

CISSP Certified Information Systems Security Professional (CISSP) Questions and Answers

Question # 4

The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using

A.

INSERT and DELETE.

B.

GRANT and REVOKE.

C.

PUBLIC and PRIVATE.

D.

ROLLBACK and TERMINATE.

Question # 5

Which of the following actions will reduce risk to a laptop before traveling to a high risk area?

A.

Examine the device for physical tampering

B.

Implement more stringent baseline configurations

C.

Purge or re-image the hard disk drive

D.

Change access codes

Question # 6

All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that

A.

determine the risk of a business interruption occurring

B.

determine the technological dependence of the business processes

C.

identify the operational impacts of a business interruption

D.

identify the financial impacts of a business interruption

Question # 7

What is the MOST important consideration from a data security perspective when an organization plans to relocate?

A.

Ensure the fire prevention and detection systems are sufficient to protect personnel

B.

Review the architectural plans to determine how many emergency exits are present

C.

Conduct a gap analysis of the new facilities against existing security requirements

D.

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Question # 8

At a MINIMUM, audits of permissions to individual or group accounts should be scheduled

A.

annually

B.

to correspond with staff promotions

C.

to correspond with terminations

D.

continually

Question # 9

Why is planning in Disaster Recovery (DR) an iterative process?

A.

It details off-site storage plans

B.

It identifies omissions in the plan

C.

It defines the objectives of the plan

D.

It forms part of the awareness process

Question # 10

Which of the following would BEST support effective testing of patch compatibility when patches are applied to an organization’s systems?

A.

Standardized configurations for devices

B.

Standardized patch testing equipment

C.

Automated system patching

D.

Management support for patching

Question # 11

A company receives an email threat informing of an imminent Distributed Denial of Service (DDoS) attack targeting its web application unless a ransom is paid. Which of the following techniques BEST addresses that threat?

A.

Deploying load balancers to distribute inbound traffic across multiple data centers

B.

Setting up Web Application Firewalls (WAFs) to filter out malicious traffic

C.

Implementing reverse web-proxies to validate each new inbound connection

D.

Coordinating with and utilizing capabilities within the Internet Service Provider (ISP)

Question # 12

Which of the following is a common feature of an Identity as a Service (IDaaS) solution?

A.

Single Sign-On (SSO) authentication support

B.

Privileged user authentication support

C.

Password reset service support

D.

Terminal Access Controller Access Control System (TACACS) authentication support

Question # 13

The process of mutual authentication involves a computer system authenticating a user and authenticating the

A.

user to the audit process.

B.

computer system to the user.

C.

user's access to all authorized objects.

D.

computer system to the audit process.

Question # 14

Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?

A.

It has normalized severity ratings.

B.

It has many worksheets and practices to implement.

C.

It aims to calculate the risk of published vulnerabilities.

D.

It requires a robust risk management framework to be put in place.

Question # 15

A disadvantage of an application filtering firewall is that it can lead to

A.

a crash of the network as a result of user activities.

B.

performance degradation due to the rules applied.

C.

loss of packets on the network due to insufficient bandwidth.

D.

Internet Protocol (IP) spoofing by hackers.

Question # 16

An organization is selecting a service provider to assist in the consolidation of multiple computing sites including development, implementation and ongoing support of various computer systems. Which of the following MUST be verified by the Information Security Department?

A.

The service provider's policies are consistent with ISO/IEC 27001 and there is evidence that the service provider is following those policies.

B.

The service provider will segregate the data within its systems and ensure that each region's policies are met.

C.

The service provider will impose controls and protections that meet or exceed the current systems controls and produce audit logs as verification.

D.

The service provider's policies can meet the requirements imposed by the new environment even if they differ from the organization's current policies.

Question # 17

Which one of the following describes granularity?

A.

Maximum number of entries available in an Access Control List (ACL)

B.

Fineness to which a trusted system can authenticate users

C.

Number of violations divided by the number of total accesses

D.

Fineness to which an access control system can be adjusted

Question # 18

What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?

A.

Physical access to the electronic hardware

B.

Regularly scheduled maintenance process

C.

Availability of the network connection

D.

Processing delays

Question # 19

Which of the following MUST be done when promoting a security awareness program to senior management?

A.

Show the need for security; identify the message and the audience

B.

Ensure that the security presentation is designed to be all-inclusive

C.

Notify them that their compliance is mandatory

D.

Explain how hackers have enhanced information security

Question # 20

During an audit of system management, auditors find that the system administrator has not been trained. What actions need to be taken at once to ensure the integrity of systems?

A.

A review of hiring policies and methods of verification of new employees

B.

A review of all departmental procedures

C.

A review of all training procedures to be undertaken

D.

A review of all systems by an experienced administrator

Question # 21

The Hardware Abstraction Layer (HAL) is implemented in the

A.

system software.

B.

system hardware.

C.

application software.

D.

network hardware.

Question # 22

Which of the following does the Encapsulating Security Payload (ESP) provide?

A.

Authorization and integrity

B.

Availability and integrity

C.

Integrity and confidentiality

D.

Authorization and confidentiality

Question # 23

Which of the following statements is TRUE of black box testing?

A.

Only the functional specifications are known to the test planner.

B.

Only the source code and the design documents are known to the test planner.

C.

Only the source code and functional specifications are known to the test planner.

D.

Only the design documents and the functional specifications are known to the test planner.

Question # 24

The BEST method of demonstrating a company's security level to potential customers is

A.

a report from an external auditor.

B.

responding to a customer's security questionnaire.

C.

a formal report from an internal auditor.

D.

a site visit by a customer's security team.

Question # 25

By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the

A.

confidentiality of the traffic is protected.

B.

opportunity to sniff network traffic exists.

C.

opportunity for device identity spoofing is eliminated.

D.

storage devices are protected against availability attacks.

Question # 26

Which of the following System and Organization Controls (SOC) report types should an organization request if it requires a period-of-time report covering security and availability for a particular system?

A.

SOC 1 Type 1

B.

SOC 1 Type 2

C.

SOC 2 Type 1

D.

SOC 2 Type 2

Question # 27

Organization A is adding a large collection of confidential data records that it received when it acquired Organization B to its data store. Many of the users and staff from Organization B are no longer available. Which of the following MUST Organization A do to properly classify and secure the acquired data?

A.

Assign data owners from Organization A to the acquired data.

B.

Create placeholder accounts that represent former users from Organization B.

C.

Archive audit records that refer to users from Organization A.

D.

Change the data classification for data acquired from Organization B.

Question # 28

Which of the following will help identify the source Internet Protocol (IP) address of malware being executed on a computer?

A.

List of open network connections

B.

Display Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration information.

C.

List of running processes

D.

Display the Address Resolution Protocol (ARP) table.
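The open-connection listing is the answer here because it pairs each socket's remote endpoint with the owning process ID; the TCP/IP configuration and the ARP table only describe the local host and its neighbours. The following is an added example, not part of the original exam material: it parses a constructed listing in the layout of Windows `netstat -ano` (Proto, Local Address, Foreign Address, State, PID) together with a constructed PID-to-image map such as `tasklist` would give, and reports which remote hosts a named process is talking to. The column layout is an assumption specific to that format; other platforms lay the output out differently.

```python
"""Pair open network connections with their owning process.

Added example for this page, not part of the original exam material. The netstat
listing and the process map below are constructed sample data in the Windows
`netstat -ano` layout (assumed); the regex is specific to that layout.
"""
import re
from collections import defaultdict

# Constructed sample output: PID 4120 holds two outbound sessions.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49713     198.51.100.7:8080      ESTABLISHED     4120
  TCP    192.168.1.20:49801     192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1288
"""

# Constructed sample process list (PID -> image name), as tasklist would report it.
SAMPLE_PROCESSES = {4: "System", 912: "svchost.exe", 1288: "chrome.exe", 4120: "updater.exe"}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def remote_endpoints_by_pid(netstat_text):
    """Return {pid: [(remote_ip, remote_port, state), ...]}, skipping listeners and
    wildcard sockets, which have no peer address to report."""
    result = defaultdict(list)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        remote = m.group("remote")
        if remote.startswith(("0.0.0.0:", "*:", "[::]:")):
            continue
        ip, _, port = remote.rpartition(":")
        result[int(m.group("pid"))].append((ip, int(port), m.group("state") or ""))
    return dict(result)


def peers_for_process(netstat_text, processes, image_name):
    """Remote IPs for every PID whose image name matches, case-insensitively."""
    by_pid = remote_endpoints_by_pid(netstat_text)
    pids = [pid for pid, name in processes.items() if name.lower() == image_name.lower()]
    return sorted({ip for pid in pids for ip, _, _ in by_pid.get(pid, [])})


if __name__ == "__main__":
    print(peers_for_process(SAMPLE_NETSTAT, SAMPLE_PROCESSES, "updater.exe"))
```

On a live host the connection table changes constantly, so capture it (and the process list) as early as possible in the triage and preserve the raw output alongside the parsed result.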

Question # 29

Which of the following processes has the PRIMARY purpose of identifying outdated software versions, missing patches, and lapsed system updates?

A.

Penetration testing

B.

Vulnerability management

C.

Software Development Life Cycle (SDLC)

D.

Life cycle management

Question # 30

When implementing a data classification program, why is it important to avoid too much granularity?

A.

The process will require too many resources

B.

It will be difficult to apply to both hardware and software

C.

It will be difficult to assign ownership to the data

D.

The process will be perceived as having value

Question # 31

Which one of the following affects the classification of data?

A.

Assigned security label

B.

Multilevel Security (MLS) architecture

C.

Minimum query size

D.

Passage of time

Question # 32

Which one of the following can be used to detect an anomaly in a system by keeping track of the state of files that do not normally change?

A.

System logs

B.

Anti-spyware

C.

Integrity checker

D.

Firewall logs

Question # 33

What BEST describes the confidentiality, integrity, availability triad?

A.

A tool used to assist in understanding how to protect the organization's data

B.

The three-step approach to determine the risk level of an organization

C.

The implementation of security systems to protect the organization's data

D.

A vulnerability assessment to see how well the organization's data is protected

Question # 34

The use of private and public encryption keys is fundamental in the implementation of which of the following?

A.

Diffie-Hellman algorithm

B.

Secure Sockets Layer (SSL)

C.

Advanced Encryption Standard (AES)

D.

Message Digest 5 (MD5)

Question # 35

Who in the organization is accountable for classification of data information assets?

A.

Data owner

B.

Data architect

C.

Chief Information Security Officer (CISO)

D.

Chief Information Officer (CIO)

Question # 36

Which security service is served by the process of encrypting plaintext with the sender's private key and decrypting the ciphertext with the sender's public key?

A.

Confidentiality

B.

Integrity

C.

Identification

D.

Availability
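Transforming a message (in practice, its hash) with the sender's private key so that anyone can reverse it with the sender's public key is a digital signature; the exam files it under integrity, and it also gives origin authentication and non-repudiation. It gives no confidentiality at all, since the public key is public. The following is an added example, not part of the original exam material: textbook RSA over a SHA-256 digest, with a fixed key built from two Mersenne primes so that it runs offline and deterministically. It illustrates the mechanism only; real systems use a vetted library and a padded scheme such as RSA-PSS, or Ed25519.

```python
"""Sign with the private key, verify with the public key.

Added example for this page, not part of the original exam material. Textbook RSA
(no padding) over a SHA-256 digest, with a constructed fixed key: an illustration
of the mechanism, not a production signature scheme.
"""
import hashlib

P = 2**127 - 1    # Mersenne prime M127 (constructed key material)
Q = 2**107 - 1    # Mersenne prime M107
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Public key (n, e), private key (n, d) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse; Python 3.8+
    return (n, e), (n, d)


def digest_as_int(message, n):
    """SHA-256 of the message, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """'Encrypt' the digest with the private exponent."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """'Decrypt' with the public exponent and compare to a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


def recover_digest(signature, public_key):
    """Anyone with the public key can undo the signing step: it hides nothing."""
    n, e = public_key
    return pow(signature, e, n)


def demo():
    public, private = make_keypair()
    msg = b"transfer 100 to account 42"      # constructed message
    sig = sign(msg, private)
    return {
        "genuine_verifies": verify(msg, sig, public),
        "tampered_verifies": verify(b"transfer 900 to account 42", sig, public),
        "digest_recoverable_with_public_key": recover_digest(sig, public) == digest_as_int(msg, public[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the point the question turns on: the public key recovers exactly what was signed, so this operation cannot protect secrecy; it protects against undetected modification and lets the receiver attribute the message to the holder of the private key.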

Question # 37

Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?

A.

Hashing the data before encryption

B.

Hashing the data after encryption

C.

Compressing the data after encryption

D.

Compressing the data before encryption

Question # 38

What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?

A.

Implementation Phase

B.

Initialization Phase

C.

Cancellation Phase

D.

Issued Phase

Question # 39

Which of the following mobile code security models relies only on trust?

A.

Code signing

B.

Class authentication

C.

Sandboxing

D.

Type safety

Question # 40

What is the purpose of an Internet Protocol (IP) spoofing attack?

A.

To send excessive amounts of data to a process, making it unpredictable

B.

To intercept network traffic without authorization

C.

To disguise the destination address from a target’s IP filtering devices