
D


To better deal with computer crime, several legislative bodies have taken what
steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues
B


Which factor is the most important item when it comes to ensuring security is
successful in an organization?
A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees
A


Which of the following standards would be most useful to you in ensuring your
information security management system follows industry best practices?
A. NIST SP 800-53
B. Six Sigma
C. ISO/IEC 27000 series
D. COSO IC
C


Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.
C


When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and
potential loss.
D


Which is the most valuable technique when determining if a specific security
control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk
B


Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
D


How do you calculate residual risk?
A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap
D


Why should the team that will perform and review the risk analysis information
be made up of people in different departments?
A. To make sure the process is fair and that no one is left out.
B. It shouldn't. It should be a small group brought in from outside the
organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their
department. Thus, it ensures the data going into the analysis is as close to
reality as possible.
D. Because the people in the different departments are the ones causing the risks,
so they should be the ones held accountable.
C


Which best describes a quantitative risk analysis?
A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss,
and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions
C


Why is a truly quantitative risk analysis not possible to achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.
D







Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
What is COBIT and where does it fit into the development of information
security systems and security programs?
A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives
D


What is the ISO/IEC 27799 standard?
A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST SP 800-60
A


OCTAVE, NIST SP 800-30, and AS/NZS 4360 are different approaches to
carrying out risk management within companies and organizations. What are the
differences between these methods?
A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is
international.
B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS 4360 are
corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based.
D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is
international.
B


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The fact that the server has been in an unlocked room marked "Room 1" for the
last few years means the company was practicing which of the following?
A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity
D


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The new reinforced lock and cage serve as which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
B


A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Reaizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls.

The operating system access controls comprise which of the following?
A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls
A


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

How much does the firewall save the company in loss expenses?
A. $62,000
B. $3,000
C. $65,000
D. $30,000
A


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

What is the value of the firewall to the company?
A. $62,000
B. $3,000
C. -$62,000
D. -$3,000
D


A company has an e-commerce web-site that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,The firewall costs $65,000 per year to implement and maintain.

Which of the following describes the company's approach to risk management?
A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation
D


A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the single loss expectancy (SLE) for the facility suffering from a fire?
A. $80,000
B. $480,000
C. $320,000
D. 60%
B


A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized rate of occurrence (ARO)?
A. 1
B. 10
C. .1
D. .01
C


A small remote office for a company is valued at $800,It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place.

What is the annualized loss expectancy (ALE)?
A. $480,000
B. $32,000
C. $48,000
D. .6
C


The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series?
i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC
27003 outlines the ISMS program's requirements.
ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC
27002 outlines the metrics framework.
iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/
IEC 27005 outlines risk management guidelines.
iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines
the implementation framework.
A. i, iii
B. i, ii
C. ii, iii, iv
D. i, ii, iii, iv
D


The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time?
i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement.
ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon.
iii. Capability Maturity Model Integration should be integrated because it provides distinct maturity levels.
iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement.
A. i, iii
B. ii, iii, iv
C. ii, iii
D. ii, iv
C


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?
A. Separation of duties
B. Rotation of duties
C. Mandatory vacations
D. Split knowledge
C


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place?
A. Separation of duties
B. Rotation of duties
C. Social engineering
D. Split knowledge
A


Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?
A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,This is an administrative control that provides preventative protection for Todd's organization.
B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.
C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization?
A. Dual control
B. Redundancy
C. Training
D. Baselines
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following is the best way for Susan to illustrate to her boss the dangers of the current configuration issues?
A. Map the configurations to the compliancy requirements.
B. Compromise a system to illustrate its vulnerability.
C. Audit the systems.
D. Carry out a risk assessment.
D


Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation.

Which of the following is one of the most likely solutions that Susan will come up with and present to her boss?
A. Development of standards
B. Development of training
C. Development of monitoring
D. Development of testing
A


What is one of the first steps in developing a business continuity plan?
A. Identify a backup solution.
B. Perform a simulation test.
C. Perform a business impact analysis.
D. Develop a business resumption plan.
C


The purpose of initiating emergency procedures right after a disaster takes place is
to prevent loss of life and injuries, and to _______________.
A. secure the area to ensure that no looting or fraud takes place
B. mitigate further damage
C. protect evidence and clues
D. investigate the extent of the damages
B


Which of the following would you use to control the public distribution, reproduction,
display, and adaptation of an original white paper written by your staff?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
B


Many privacy laws dictate which of the following rules?
A. Individuals have a right to remove any data they do not want others to know.
B. Agencies do not need to ensure that the data is accurate.
C. Agencies need to allow all government agencies access to the data.
D. Agencies cannot use collected data for a purpose different from what they
were collected for.
D


The term used to denote a potential cause of an unwanted incident, which may
result in harm to a system or organization is
A. Vulnerability
B. Exploit
C. Threat
D. Attacker
C


A CISSP candidate signs an ethics statement prior to taking the CISSP
examination. Which of the following would be a violation of the (ISC) 2 Code of
Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP
candidates
B. Submitting comments on the questions of the exam to (ISC) 2
C. Submitting comments to the board of directors regarding the test and content
of the class
D. Conducting a presentation about the CISSP certification and what the
certification means
A


Which of the following has an incorrect definition mapping?
i. Civil (code) law: Based on previous interpretations of laws
ii. Common law: Rule-based law, not precedence-based
iii. Customary law: Deals mainly with personal conduct and patterns of behavior
iv. Religious law: Based on religious beliefs of the region
A. i, iii
B. i, ii, iii
C. i, ii
D. iv
C


Which of the following statements is true about the information life cycle?
A. The information life cycle begins with its archival and ends with its classification.
B. Most information must be retained indefinitely.
C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.
D. Preparing information for use does not typically involve adding metadata to it.
C


Ensuring data consistency is important for all the following reasons, except
A. Replicated data sets can become desynchronized.
B. Multiple data items are commonly needed to perform a transaction.
C. Data may exist in multiple locations within our information systems.
D. Multiple users could attempt to modify data simultaneously.
B


Which of the following makes the most sense for a single organization's
classification levels for data?
A. Unclassified, Secret, Top Secret
B. Public, Releasable, Unclassified
C. Sensitive, Sensitive But Unclassified (SBU), Proprietary
D. Proprietary, Trade Secret, Private
A


Which of the following is the most important criterion in determining the
classification of data?
A. The level of damage that could be caused if the data were disclosed
B. The likelihood that the data will be accidentally or maliciously disclosed
C. Regulatory requirements in jurisdictions within which the organization is
not operating
D. The cost of implementing controls for the data
A


The effect of data aggregation on classification levels is best described by which of
the following?
A. Data classification standards apply to all the data within an organization.
B. Aggregation is a disaster recovery technique with no effect on classification.
C. A low-classification aggregation of data can be deconstructed into higher-classification data items.
D. Items of low-classification data combine to create a higher-classification set.
D


Who bears ultimate responsibility for the protection of assets within the
organization?
A. Data owners
B. Cyber insurance providers
C. Senior management
D. Security professionals
C


During which phase or phases of the information life cycle can cryptography be
an effective control?
A. Use
B. Archival
C. Disposal
D. All the above
D


A transition into the disposal phase of the information life cycle is most commonly triggered by
A. Senior management
B. Insufficient storage
C. Acceptable use policies
D. Data retention policies
D


Information classification is most closely related to which of the following?
A. The source of the information
B. The information's destination
C. The information's value
D. The information's age
C


The data owner is most often described by all of the following except
A. Manager in charge of a business unit
B. Ultimately responsible for the protection of the data
C. Financially liable for the loss of the data
D. Ultimately responsible for the use of the data
C


Data at rest is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
D


Data in motion is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
C


Data in use is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
B


Who has the primary responsibility of determining the classification level for
information?
A. The functional manager
B. Senior management
C. The owner
D. The user
C


If different user groups with different security access levels need to access the same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
C


What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing
the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
B


Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
D


Which of the following requirements should the data retention policy address?
A. Legal
B. Regulatory
C. Operational
D. All the above
D


Which of the following is not addressed by the data retention policy?
A. What data to keep
B. For whom data is kept
C. How long data is kept
D. Where data is kept
B


Which of the following best describes an application of cryptography to protect data at rest?
A. VPN
B. Degaussing
C. Whole-disk encryption
D. Up-to-date antivirus software
C


Which of the following best describes an application of cryptography to protect data in motion?
A. Testing software against side-channel attacks
B. TLS
C. Whole-disk encryption
D. EDLP
B


Which of the following best describes the mitigation of data remanence by a
physical destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
D


Which of the following best describes the mitigation of data remanence by a
degaussing destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
C


Which of the following best describes the mitigation of data remanence by an
overwriting process?
A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it unusable
A


What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification
C


What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing
B


If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory
C


The trusted computing base (TCB) contains which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components
D


What is the imaginary boundary that separates components that maintain security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy
D


What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter
A


In secure computing systems, why is there a logical form of separation used between processes?
A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only access protection levels above them.
C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.
D. The separation is hardware and not logical in nature.
A


What type of rating is used within the Common Criteria framework?
A. PP
B. EPL
C. EAL
D. A-D
C


Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
A


Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software development team starts to implement so that various business needs can be met
A. ISO/IEC 42010
B. Common Criteria
C. ISO/IEC 43010
D. ISO/IEC 15408
A


Which of the following is an incorrect description pertaining to the common components that make up computer systems?
i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process-characteristic data as in condition bits.
ii. A processor sends a memory address and a "read" request down an address bus and a memory address and a "write" request down an I/O bus.
iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations.
iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process.
A. i
B. i, ii
C. ii, iii
D. ii, iv
D


Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes?
A. Systems must provide symmetric multiprocessing capabilities and virtualized environments.
B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments.
C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments.
D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.
B


Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away.

Which of the following best describes a characteristic of the software that may be causing issues?
A. Cooperative multitasking
B. Preemptive multitasking
C. Maskable interrupt use
D. Nonmaskable interrupt use
A


Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away.

Which of the following best describes why rebooting helps with system performance in the situation described in this scenario?
A. Software is not using cache memory properly.
B. Software is carrying out too many mode transitions.
C. Software is working in ring 0.
D. Software is not releasing unused memory.
D


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes Steve's confusion?
A. Certification must happen first before the evaluation process can begin.
B. Accreditation is the acceptance from management, which must take place efore the evaluation process.
C. Evaluation, certification, and accreditation are carried out by different groups ith different purposes.
D. Evaluation requirements include certification and accreditation components.
C


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner?
A. Improved security kernel processes
B. Improved security perimeter processes
C. Improved application programming interface processes
D. Improved garbage collection processes
A


Steve has found out that the soft- ware product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement ddress space layout randomization and data execution protection.

Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product?
A. Nonprotected ROM sections
B. Vulnerabilities that allowed malicious code to execute in protected memory sections
C. Lack of a predefined and implemented trusted computing base
D. Lack of a predefined and implemented security kernel
B


John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of vulnerability?
A. Application is written in the C programming language.
B. Application is not carrying out enforcement of the trusted computing base.
C. Application is running in ring 3 of a ring-based architecture.
D. Application is not interacting with the memory manager properly.
A


What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used
A


Why has the frequency of successful brute-force attacks increased?
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time.
C


Which of the following is not a property or characteristic of a one-way hash function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the corresponding message.
C. It should be impossible or rare to derive the same digest from two different messages.
D. It converts a message of fixed length to an arbitrary length value.
D


What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly.
C


Which of the following is a U.S. federal government algorithm developed for creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm
C


Which of the following best describes the difference between HMAC and CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.
C


What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad.
A


What is used to create a digital signature?
A. The receiver's private key
B. The sender's public key
C. The sender's private key
D. The receiver's public key
C


Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of a message
D


How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16
A


Why would a certificate authority revoke a certificate?
A. If the user's public key has become compromised
B. If the user changed over to using the PEM model that uses a web of trust
C. If the user's private key has become compromised
D. If the user moved to a new location
C


What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature
B


Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates
D


What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm
C


Who was involved in developing the first public key algorithm?
A. Adi Shamir
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman
D


What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange
D


DES performs how many rounds of transposition/permutation and substitution?
A. 16
B. 32
C. 64
D. 56
A


Which of the following is a true statement pertaining to data encryption when it
is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.
B


If different keys generate the same ciphertext for the same message, what is
this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering
D


What is the definition of an algorithm's work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions
D


What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store passwords.
B. It prevents anyone from reading passwords in plaintext.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.
B


Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman
B


Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages. A
...


Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA
A


The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process?
A. Hashing values
B. Asymmetric values
C. Salts
D. Passwords
B


When should a Class C fire extinguisher be used instead of a Class A fire extinguisher?
A. When electrical equipment is on fire
B. When wood and paper are on fire
C. When a combustible liquid is on fire
D. When the fire is in an open area
A


Which of the following is not a main component of CPTED?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Target hardening
D


Which problems may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes corrosion, and low humidity causes static electricity.
C. High humidity causes power fluctuations, and low humidity causes static electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.
B


What does positive pressurization pertaining to ventilation mean?
A. When a door opens, the air comes in.
B. When a fire takes place, the power supply is disabled.
C. When a fire takes place, the smoke is diverted to one room.
D. When a door opens, the air goes out.
D


Which of the following answers contains a category of controls that does not belong in a physical security program?
A. Deterrence and delaying
B. Response and detection
C. Assessment and detection
D. Delaying and lighting
D


How does TKIP provide more protection for WLAN environments?
A. It uses the AES algorithm.
B. It decreases the IV size and uses the AES algorithm.
C. It adds more keying material.
D. It uses MAC and IP filtering.
C


Which of the following is not a characteristic of the IEEE 802.11a standard?
A. It works in the 5-GHz range.
B. It uses the OFDM spread spectrum technology.
C. It provides 52 Mbps in bandwidth.
D. It covers a smaller distance than 802.11b.
C


Why are switched infrastructures safer environments than routed networks?
A. It is more difficult to sniff traffic since the computers have virtual private connections.
B. They are just as unsafe as nonswitched environments.
C. The data link encryption does not permit wiretapping.
D. Switches are more intelligent than bridges and implement security mechanisms.
A


Which of the following protocols is considered connection-oriented?
A. IP
B. ICMP
C. UDP
D. TCP
D


Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?
A. Open relay manipulation
B. VLAN hopping attack
C. Hypervisor denial-of-service attack
D. Smurf attack
B


Which of the following proxies cannot make access decisions based upon protocol commands?
A. Application
B. Packet filtering
C. Circuit
D. Stateful
C


Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component?
A. Orthogonal frequency division
B. Unified threat management modem
C. Virtual firewall
D. Internet Security Association and Key Management Protocol
C


Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?
A. Data link, session, application, transport, and network
B. Data link, transport, application, session, and network
C. Network, session, application, network, and transport
D. Network, transport, application, session, and presentation
A


Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes?
A. Network convergence
B. Security as a service
C. Unified threat management
D. Integrated convergence management
C


Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers?
A. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks.
B. The access layer connects the customer's equipment to a service provider's core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network.
C. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers.
D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.
D


Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?
A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks.
B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity.
C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.
D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.
D


Systems that are built on the OSI framework are considered open systems. What does this mean?
A. They do not have authentication mechanisms configured by default.
B. They have interoperability issues.
C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems.
D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.
C


Which of the following protocols work in the following layers: application, data link, network, and transport?
A. FTP, ARP, TCP, and UDP
B. FTP, ICMP, IP, and UDP
C. TFTP, ARP, IP, and UDP
D. TFTP, RARP, IP, and ICMP
C


What takes place at the data link layer?
A. End-to-end connection
B. Dialog control
C. Framing
D. Data syntax
C


What takes place at the session layer?
A. Dialog control
B. Routing
C. Packet sequencing
D. Addressing
A


Which best describes the IP protocol?
A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction
B. A connectionless protocol that deals with the addressing and routing of packets
C. A connection-oriented protocol that deals with the addressing and routing of packets
D. A connection-oriented protocol that deals with sequencing, error detection, and flow control
B


Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?
A. Authentication protocol used in wireless networks and point-to-point connections
B. Designed to provide authentication for 802.11 WLANs
C. Designed to support 802.1X port access control and Transport Layer Security
D. Designed to support password-protected connections
D


The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP.
A. Session Initiation Protocol
B. Real-time Transport Protocol
C. SS7
D. VoIP
A


Which of the following is not one of the stages of the DHCP lease process?
i. Discover
ii. Offer
iii. Request
iv. Acknowledgment
A. All of them
B. None of them
C. i, ii
D. ii, iii
B


An effective method to shield networks from unauthenticated DHCP clients is
through the use of _______________ on network switches.
A. DHCP snooping
B. DHCP protection
C. DHCP shielding
D. DHCP caching
A


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What type of client ports should Don make sure the institution's software is using when client-to-server communication needs to take place?
A. Well known
B. Registered
C. Dynamic
D. Free
C


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

Which of the following is a cost-effective countermeasure that Don's team should implement?
A. Stateful firewall
B. Network address translation
C. SYN proxy
D. IPv6
C


Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

What should Don's team put into place to stop the masquerading attacks that have been taking place?
A. Dynamic packet filter firewall
B. ARP spoofing protection
C. Disable unnecessary ICMP traffic at edge routers
D. SRPC
D


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is most likely the issue that Grace's team experienced when their systems went offline?
A. Three critical systems were connected to a dual-attached station.
B. Three critical systems were connected to a single-attached station.
C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems.
D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.
B


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is the best type of fiber that should be implemented in
this scenario?
A. Single mode
B. Multimode
C. Optical carrier
D. SONET
B


Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server.

Which of the following is the best and most cost-effective countermeasure for Grace's team to put into place?
A. Network address translation
B. Disallowing unnecessary ICMP traffic coming from untrusted networks
C. Application-based proxy firewall
D. Screened subnet using two firewalls from two different vendors
B


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic?
A. SNMP v3
B. L2TP
C. CHAP
D. Dynamic packet filtering firewall
A


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.
Which of the following unauthorized activities have most likely been taking place
in this situation?
A. DNS querying
B. Phishing
C. Forwarding
D. Zone transfer
D


John is the manager of the security team within his company. He has learned that attackers have installed sniffers through- out the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

Which of the following is the best countermeasure that John's team should implement to protect from improper caching issues?
A. PKI
B. DHCP snooping
C. ARP protection
D. DNSSEC
D


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers?
A. TCP sequence hijacking is taking place.
B. Source routing is not restricted.
C. Fragment attacks are underway.
D. Attacker is tunneling communication through PPP.
B


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes the firewall configuration issues Sean's team member is describing?
A. Clean-up rule, stealth rule
B. Stealth rule, silent rule
C. Silent rule, negate rule
D. Stealth rule, silent rule
C


Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

Which of the following best describes why Sean's team wants to put in the mentioned countermeasure for the most commonly attacked systems?
A. Prevent production system hijacking
B. Reduce DoS attack effects
C. Gather statistics during the process of an attack
D. Increase forensic capabilities
B


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

What should Tom's team implement to provide source authentication and data encryption at the data link level?
A. IEEE 802.1AR
B. IEEE 802.1AE
C. IEEE 802.1AF
D. IEEE 802.1X
D


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

Which of the following solutions is best to meet the company's need to protect wireless traffic?
A. EAP-TLS
B. EAP-PEAP
C. LEAP
D. EAP-TTLS
D


Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

Which of the following is the best solution to meet the company's need for broadband wireless connectivity?
A. WiMAX
B. IEEE 802.12
C. WPA2
D. IEEE 802.15
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling?
A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device.
B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device.
C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device.
D. IPv6 should be disabled on all systems.
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Which of the following is the best countermeasure for the attack type addressed in the scenario?
A. DNSSEC
B. IPSec
C. Split server configurations
D. Disabling zone transfers
A


Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password based authentication options.

Which of the following technologies should Lance's team investigate for increased
authentication efforts?
A. Challenge Handshake Authentication Protocol
B. Simple Authentication and Security Layer
C. IEEE 802.2AB
D. EAP-SSL
B


Wireless LAN technologies have gone through different versions over the years
to address some of the inherent security issues within the original IEEE 802.11
standard. Which of the following provides the correct characteristics of Wi-Fi
Protected Access 2 (WPA2)?
A. IEEE 802.1X, WEP, MAC
B. IEEE 802.1X, EAP, TKIP
C. IEEE 802.1X, EAP, WEP
D. IEEE 802.1X, EAP, CCMP
D


Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message?
A. PPTP
B. S/MIME
C. Link encryption
D. SSH
B


Charlie uses PGP on his Linux-based email client. His friend Dave uses S/MIME on his Windows-based email. Charlie is unable to send an encrypted email to Dave. What is the likely reason?
A. PGP and S/MIME are incompatible
B. Each has a different secret key
C. Each is using a different CA
D. There is not enough information to determine the likely reason
A


1. Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.
B


2. Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.
C


3. How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user's password against a database of stored credentials.
D


4. Which access control method is considered user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary
B


5. Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
A


6. If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary
A


7. The process of mutual authentication involves _______________.
A. a user authenticating to a system and the system authenticating to the user
B. a user authenticating to two systems at the same time
C. a user authenticating to a server and then to a process
D. a user authenticating, receiving a ticket, and then authenticating to a service
A


8. In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security officer
C. Security policy
D. Owner
D


9. Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User's workstation
C. Logon credentials
D. RADIUS
A


10. What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability
C


11. Who or what determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels
B


12. Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.
C


13. Which of the following is the best description of directories that are used in identity management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDAP.
A


14. Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration
B


15. What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization
D


16. Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly-based
B. Protocol anomaly-based
C. Temporal anomaly-based
D. Traffic anomaly-based
C


20. Which of the following has the correct term-to-definition mapping?
i. Brute-force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user's password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii
C


21. George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?
A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).
B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, malicious activities are not identified (false positives).
C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives).
D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).
C


22. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following changes would be best for Tom's team to implement?
A. Move from namespaces to distinguished names.
B. Move from meta-directories to virtual directories.
C. Move from RADIUS to TACACS+.
D. Move from a centralized to a decentralized control model.
B


23. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Which of the following components should Tom make sure his team puts into place?
A. Single sign-on module
B. LDAP directory service synchronization
C. Web access management
D. X.500 database
C


24. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.

Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company's help-desk budgetary issues?
A. Self-service password support
B. RADIUS implementation
C. Reduction of authoritative IdM sources
D. Implement a role-based access control model
A


25. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company's needs?
A. LDAP directories for authoritative sources
B. Digital identity provisioning
C. Active Directory
D. Federated identity
D


26. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team?
A. Service Provisioning Markup Language and the Extensible Access Control Markup Language
B. Standard Generalized Markup Language and the Generalized Markup Language
C. Extensible Markup Language and the HyperText Markup Language
D. Service Provisioning Markup Language and the Generalized Markup Language
A


27. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.

Pertaining to the CEO's security concerns, what should Lenny suggest the company put into place?
A. Security event management software, an intrusion prevention system, and behavior-based intrusion detection
B. Security information and event management software, an intrusion detection system, and signature-based protection
C. An intrusion prevention system, security event management software, and malware protection
D. An intrusion prevention system, security event management software, and war-dialing protection
A


28. Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

Which of the following is the best remote access technology for this situation?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
C


29. Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.

What are the two main security concerns Robbie is most likely being asked to identify and mitigate?
A. Social engineering and spear-phishing
B. War dialing and pharming
C. Spear-phishing and war dialing
D. Pharming and spear-phishing
C


30. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following best describes what is currently in place?
A. Capability-based access system
B. Synchronous tokens that generate one-time passwords
C. RADIUS
D. Kerberos
A


31. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following is one of the easiest and best solutions Tanya can consider for proper data protection?
A. Implementation of mandatory access control
B. Implementation of access control lists
C. Implementation of digital signatures
D. Implementation of multilevel security
B


32. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.

Which of the following is the best single sign-on technology for this situation?
A. PKI
B. Kerberos
C. RADIUS
D. TACACS+
B


33. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

Which of the following best describes the type of environment Harry's team needs to set up?
A. RADIUS
B. Service-oriented architecture
C. Public key infrastructure
D. Web services
B


34. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?
A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language
B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language
C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol
D. Service Provisioning Markup Language, Security Association Markup Language
C


35. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.

The company's partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue?
A. Service Provisioning Markup Language
B. Simple Object Access Protocol
C. Extensible Access Control Markup Language
D. Security Assertion Markup Language
D


Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information.
C


All of the following are steps in the security audit process except which one?
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.
B


Which of the following is an advantage of using third-party auditors? A. They may have knowledge that an organization wouldn't otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports.
A


Choose the term that describes an audit report that covers the information security controls of a service organization and is intended for public release.
A. SOC 1
B. SOC 2
C. SOC 3
D. Both B and C.
C


Which of the following is true of a vulnerability assessment?
A. The aim is to identify as many vulnerabilities as possible.
B. It is not concerned with the effects of the assessment on other systems.
C. It is a predictive test aimed at assessing the future performance of a system.
D. Ideally the assessment is fully automated with no human involvement.
A


An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as
A. Physical testing
B. Personnel testing
C. Vulnerability testing
D. Network testing
B


Which of the following is an assessment that affords the auditor detailed knowledge of the system's architecture before conducting the test?
A. White box testing
B. Gray box testing
C. Black box testing
D. Zero knowledge testing
A


Vulnerability scans normally involve all of the following except which one?
A. The identification of active hosts on the network
B. The identification of malware on all hosts
C. The identification of misconfigured settings
D. The identification of operating systems
B


Security event logs can best be protected from tampering by which one of the following?
A. Encrypting the contents using asymmetric key encryption
B. Ensuring every user has administrative rights on their own workstations
C. Using remote logging over simplex communications media
D. Storing the event logs on DVD-RW
C


Synthetic transactions are best described as
A. Real user monitoring (RUM)
B. Transactions that fall outside the normal purpose of a system
C. Transactions that are synthesized from multiple users' interactions with the system
D. A way to test the behavior and performance of critical services
D


Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal?
A. Misuse case testing
B. Use case testing
C. Real user monitoring (RUM)
D. Fuzzing
A


Code reviews include all the following except which one?
A. Ensuring the code conforms to applicable coding standards
B. Discussing bugs, design issues, and anything else that comes up about the code
C. Agreeing on a "disposition" for the code
D. Fuzzing the code
D


Interface testing could involve which of the following?
A. The application programming interface (API)
B. The graphical user interface (GUI)
C. Both of the above
D. None of the above
C


One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this?
A. Rebooting the compromised host
B. Exporting the password hash table
C. Pivoting from the compromised host to another target
D. Adding a privileged user account
D


Which of the following is not normally an element of user accounts management audits?
A. Password hashing
B. Signed AUPs
C. Privileged accounts
D. Suspended accounts
A


How might one test adherence to the user accounts policy?
A. User self-reporting
B. Penetration testing
C. Management review
D. User records auditing
D


Which operating systems allows users to temporarily elevate their privileges in order to launch an application at a higher privilege level?
A. All major desktop operating systems
B. Recent versions of Windows
C. Linux and Windows
D. Recent versions of Mac OS X
A


All of the following are normally legitimate reasons to suspend rather than delete user accounts except which one?
A. Regulatory compliance
B. Protection of the user's privacy
C. Investigation of a subsequently discovered event
D. Data retention policy
B


Data backup verification efforts should
A. Have the smallest scope possible
B. Be based on the threats to the organization
C. Maximize impact on business
D. Focus on user data
B


Why would an organization need to periodically test disaster recovery and business continuity plans if they've already been shown to work?
A. Environmental changes may render them ineffective over time.
B. It has low confidence in the abilities of the testers.
C. To appease senior leadership.
D. Resources may not be available in the future to test again.
A


All of the following are types of tests for disaster recovery and business continuity plans except which one?
A. Structured walk-through test
B. Simulation test
C. Null hypothesis test
D. Full-interruption test
C


What is the difference between security training and security awareness training?
A. Security training is focused on skills, while security awareness training is focused on recognizing and responding to issues.
B. Security training must be performed, while security awareness training is an aspirational goal.
C. Security awareness training is focused on security personnel, while security training is geared toward all users.
D. There is no difference. These terms refer to the same process.
A


Which of the following is not a form of social engineering?
A. Pretexting
B. Fishing
C. Whaling
D. Blackmailing
B


What is a key performance indicator (KPI)?
A. Any attribute of the ISMS that can be described as a value
B. The value of a factor at a particular point in time
C. A derived value that is generated by comparing multiple measurements against each other or against a baseline
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS
D


Which of the following is true about key risk indicators (KRIs)?
A. They tell managers where an organization stands with regard to its goals.
B. They are inputs to the calculation of single loss expectancy (SLE).
C. They tell managers where an organization stands with regard to its risk appetite.
D. An interpretation of one or more metrics that describes the effectiveness of the ISMS.
C


Which of the following is true of management reviews?
A. They happen periodically and include results of audits as a key input.
B. They happen in an ad hoc manner as the needs of the organization dictate.
C. They are normally conducted by mid-level managers, but their reports are presented to the key business leaders.
D. They are focused on assessing the management of the information systems.
A


What is the difference between due care and due diligence?
A. Due care is the continual effort to ensure that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations.
B. Due care is based on the prudent person concept, whereas due diligence is not.
C. They mean the same thing.
D. Due diligence involves investigating the risks, whereas due care involves carrying out the necessary steps to mitigate these risks.
D


Why should employers make sure employees take their vacations?
A. They have a legal obligation.
B. It is part of due diligence.
C. It is a way for fraud to be uncovered.
D. To ensure the employee does not get burnt out.
C


Which of the following best describes separation of duties and job rotation?
A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone.
B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
C. They are the same thing, but with different titles.
D. They are administrative controls that enforce access control and protect the
B
company's resources.


If a programmer is restricted from updating and modifying production code, what is this an example of?
A. Rotation of duties
B. Due diligence
C. Separation of duties
D. Controlling input values
C


Why is it important to control and audit input and output values?
A. Incorrect values can cause mistakes in data processing and be evidence of fraud.
B. Incorrect values can be the fault of the programmer and do not comply with the due care clause.
C. Incorrect values can be caused by brute-force attacks.
D. Incorrect values are not security issues.
A


What is the difference between least privilege and need to know?
A. A user should have least privilege that restricts her need to know.
B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources.
C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know.
D. They are two different terms for the same issue.
C


Which of the following would not require updated documentation?
A. An antivirus signature update
B. Reconfiguration of a server
C. A change in security policy
D. The installation of a patch to a production server
A


A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


Which of the following is not a true statement about CCTV lenses?
A. Lenses that have a manual iris should be used in outside monitoring.
B. Zoom lenses will carry out focus functionality automatically.
C. Depth of field increases as the size of the lens opening decreases.
D. Depth of field increases as the focal length of the lens decreases.
A


What is true about a transponder?
A. It is a card that can be read without sliding it through a card reader.
B. It is a biometric proximity device.
C. It is a card that a user swipes through a card reader to gain access to a facility.
D. It exchanges tokens with an authentication server.
A


When is a security guard the best choice for a physical access control mechanism?
A. When discriminating judgment is required
B. When intrusion detection is required
C. When the security budget is low
D. When access controls are in place
A


Which of the following is not a characteristic of an electrostatic intrusion detection system?
A. It creates an electrostatic field and monitors for a capacitance change.
B. It can be used as an intrusion detection system for large areas.
C. It produces a balance between the electric capacitance and inductance of an object.
D. It can detect if an intruder comes within a certain range of an object.
B


What is a common problem with vibration-detection devices used for perimeter security?
A. They can be defeated by emitting the right electrical signals in the protected area.
B. The power source is easily disabled.
C. They cause false alarms.
D. They interfere with computing devices.
C


Which of the following is not considered a delaying mechanism?
A. Locks
B. Defense-in-depth measures
C. Warning signs
D. Access controls
C


What are the two general types of proximity identification devices?
A. Biometric devices and access control devices
B. Swipe card devices and passive devices
C. Preset code devices and wireless devices
D. User-activated devices and system sensing devices
D


Which is not a drawback to installing intrusion detection and monitoring systems?
A. It's expensive to install.
B. It cannot be penetrated.
C. It requires human response.
D. It's subject to false alarms.
B


What is a cipher lock?
A. A lock that uses cryptographic keys
B. A lock that uses a type of key that cannot be reproduced
C. A lock that uses a token and perimeter reader
D. A lock that uses a keypad
D


If a cipher lock has a door delay option, what does that mean?
A. After a door is open for a specific period, the alarm goes off.
B. It can only be opened during emergency situations.
C. It has a hostage alarm capability.
D. It has supervisory override capability.
A


Which of the following best describes the difference between a warded lock and
a tumbler lock?
A. A tumbler lock is more simplistic and easier to circumvent than a warded lock.
B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders.
C. A tumbler lock has more components than a warded lock.
D. A warded lock is mainly used externally, and a tumbler lock is used internally.
C


All of the following are best practices for controlling the software that is installed and authorized to run in our systems except which?
A. Application whitelisting
B. Code reviews
C. Gold Masters
D. Least privilege
B


You come across an advanced piece of polymorphic malware that uses a custom communications protocol for network traffic. This protocol has a distinctive signature in its header. Which tool is best suited to mitigate this malware by preventing the packets from traversing the network?
A. Antimalware
B. Stateful firewall
C. Intrusion detection system (IDS)
D. Intrusion prevention system (IPS)
D


Which best describes a hot-site facility versus a warm- or cold-site facility?
A. A site that has disk drives, controllers, and tape drives
B. A site that has all necessary PCs, servers, and telecommunications
C. A site that has wiring, central air-conditioning, and raised flooring
D. A mobile site that can be brought to the company's parking lot
B


Which is the best description of remote journaling?
A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types
B


Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies?
A. The facility should be within to minutes of the original facility to ensure easy access.
B. The facility should contain all necessary PCs and servers and should have raised flooring.
C. The facility should be protected by an armed guard.
D. The facility should protect against unauthorized access and entry.
D


Which of the following does not describe a reciprocal agreement?
A. The agreement is enforceable.
B. It is a cheap solution.
C. It may be able to be implemented right after a disaster.
D. It could overwhelm a current data processing site.
A


Which of the following describes a cold site?
A. Fully equipped and operational in a few hours
B. Partially equipped with data processing equipment
C. Expensive and fully configured
D. Provides environmental measures but no equipment
D


After a computer forensic investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container
B. Dust the evidence for fingerprints
C. Make an image copy of the disks
D. Lock the evidence in the safe
C


Which of the following is a necessary characteristic of evidence for it to
be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.
C


If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be called?
A. Incident recovery response
B. Entrapment
C. Illegal
D. Enticement
D


An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following?
A. A virus
B. A Trojan horse
C. A worm
D. A logic bomb
B


Which of the following best describes the term DevOps?
A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects.
B. A multidisciplinary development team with representatives from many or all the stakeholder populations.
C. The operationalization of software development activities to support just-in- time delivery.
D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning. A


A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action?
A. Disinfect the file and contact the vendor
B. Back up the data and disinfect the file
C. Replace the file with the file saved the day before
D. Restore an uninfected version of the patched file from backup media
D


What is the purpose of polyinstantiation?
A. To restrict lower-level subjects from accessing low-level information
B. To make a copy of an object and modify the attributes of the second copy
C. To create different objects that will react in different ways to the same input
D. To create different objects that will take on inheritance attributes from their class
B


Database views provide what type of security control?
A. Detective
B. Corrective
C. Preventive
D. Administrative
C


Which of the following techniques or set of techniques is used to deter database inference attacks?
A. Partitioning, cell suppression, and noise and perturbation
B. Controlling access to the data dictionary
C. Partitioning, cell suppression, and small query sets
D. Partitioning, noise and perturbation, and small query sets
A


When should security first be addressed in a project?
A. During requirements development
B. During integration testing
C. During design specifications
D. During implementation
A


An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following?
A. Roll back and rewrite over original data
B. Terminate all transactions until properly addressed
C. Write a report to be reviewed
D. Checkpoint each data entry
C


Which of the following are rows and columns within relational databases?
A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes
D


Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement thecharacteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test?
i. Atomicity Divides transactions into units of work and ensures that all modifications take effect or none takes effect.
ii. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
iii. Isolation Transactions execute in isolation until completed, without interacting with other transactions.
iv. Durability Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back.
A. i, ii
B. ii. iii
C. ii, iv
D. iv
D


The software development life cycle has several phases. Which of the following lists these phases in the correct order?
A. Requirements gathering, design, development, maintenance, testing, release
B. Requirements gathering, design, development, testing, release
C. Prototyping, build and fix, increment, test, maintenance
D. Prototyping, testing, requirements gathering, integration, testing
B


John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out?
i. Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions.
ii. Integration testing Verifying that components work together as outlined in design specifications.
iii. Acceptance testing Ensuring that the code meets customer requirements.
iv. Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection.
A. i, ii
B. ii, iii
C. i, ii, iv
D. i, ii, iii, iv
D


Tim is a software developer for a financial institution. He develops middleware software code that carries out his company's business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over time. Which of the following best describes what Tim should implement to rid this software of this type of problem?
A. Bounds checking
B. Garbage collector
C. Parameter checking
D. Compiling
B


Marge has to choose a software development model that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of model her team should follow?
A. Cleanroom
B. Joint Analysis Development (JAD)
C. Rapid Application Development (RAD)
D. Reuse model
A


__________ is a software testing technique that provides invalid, unexpected, or random data to the input interfaces of a program.
A. Agile testing
B. Structured testing
C. Fuzzing
D. EICAR
C


Which of the following is the second level of the Capability Maturity Model
Integration?
A. Repeatable
B. Defined
C. Managed
D. Optimizing
A


One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic?
A. The building blocks of software are autonomous objects, cooperating through the exchange of messages.
B. The internal components of an object can be redefined without changing other parts of the system.
C. Classes are reused by other programs, though they may be refined through inheritance.
D. Object-oriented analysis, design, and modeling map to business needs and solutions.
D


Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field?
A. Traversal attack
B. Unicode encoding attack
C. URL encoding attack
D. Buffer overflow attack
B


Which of the following has an incorrect attack to definition mapping?
A. EBJ XSS attack Content processing stages performed by the client, typically in client-side Java.
B. Nonpersistent XSS attack Improper sanitation of response from a web client.
C. Persistent XSS attack Data provided by attackers is saved on the server.
D. DOM-based XSS attack Content processing stages performed by the client, typically in client-side JavaScript.
A


John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement?
A. Relational database
B. Object-relational database
C. Network database
D. Dynamic-static
B


ActiveX Data Objects (ADO) is an API that allows applications to access back- end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO?
i. It's a low-level data access programming interface to an underlying data access technology (such as OLE DB).
ii. It's a set of COM objects for accessing data sources, not just database access.
iii. It allows a developer to write programs that access data without knowing how the database is implemented.
iv. SQL commands are required to access a database when using ADO.
A. i, iv
B. ii, iii
C. i, ii, iii
D. i, ii, iii, iv
A


Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services?
i. A semantic integrity mechanism makes sure structural and semantic rules are enforced.
ii. A database has referential integrity if all foreign keys reference existing primary keys.
iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.
A. ii
B. ii, iii
C. i, ii, iii
D. i, ii
C


Which of the following is not very useful in assessing the security of acquired software?
A. The reliability and maturity of the vendor
B. The NIST's National Software Reference Library
C. Third-party vulnerability assessments
D. In-house code reviews
B


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario?
A. Computer-aided software engineering tools
B. Software configuration management
C. Software development life-cycle management
D. Software engineering best practices
B


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which is the best software architecture that Sandy should introduce her team to for effective business application use?
A. Distributed component object architecture
B. Simple Object Access Protocol architecture
C. Enterprise JavaBeans architecture
D. Service-oriented architecture
D


Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Program- mers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package.

Which best describes the approach Sandy's team member took when creating the business-oriented software package mentioned within the scenario?
A. Software as a Service
B. Cloud computing
C. Web services
D. Mashup
D


Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are?
A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service's specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
B. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service.
C. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. The Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service.
D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service.
B


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Which of the following best describes attacks that could be taking place against this organization?
A. Cross-site scripting and certification stealing
B. URL encoding and directory traversal attacks
C. Parameter validation manipulation and session management attacks
D. Replay and password brute-force attacks
B


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Which of the following functions is the web server software currently carrying out, and what is an associated security concern Brad should address?
A. The web server should carry out a secondary set of input validation rules on the presented data before processing it.
B. Server-side includes validation The web server should carry out a secondary set of input validation rules on the presented data before processing it.
C. Data Source Name logical naming access The web server should be carrying out a second set of reference integrity rules.
D. Data Source Name logical naming access The web server should carry out a secondary set of input validation rules on the presented data before processing it.
A


Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the following characters "%and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database.

Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with?
A. Parameter validation attack
B. Injection attack
C. Cross-site scripting
D. Database connector attack
B


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

Based upon this scenario, what is most likely the biggest risk Josh's company needs to be concerned with?
A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh's company.
B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet.
C. Impact on reputation if the customer base finds out about the attack.
D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.
A


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

The attackers in this situation would be seen as which of the following?
A. Vulnerability
B. Threat
C. Risk
D. Threat agent
D


Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research finding, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded.

If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively?
A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data.
B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened.
C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data.
D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.
C


Aaron is a security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement?
A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS
C


Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security
C


It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the
A. Federal Privacy Act
B. PATRIOT Act
C. Fourth Amendment of the Constitution
D. Bill of Rights
C


Jane is suspicious that an employee is sending sensitive data to one of the company's competitors. The employee has to use this data for daily activities, thus it is difficult to properly restrict the employee's access rights. In this scenario, which best describes the company's vulnerability, threat, risk, and necessary control?
A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring.
B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user monitoring.
C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication.
D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.
B


Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces an enterprise-wide security policy, standards, and guidelines.
C


Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company's policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration?
A. Each country may or may not have unique notification requirements.
B. All breaches must be announced to affected parties within 24 hours.
C. Breach notification is a "best effort" process and not a guaranteed process.
D. Breach notifications are avoidable if all PII is removed from data stores.
A


A software development company released a product that committed several errors that were not expected once deployed in their customers' environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted?
A. Unit
B. Compiled
C. Integration
D. Regression
D


It is important to choose the right risk analysis methodology to meet the goals of the organization's needs. Which of the following best describes when the risk management standard AS/NZS 4360 should be used?
A. When there is a need to assess items of an organization that are directly related to information security
B. When there is a need to assess items of an organization that are not just restricted to information security
C. When a qualitative method is needed to prove the compliance levels as they pertain to regulations
D. When a qualitative method is needed to prove the compliance levels as they pertain to laws
B


Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly?
A. Evaluation, accreditation, certification
B. Evaluation, certification, accreditation
C. Certification, evaluation, accreditation
D. Certification, accreditation, evaluation
B


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which of the following approaches has been implemented in this scenario?
A. Defense-in-depth
B. Security through obscurity
C. Information security management system
D. BS 17799
B


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which ISO/IEC standard would be best for Jack to follow to meet his goals?
A. ISO/IEC 27002
B. ISO/IEC 27004
C. ISO/IEC 27005
D. ISO/IEC 27006
C


Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence

Which standard should Jack suggest to his boss for compliance?
A. BS 17799
B. ISO/IEC 27004
C. ISO/IEC 27799
D. BS 7799:2011
C


An operating system maintains several processes in memory at the same time. The processes can only interact with the CPU during their assigned time slices since there is only one CPU and many processes. Each process is assigned an interrupt value to allow for this type of time slicing to take place. Which of the following best describes the difference between maskable and nonmaskable interrupts?
A. A maskable interrupt is assigned to a critical process, and a nonmaskable interrupt is assigned to a noncritical process.
B. A maskable interrupt is assigned to a process in ring 0, and a nonmaskable interrupt is assigned to a process in ring 3.
C. A maskable interrupt is assigned to a process in ring 3, and a nonmaskable interrupt is assigned to a process in ring 4.
D. A maskable interrupt is assigned to a noncritical process, and a nonmaskable interrupt is assigned to a critical process.
D


The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit?
A. SSL
B. VPN
C. IEEE 802.1x
D. Whole-disk encryption
B


There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?
A. Best evidence
B. Corroborative evidence
C. Conclusive evidence
D. Direct evidence
B


A(n) _____ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot.
A. Anti-spoofing symbol
B. CAPTCHA
C. Spam anti-spoofing symbol
D. CAPCHAT
B


Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position?
A. Ensuring that company financial information is correct and secure
B. Ensuring that customer, company, and employee data is protected
C. Ensuring that security policies are defined and enforced
D. Ensuring that partner information is kept safe
B


A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed?
Develop a risk management team
Calculate the value of each asset
Identify the vulnerabilities and threats that can affect the identified assets
Identify company assets to be assessed
A. 1, 3, 2, 4
B. 2, 1, 4, 3
C. 3, 1, 4, 2
D. 1, 4, 2, 3
D


Jack needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn't want to wait for the users to report problems. Which of the following techniques should Jack use?
A. Real user monitoring
B. Synthetic transactions
C. Log reviews
D. Management review
B


Which of the following best describes a technical control for dealing with the risks presented by data remanence?
A. Encryption
B. Data retention policies
C. File deletion
D. Using solid-state drives (SSD)
A


George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank's customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation?
A. Web servers were compromised through cross-scripting attacks.
B. TLS connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with Trojan horses that installed keyloggers.
D. Web servers were compromised and masquerading attacks were carried out.
C


Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers
B


In what order would a typical PKI infrastructure perform the following transactions?
Receiver decrypts and obtains session key.
Sender requests receiver's public key.
Public key is sent from a public directory.
Sender sends a session key encrypted with receiver's public key.
A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1
C


Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following is the best solution for this company to implement as it pertains to the first issue addressed in the scenario?
A. Event correlation tools
B. Intrusion detection systems
C. Security information and event management
D. Security event correlation management tools
C


Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default.

Which of the following best describes why Tim should be concerned about the second issue addressed in the scenario?
A. Software and devices that are scanning traffic for suspicious activity may only be configured to evaluate one system type.
B. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate one service type.
C. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate two protocol types.
D. Software and devices that are monitoring traffic for suspicious activity may only be configured to evaluate one traffic type.
D


Which of the following is not a concern of a security professional considering adoption of Internet of Things (IoT) devices?
A. Weak or nonexistent authentication mechanisms
B. Vulnerability of data at rest and data in motion
C. Difficulty of deploying patches and updates
D. High costs associated with connectivity
D


What type of rating system is used within the Common Criteria structure?
A. PP
B. EPL
C. EAL
D. A-D
C


31.____, a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.
____ is an XML-based framework being developed by OASISfor exchanging user, resource, and service provisioning information between cooperating organizations.
A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML)
B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML)
C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML)
D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)
B


Doors configured in fail-safe mode assume what position in the event of a powerfailure?
A. Open and locked
B. Closed and locked
C. Closed and unlocked
D. Open
C


Next-generation firewalls combine the best attributes of other types of firewalls. Which of the following is not a common characteristic of these firewall types?
A. Integrated intrusion prevention system
B. Sharing signatures with cloud-based aggregators
C. Automated incident response
D. High cost
C


The purpose of security awareness training is to expose personnel to security issues so that they may be able to recognize them and better respond to them. Which of the following is not normally a topic covered in security awareness training?
A. Social engineering
B. Phishing
C. Whaling
D. Trolling
D


Zack is a security consultant who has been hired to help an accounting company improve some of their current e-mail secu- rity practices. The company wants to ensure that when their clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for their current mail server and clients.

Which of the following best describes how client messages can be dealt with and addresses the first issue outlined in the scenario?
A. The company needs to integrate a public key infrastructure and the Diameter protocol.
B. Clients must encrypt messages with their public key before sending them to the accounting company.
C. The company needs to have all clients sign a formal document outlining nonrepudiation requirements.
D. Clients must digitally sign messages that contain financial information.
D


Zack is a security consultant who has been hired to help an accounting company improve some of their current e-mail secu- rity practices. The company wants to ensure that when their clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for their current mail server and clients.

Which of the following would be the best solution to integrate to meet the authentication requirements outlined in the scenario?
A. TLS
B. IPSec
C. 802.1x
D. SASL
D


Rennie needs to ensure that the BCP project will be successful. His manager has asked him to carry out a SWOT analysis to ensure that the defined objectives within the scope can be accomplished and to identify issues that could impede the necessary success and productivity required of the project as a whole. Which of the following is not considered to be a basic tenet of a SWOT analysis?
A. Strengths: Characteristics of the project team that give it an advantage over others
B. Weaknesses: Characteristics that place the team at a disadvantage relative to others
C. Opportunities: Elements that could contribute to the project's success
D. Trends: Elements that could contribute to the project's failure
D


A ____ is the amount of time it should take to recover from a is the amount of data, measured in time, that can
disaster, and a ____ be lost and be tolerable from that same event.
A. recovery time objective, recovery point objective
B. recovery point objective, recovery time objective
C. maximum tolerable downtime, work recovery time
D. work recovery time, maximum tolerable downtime
A


Mary is playing around on her computer late at night and discovers a way to compromise a small company's personnel files. She decides to take a look around, but does not steal any information. Is she still committing a crime even if she does not steal any of the information?
A. No, since she does not steal any information, she is not committing a crime.
B. Yes, she has gained unauthorized access.
C. Not if she discloses the vulnerability she exploited to the company.
D. Yes, she could jeopardize the system without knowing it.
B


In the structure of Extensible Access Control Markup Language (XACML), a Subject element is the ____ , a Resource element is the ____ , and an Action element is the ____.
A. requesting entity, requested entity, types of access
B. requested entity, requesting entity, types of access
C. requesting entity, requested entity, access control
D. requested entity, requesting entity, access control
A


The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its ____, disregarding its current location in the Internet. While away from its home network, a mobile node is associated with a ____.
A. prime address, care-of address
B. home address, care-of address
C. home address, secondary address
D. prime address, secondary address
B


Instead of managing and maintaining many different types of security products and solutions, Joan wants to purchase a product that combines many technologies into one appliance. She would like to have centralized control, streamlined maintenance, and a reduction in stove pipe security solutions. Which of the following would best fit Joan's needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS\IPS integration
D. Unified threat management
D


Why is it important to have a clearly defined incident-handling process in place?
A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and confusing manner
B. To provide a quick reaction to a threat so that a company can return to normal operations as soon as possible
C. To provide a uniform approach with certain expectations of the results
D. All of the above
D


Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules?
A. Council of Global Convention on Cybercrime
B. Council of Europe Convention on Cybercrime
C. Organisation for Economic Co-operation and Development
D. Organisation for Cybercrime Co-operation and Development
C


System ports allow different computers to communicate with each other's services and protocols. Internet Corporation for Assigned Names and Numbers has assigned registered ports to be ____ and dynamic ports to be ____.
A. 0-1024, 49152-65535
B. 1024-49151, 49152-65535
C. 1024-49152, 49153-65535
D. 0-1024, 1025-49151
B


When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the following provides the correct formula to understand the value of a safeguard?
A. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
B. (ALE before implementing safeguard) - (ALE during implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
C. (ALE before implementing safeguard) - (ALE while implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
D. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of asset) = value of safeguard to the company
A


Patty is giving a presentation next week to the executive staff of her company. She wants to illustrate the benefits of the company using specific cloud computing solutions. Which of the following does not properly describe one of these benefits
or advantages?
A. Organizations have more flexibility and agility in IT growth and functionality.
B. Cost of computing can be increased since it is a shared delivery model.
C. Location independence can be achieved because the computing is not centralized and tied to a physical data center.
D. Scalability and elasticity of resources can be accomplished in near real-time through automation.
B


Frank is the new manager of the in-house software designers and programmers. He has been telling his team that before design and programming on a new product begins, a formal architecture needs to be developed. He also needs this team to understand security issues as they pertain to soft- ware design. Frank has shown the team how to follow a systematic approach that allows them to understand how different compromises could take place with the software prod- ucts they develop.

Which of the following best describes what an architecture is in the context of this scenario?
A. Tool used to conceptually understand the structure and behavior of a complex entity through different views
B. Formal description and representation of a system and the components that make it up
C. Framework used to create individual architectures with specific views
D. Framework that is necessary to identify needs and meet all of the stakeholder requirements
A


Frank is the new manager of the in-house software designers and programmers. He has been telling his team that before design and programming on a new product begins, a formal architecture needs to be developed. He also needs this team to understand security issues as they pertain to soft- ware design. Frank has shown the team how to follow a systematic approach that allows them to understand how different compromises could take place with the software prod- ucts they develop.

Which of the following best describes the approach Frank has shown his team as outlined in the scenario?
A. Attack surface analysis
B. Threat modeling
C. Penetration testing
D. Double-blind penetration testing
B


Barry was told that the IDS product that is being used on the network has heuristic capabilities. Which of the following best describes this functionality?
A. Gathers packets and reassembles the fragments before assigning anomaly values
B. Gathers data to calculate the probability of an attack taking place
C. Gathers packets and compares their payload values to a signature engine
D. Gathers packet headers to determine if something suspicious is taking place within the network traffic
B


Bringing in external auditors has advantages over using an internal team. Which
of the following is not true about using external auditors?
A. They are required by certain governmental regulations.
B. They bring experience gained by working in many other organizations.
C. They know the organization's processes and technology better than anyone else.
D. They are less influenced by internal culture and politics.
C


Don is a senior manager of an architectural firm. He has just found out that a key contract was renewed, allowing the company to continue developing an operating system that was idle for several months. Excited to get started, Don begins work on the operating system privately, but cannot tell his staff until the news is announced publicly in a few days. However, as Don begins making changes in the software, various staff members notice changes in their connected systems, even though they work in a lower security level. What kind of model could be used to ensure this does not happen?
A. Biba
B. Bell-LaPadula
C. Noninterference
D. Clark-Wilson
C


Betty has received several e-mail messages from unknown sources that try and entice her to click a specific link using a "Click Here" approach. Which of the following best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bidirectional injection attack
B


Rebecca is an internal auditor for a large retail company. The company has a number of web applications that run critical business processes with customers and partners around the world. Her company would like to ensure the security of technical controls on these processes. Which of the following would not be a good approach to auditing these technical controls?
A. Log reviews
B. Code reviews
C. Personnel background checks
D. Misuse case testing
C


Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing
D


In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols?
A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control
information to provide feedback on QoS levels.
B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels.
C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide
feedback on QoS levels.
D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control
information to provide feedback on QoS levels.
D


ISO/IEC 27031:2011 is an international standard for business continuity that organizations can follow. Which of the following is a correct characteristic of this standard?
A. Guidelines for information and communications technology readiness for business continuity
B. ISO/IEC standard that is a component of the overall BS 7999 series
C. Standard that was developed by NIST and evolved to be an international standard
D. Component of the Safe Harbor requirements
A


A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. This can normally be accomplished in all the following ways except which one?
A. Compromising an existing privileged account
B. Creating a new privileged account
C. Deleting the /etc/passwd file
D. Elevating the privileges of an existing account
C


IPSec's main protocols are AH and ESP. Which of the following services does AH provide?
A. Confidentiality and authentication
B. Confidentiality and availability
C. Integrity and accessibility
D. Integrity and authentication
D


When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for?
A. Availability, confidentiality, integrity, durability
B. Availability, consistency, integrity, durability
C. Atomicity, confidentiality, isolation, durability
D. Atomicity, consistency, isolation, durability
D


Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers.

Which of the following services would allow Jim to transition all administrative custom applications to the cloud while leveraging the service provider for security and patching of the cloud platforms?
A. IaaS
B. PaaS
C. SaaS
D. IDaaS
B


Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers.

Which of the following would not be an issue that Jim would have to consider in transitioning administrative services to the cloud?
A. Privacy and data breach laws in the country where the cloud servers are located
B. Loss of efficiencies, performance, reliability, scalability, and security
C. Security provisions in the terms of service
D. Total cost of ownership compared to the current systems
B


Henry is the team leader of a group of software designers. They are at a stage in their software development project where they need to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege level as much as possible, and eliminate unnecessary services. Which of the following best describes the first step the team needs to carry out to accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing
A


Jenny needs to engage a new software development company to create he company's internal banking software. It will need to be created specifically for her company's environment, so it must be proprietary in nature. Which of the following would be useful for Jenny to use as a gauge to determine how advanced and mature the various software development companies are in their processes?
A. SaS 70
B. Capability Maturity Model Integration level
C. Auditing results
D. Key performance metrics
B


Which of the following is a representation of the logical relationship between elements of data and dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements?
A. Data element
B. Array
C. Secular component
D. Data structure
D


Kerberos is a commonly used access control and authentication technology. It is important to understand what the technology can and cannot do and its potential downfalls. Which of the following is not a potential security issue that must be addressed when using Kerberos?
i. The KDC can be a single point of failure.
ii. The KDC must be scalable.
iii. Secret keys are temporarily stored on the users' workstations.
iv. Kerberos is vulnerable to password guessing.
A. i, iv
B. iii
C. All of them
D. None of them
D


If the ALE for a specific asset is $100,000, and after implementation of the control the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control?
A. Yes
B. No
C. Not enough information
D. It depends on the ARO
A


ISO/IEC 27000 is a growing family of ISO/IEC information security management system (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002: Code of practice for information security management
B. ISO/IEC 27003: Guideline for ISMS implementation
C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems
D


When a CPU is passed an instruction set and data to be processed and the program status word (PSW) register contains a value indicating that execution should take place in privileged mode, which of the following would be considered true?
A. Operating system is executing in supervisory mode
B. Request came from a trusted process
C. Functionality that is available in user mode is not available
D. An untrusted process submitted the execution request
B


Encryption and decryption can take place at different layers of an Operating system, application, and network stack. End-to-end encryption happens within the ____ layer. IPSec encryption takes place at the ____ layers. PPTP encryption takes place at the ____ layer. Link encryption takes place at the ____ and ____ layers.
A. applications, transport, data link, data link, physical
B. applications, transport, network, data link, physical
C. applications, network, data link, data link, physical
D. network, transport, data link, data link, physical
C


Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.
A


Which legal system is characterized by its reliance on previous interpretations of the law?
A. Tort
B. Customary
C. Common
D. Civil (code)
C


In order to be admissible in court, evidence should normally be which of the following?
A. Subpoenaed
B. Relevant
C. Motioned
D. Adjudicated
B


A fraud analyst with a national insurance company uses database tools every day to help identify violations and identify relationships between the captured data through the uses of rule discovery. These tools help identify relationships among a wide variety of information types. What kind of knowledge discovery in database (KDD) is this considered?
A. Probability
B. Statistical
C. Classification
D. Behavioral
B


Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE
C


Which of the following has an incorrect definition mapping?
i. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Team-oriented approach that assesses organizational and
IT risks through facilitated workshops
ii. AS/NZS 4360 Australia and New Zealand business risk management assessment approach
iii. ISO/IEC 27005 International standard for the implementation of a risk management program that integrates into an information security management system (ISMS)
iv. Failure Modes and Effect Analysis (FMEA) Approach that dissects a component into its basic functions to identify flaws and those flaws' effects
v. Fault tree analysis Approach to map specific flaws to root causes in complex systems

A. None of them
B. ii
C. iii, iv
D. v
A


For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed?
i. Strategic alignment
ii. Process enhancement
iii. Business enablement
iv. Security effectiveness

A. i, ii
B. ii, iii
C. i, ii, iii, iv
D. iii, iv
C


Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)?
A. An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy
C. An international organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized econom
D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy
A


There are many enterprise architecture models that have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architect type and the associated definition?
A. Zachman Framework Model and methodology for the development of information security enterprise architectures
B. TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group
C. DoDAF U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
D. MODAF Architecture framework used mainly in military support missions developed by the British Ministry of Defence
A


Which of the following best describes the difference between the role of the ISO/ IEC 27000 series and COBIT? A. COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT provides the objectives of the individual security controls.
C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented.
D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.
B


The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model?
A. It provides a pathway for how incremental improvement can take place.
B. It provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes.
C. It was created for process improvement and developed by Carnegie Mellon.
D. It was built upon the SABSA model.
D


If Joe wanted to use a risk assessment methodology that allows the various business owners to identify risks and know how to deal with them, what methodology would he use?
A. Qualitative
B. COSO
C. FRAP
D. OCTAVE
D


Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based upon a formal architecture framework. Which of the following best describes what a formal architecture framework is and why it would be used?
A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection
B. Conceptual model that is organized into multiple views addressing each of the stakeholder's concerns
C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner
D. Enterprise framework that allows for proper security governance
B


Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.
C


Several models and frameworks have been developed by different organizations over the years to help businesses carry out processes in a more efficient and effective manner. Which of the following provides the correct definition mapping of one of these items?
i. COSOA framework and methodology for enterprise security architecture and service management
ii. ITIL Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce
iii. Six Sigma Business management strategy that can be used to carry out process improvement
iv. Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon

A. i
B. i, iii
C. ii, iv
D. ii, iii, iv
D


It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts?
A. Service level agreement
B. Return on investment
C. Balanced scorecard system
D. Provisioning system
D


Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. Which of the following is an incorrect mapping of the levels that may be assigned to an organization based upon this model?
i. Maturity Level 2 - Managed or Repeatable
ii. Maturity Level 3 - Defined
iii. Maturity Level 4 - Quantitatively Managed
iv. Maturity Level 5 - Optimizing

A. i
B. i, ii
C. All of them
D. None of them
D


An organization's information system risk management (ISRM) policy should address many items to provide clear direction and structure. Which of the following is not a core item that should be covered in this type of policy?
i. The objectives of the IRM team
ii. The level of risk the organization will accept and what is considered an acceptable level of risk
iii. Formal processes of risk identification
iv. The connection between the IRM policy and the organization's strategic planning processes
v. Responsibilities that fall under IRM and the roles to fulfill them
vi. The mapping of risk to specific physical controls
vii. The approach toward changing staff behaviors and resource allocation in response to risk analysis
viii. The mapping of risks to performance targets and budgets ix. Key indicators to monitor the effectiveness of controls

A. ii, v, ix
B. vi
C. v
D. vii, ix
B


More organizations are outsourcing business functions to allow them to focus on their core business functions. Companies use hosting companies to maintain websites and e-mail servers, service providers for various telecommunication connections, disaster recovery companies for co-location capabilities, cloud computing providers for infrastructure or application services, developers for software creation, and security companies to carry out vulnerability management. Which of the following items should be included during the analysis of an outsourced partner or vendor?
i. Conduct onsite inspection and interviews
ii. Review contracts to ensure security and protection levels are agreed upon
iii. Ensure service level agreements are in place
iv. Review internal and external audit reports and third-party reviews
v. Review references and communicate with former and existing customers
vi. Review Better Business Bureau reports

A. ii, iii, iv
B. iv, v, vi
C. All of them
D. i, ii, iii
C


Which of the following is normally not an element of e-Discovery?
A. Identification
B. Preservation
C. Production
D. Remanence
D


A financial institution has developed its internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of guidance and functionality?
A. ISO/IEC 27002
B. ISO/IEC 27003
C. ISO/IEC 27004
D. ISO/IEC 27005
C


Which of the following is not an advantage of using content distribution networks?
A. Improved responsiveness to regional users
B. Resistance to ARP spoofing attacks
C. Customization of content for regional users
D. Resistance to DDoS attacks
B


Sue has been asked to install a web access management (WAM) product for her company's environment. What is the best description for what WAMs are commonly used for?
A. Control external entities requesting access to internal objects
B. Control internal entities requesting access to external objects
C. Control external entities requesting access through X.500 databases
D. Control internal entities requesting access through X.500 databases
A


A user's digital identity is commonly made up of more than just a username. Which of the following is not a common item that makes up a user's identity?
A. Entitlements
B. Traits
C. Figures
D. Attributes
C


Which of the following is a true statement pertaining to markup languages?
A. HyperText Markup Language (HTML) came from Generalized Markup Language (GML), which came from the Standard Generalized Markup Language (SGML).
B. HyperText Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML).
C. Standard Generalized Markup Language (SGML) came from the HyperText Markup Language (HTML), which came from the Generalized Markup Language (GML).
D. Standard Generalized Markup Language (SGML) came from the Generalized Markup Language (GML), which came from the HyperText Markup Language (HTML).
B


What is Extensible Markup Language (XML), and why was it created?
A. A specification that is used to create various types of markup languages for specific industry requirements
B. A specification that is used to create static and dynamic websites
C. A specification that outlines a detailed markup language dictating all formats of all companies that use it
D. A specification that does not allow for interoperability for the sake of security
A


Which access control policy is enforced in an environment that uses containers and implicit permission inheritance using a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory
B


Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP, and had users connecting via wireless and wired transmissions?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
C


Jay is the security administrator at a credit card processing company. The company has many identity stores, which are not properly synchronized. Jay is going to oversee the process of centralizing and synchronizing the identity data within the company. He has determined that the data in the HR database will be considered the most up-to-date data, which cannot be overwritten by the software in other identity stores during their synchronization processes. Which of the following best describes the role of this database in the identity management structure of the company?
A. Authoritative system of record
B. Infrastructure source server
C. Primary identity store
D. Hierarchical database primary
A


Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning?
A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to compliance processes
C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes
A


A user's identity can be a collection of her ____ (department, role in company, shift time, clearance); her ____ (resources available to her, authoritative rights in the company); and her ____ (biometricinformation, height, sex,).
A. attributes, access, traits
B. attributes, entitlements, access
C. attributes, characteristics, traits
D. attributes, entitlements, traits
D


John needs to ensure that his company's application can accept provisioning data from the company's partner's application in a standardized method. Which of the following best describes the technology that John should implement?
A. Service Provisioning Markup Language
B. Extensible Provisioning Markup Language
C. Security Assertion Markup Language
D. Security Provisioning Markup Language
A


Lynn logs into a website and purchases an airline ticket for her upcoming trip. The website also offers her pricing and package deals for hotel rooms and rental cars while she is completing her purchase. The airline, hotel, and rental companies are all separate and individual companies. Lynn decides to purchase her hotel room through the same website at the same time. The website is using Security Assertion Markup Language to allow for this type of federated identity management functionality. In this example which entity is the principal, which entity is the identity provider, and which entity is the service provider?
A. Portal, Lynn, hotel company
B. Lynn, airline company, hotel company
C. Lynn, hotel company, airline company
D. Portal, Lynn, airline company
B


John is the new director of software development within his company. Several proprietary applications offer individual services to the employees, but the employees have to log into each and every application independently to gain access to these discrete services. John would like to provide a way that allows each of the services provided by the various applications to be centrally accessed and controlled. Which of the following best describes the architecture that John should deploy?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture
A


Which security model enforces the principle that the security levels of an object should never change and is known as the "strong tranquility" property?
A. Biba
B. Bell-LaPadula
C. Brewer-Nash
D. Noninterference
B


Khadijah is leading a software development team for her company. She knows the importance of conducting an attack surface analysis and developing a threat model. During which phase of the software development life cycle should she perform these actions?
A. Requirements gathering
B. Testing and validation
C. Release and maintenance
D. Design
D


There is a specific terminology taxonomy used in the discipline of formal architecture framework development and implementation. Which of the following terms has an incorrect definition?
i. Architecture Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.
ii. Architectural description (AD) Representation of a whole system from the perspective of a related set of concerns.
iii. Stakeholder Individual, team, or organization (or classes thereof ) with interests in, or concerns relative to, a system.
iv. View Collection of document types to convey an architecture in a formal manner.
v. Viewpoint A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

A. i, iii
B. ii, iv
C. iv, v
D. ii
B


Operating systems may not work on systems with specific processors. Which of the following best describes why one operating system may work on an Intel processor but not on an AMD processor?
A. The operating system was not developed to work within the architecture of a specific processor and cannot use that specific processor instruction set.
B. The operating system was developed before the new processor architecture was released, and thus is not backward compatible.
C. The operating system is programmed to use a different instruction set.
D. The operating system is platform dependent, and thus can work only on one specific processor family.
A


Which of the following best describes how an address bus and a data bus are used for instruction execution?
A. The CPU sends a "fetch" request on the data bus, and the data residing at the requested address is returned on the address bus.
B. The CPU sends a "get" request on the address bus, and the data residing at the requested address is returned on the data bus.
C. The CPU sends a "fetch" request on the address bus, and the data residing at the requested address is returned on the data bus.
D. The CPU sends a "get" request on the data bus, and the data residing at the requested address is returned on the address bus.
C


An operating system has many different constructs to keep all of the different execution components in the necessary synchronization. One construct the operating system maintains is a process table. Which of the following best describes the role of a process table within an operating system?
A. The table contains information about each process that the CPU uses during the execution of the individual processes' instructions.
B. The table contains memory boundary addresses to ensure that processes do not corrupt each other's data
C. The table contains condition bits that the CPU uses during state transitions.
D. The table contains I/O and memory addresses.
A


Hanna is a security manager of a company that relies heavily on one specific operating system. The operating system is used in the employee workstations and is embedded within devices that support the automated production line software. She has uncovered that the operating system has a vulnerability that could allow an attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability
introduces?
A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking
C


Which of the following architecture frameworks has a focus on command, control, communications, computers, intelligence, surveillance, and
reconnaissance systems and processes?
A. DoDAF
B. TOGAF
C. CMMI
D. MODAF
A


Many operating systems implement address space layout randomization (ASLR). Which of the following best describes this type of technology?
A. Randomly arranging memory address values
B. Restricting the types of processes that can execute instructions in privileged mode
C. Running privileged instructions in virtual machines
D. Randomizing return pointer values
A


A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this?
A. A wide-angle lens and a small lens opening
B. A wide-angle lens and a large lens opening
C. A wide-angle lens and a large lens opening with a small focal length
D. A wide-angle lens and a large lens opening with a large focal length
A


What is the name of a water sprinkler system that keeps pipes empty and doesn't release water until a certain temperature is met and a "delay mechanism" is instituted?
A. Wet
B. Preaction
C. Delayed
D. Dry
B


There are different types of fire suppression systems. Which of the following answers best describes the difference between a deluge and a preaction system?
A. A deluge system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A preaction system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
C. A dry pipe system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
D. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.
B


Which of the following best describes why Crime Prevention Through Environmental Design (CPTED) would integrate block parties and civic meetings?
A. These activities are designed to get people to work together to increase the overall crime and criminal behavior in the area.
B. These activities are designed to get corporations to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
C. These activities are designed to get people to work together to increase the three strategies of this design model.
D. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area.
D


Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give
a holistic understanding of the enterprise?
A. SABSA
B. TOGAF
C. CMMI
D. Zachman
D


Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer?
A. End-to-end data transmission
B. Application client/server communication mechanism in a distributed environment
C. Application-to-computer physical communication
D. Provides application with the proper syntax for transmission
B


What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals
A


Which of the following best describes why classless interdomain routing (CIDR) was created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization's need
D. To allow IPv6 to tunnel IPSec traffic
C


John is a security engineer at a company that develops highly confidential products for various government agencies. While his company has VPNs set up to protect traffic that travels over the Internet and other nontrusted networks, he knows that internal traffic should also be protected. Which of the following is the best type of approach John's company should take?
A. Implement a data link technology that provides 802.1AE security functionality.
B. Implement a network-level technology that provides 802.1AE security functionality.
C. Implement TLS over L2TP.
D. Implement IPSec over L2TP.
A


IEEE ____ provides a unique ID for a device. IEEE ____ provides data encryption, integrity, and origin authentication functionality. IEEE ____ carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE ___ framework.
A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS
B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL
C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL
D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS
D


Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is most likely taking place?
A. An attacker is modifying the switch SNMP MIB.
B. An attacker is carrying out a selective DoS attack.
C. An attacker is manipulating the ARP cache.
D. An attacker is carrying out an injection attack.
A


Larry is a seasoned security professional and knows the potential dangers associated with using an ISP's DNS server for Internet connectivity. When Larry stays at a hotel or uses his laptop in any type of environment he does not fully trust, he updates values in his HOSTS file. Which of the following best describes why Larry carries out this type of task?
A. Reduces the risk of an attacker sending his system a corrupt ARP address that points his system to a malicious website.
B. Ensures his host-based IDS is properly updated.
C. Reduces the risk of an attacker sending his system an incorrect IP address-to- host mapping that points his system to a malicious website.
D. Ensures his network-based IDS is properly synchronized with his host-based IDS.
C


John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag values. Which of the following best describes the type of attack that has most likely been taking place?
A. DHCP snooping
B. VLAN hopping
C. Network traffic shaping
D. Network traffic hopping
B


Frank is a new security manager for a large financial institution. He has been told that the organization needs to reduce the total cost of ownership for many components of the network and infrastructure. The organization currently maintains many distributed networks, software packages, and applications. Which of the following best describes the cloud services that are most likely provided by service providers for Frank to choose from?
A. Infrastructure as a Service provides an environment similar to an operating system, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application- based functionality.
B. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.
C. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides application-based functionality, and Software as a Service provides specific operating system functionality.
D. Infrastructure as a Service provides an environment similar to a database, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.
B


Terry is told by his boss that he needs to implement a networked-switched infrastructure that allows several systems to be connected to any storage device. What does Terry need to roll out?
A. Electronic vaulting
B. Hierarchical storage management
C. Storage area network
D. Remote journaling
C


On a Tuesday morning, Jami is summoned to the office of the security director, where she finds six of her peers from other departments. The security director gives them instructions about an event that will be taking place in two weeks. Each of the individuals will be responsible for removing specific systems from the facility, bringing them to the offsite facility, and implementing them. Each individual will need to test the installed systems and ensure the configurations are correct for production activities. What event is Jami about to take part in?
A. Parallel test
B. Full-interruption test
C. Simulation test
D. Structured walk-through test
A


While DRP and BCP are directed at the development of "plans," is the holistic management process that should cover both of them. It provides a framework for integrating resilience with the capability for effective responses that protects the interests of the organization's key stakeholders.
A. continuity of operations
B. business continuity management
C. risk management
D. enterprise management architecture
B


The "Safe Harbor" privacy framework was created to:
A. Ensure that personal information should be collected only for a stated purpose
by lawful and fair means and with the knowledge or consent of the subject
B. Provide a streamlined means for U.S. organizations to comply with European privacy laws
C. Require the federal government to release to citizens the procedures for how records are collected, maintained, used, and distributed
D. None of the above
B


The European Union's Directive on Data Protection forbids the transfer of individually identifiable information to a country outside the EU, unless:
A. The receiving country grants individuals adequate privacy protection.
B. The receiving country pays a fee to the EU.
C. There are no exceptions; no information is ever transferred.
D. The receiving country is a member of the Fair Trade Organization.
A


The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. How does this relate to technology
A. Cryptography is a dual-use tool.
B. Technology is used in weaponry systems.
C. Military actions directly relate to critical infrastructure systems.
D. Critical infrastructure systems can be at risk under this agreement.
A


Which world legal system of law is used in continental European countries, such as France and Spain, and is rule-based law, not precedence based?
A. Civil (code) law system
B. Common law system
C. Customary law system
D. Mixed law system
A


Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method?
A. Determining functions and identifying functional failures
B. Assessing the causes of failure and their failure effects through a structured process
C. Structured process carried out by an identified team to address high-level security compromises
D. Identifying where something is most likely going to break and either fixing the flaws that could cause this issue or implementing controls to reduce the impact of the break
C


A risk analysis can be carried out through qualitative or quantitative means. It is important to choose the right approach to meet the organization's goals. In a quantitative analysis, which of the following items would not be assigned a numeric value?
i. Asset value
ii. Threat frequency
iii. Severity of vulnerability
iv. Impact damage
v. Safeguard costs
vi. Safeguard effectiveness
vii. Probability

A. All of them
B. None of them
C. ii
D. vii
B


Uncovering restricted information by using permissible data is referred to as ____.
A. inference
B. data mining
C. perturbation
D. cell suppression
A


Tim recently started working at an organization with no defined security processes. One of the areas he'd like to improve is software patching. Consistent with the organizational culture, he is considering a decentralized or unmanaged model for patching. Which of the following is not one of the risks his organization would face with such a model?
A. This model typically requires users to have admin credentials, which violates the principle of least privilege.
B. It will be easier to ensure that all software is updated, since they will be configured to do so automatically.
C. It may be difficult (or impossible) to attest to the status of every application in the organization.
D. Having each application or service independently download the patches will lead to network congestion.
B


An attacker can modify the client-side JavaScript that provides structured layout and HTML representation. This commonly takes place through form fields within compromised web servers. Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking
B


COBIT and COSO can be used together, but have different goals and focuses. Which of the following is incorrect as it pertains to these two models?
i. COSO is a model for corporate governance, and COBIT is a model for IT governance.
ii. COSO deals more at the strategic level, while COBIT focuses more at the operational level.
iii. COBIT is a way to meet many of the COSO objectives, but only from the IT perspective.
iv. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

A. None
B. All
C. i, ii
D. ii, iii
A


Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability

In the scenario, what does the 24-hour time period represent and what does the 13-hour time period represent?
A. Maximum tolerable downtime, recovery time objective
B. Recovery time objective, maximum tolerable downtime
C. Maximum tolerable downtime, recovery data period
D. Recovery time objective, data recovery period
A


Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability

Which of the following best describes the type of solution Ron's team needs to
implement?
A. RAID and clustering
B. Storage area networks
C. High availability
D. Grid computing and clustering
C


1. Which of the following statements is true about the information life cycle?
A. The information life cycle begins with its archival and ends with its classification.
B. Most information must be retained indefinitely.
C. The information life cycle begins with its acquisition/creation and ends with
its disposal/destruction.
D. Preparing information for use does not typically involve adding metadata to it.
C


2. Ensuring data consistency is important for all the following reasons, except
A. Replicated data sets can become desynchronized.
B. Multiple data items are commonly needed to perform a transaction.
C. Data may exist in multiple locations within our information systems.
D. Multiple users could attempt to modify data simultaneously.
B


3. Which of the following makes the most sense for a single organization's
classification levels for data?
A. Unclassified, Secret, Top Secret
B. Public, Releasable, Unclassified
C. Sensitive, Sensitive But Unclassified (SBU), Proprietary
D. Proprietary, Trade Secret, Private
A


4. Which of the following is the most important criterion in determining the
classification of data?
A. The level of damage that could be caused if the data were disclosed
B. The likelihood that the data will be accidentally or maliciously disclosed
C. Regulatory requirements in jurisdictions within which the organization is
not operating
D. The cost of implementing controls for the data
A


5. The effect of data aggregation on classification levels is best described by which of
the following?
A. Data classification standards apply to all the data within an organization.
B. Aggregation is a disaster recovery technique with no effect on classification.
C. A low-classification aggregation of data can be deconstructed into higher-
classification data items.
D. Items of low-classification data combine to create a higher-classification set.
D


6. Who bears ultimate responsibility for the protection of assets within the
organization?
A. Data owners
B. Cyber insurance providers
C. Senior management
D. Security professionals
C


7. During which phase or phases of the information life cycle can cryptography be
an effective control?
A. Use
B. Archival
C. Disposal
D. All the above
D


8. A transition into the disposal phase of the information life cycle is most
commonly triggered by
A. Senior management
B. Insufficient storage
C. Acceptable use policies
D. Data retention policies
D


9. Information classification is most closely related to which of the following?
A. The source of the information
B. The information's destination
C. The information's value
D. The information's age
C


10. The data owner is most often described by all of the following except
A. Manager in charge of a business unit
B. Ultimately responsible for the protection of the data
C. Financially liable for the loss of the data
D. Ultimately responsible for the use of the data
C


11. Data at rest is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
D


12. Data in motion is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
C


13. Data in use is commonly
A. Using a RESTful protocol for transmission
B. Stored in registers
C. Being transmitted across the network
D. Stored in external storage devices
B


14. Who has the primary responsibility of determining the classification level for
information?
A. The functional manager
B. Senior management
C. The owner
D. The user
C


15. If different user groups with different security access levels need to access the
same information, which of the following actions should management take?
A. Decrease the security level on the information to ensure accessibility and
usability of the information.
B. Require specific written approval each time an individual needs to access the
information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.
C


16. What should management consider the most when classifying data?
A. The type of employees, contractors, and customers who will be accessing
the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data
B


17. Who is ultimately responsible for making sure data is classified and protected?
A. Data owners
B. Users
C. Administrators
D. Management
D


18. Which of the following requirements should the data retention policy address?
A. Legal
B. Regulatory
C. Operational
D. All the above
D


19. Which of the following is not addressed by the data retention policy?
A. What data to keep
B. For whom data is kept
C. How long data is kept
D. Where data is kept
B


20. Which of the following best describes an application of cryptography to protect
data at rest?
A. VPN
B. Degaussing
C. Whole-disk encryption
D. Up-to-date antivirus software
C


21. Which of the following best describes an application of cryptography to protect
data in motion?
A. Testing software against side-channel attacks
B. TLS
C. Whole-disk encryption
D. EDLP
B


22. Which of the following best describes the mitigation of data remanence by a
physical destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or
fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a
cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives
or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it
Unusable
D




Nâng cấp để gỡ bỏ quảng cáo
Chỉ 35,99 US$/năm
23. Which of the following best describes the mitigation of data remanence by a
degaussing destruction process?
A. Replacing the 1's and 0's that represent data on storage media with random or
fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a
cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives
or tapes
D. Exposing storage media to caustic or corrosive chemicals that render it
Unusable
C


24. Which of the following best describes the mitigation of data remanence by an
overwriting process?
A. Replacing the 1's and 0's that represent data on storage media with random or
fixed patterns of 1's and 0's
B. Converting the 1's and 0's that represent data with the output of a
cryptographic function
C. Removing or reducing the magnetic field patterns on conventional disk drives
or tapes
D. Exposing storage media to caustic or corrosive chemicals that render
it unusable
A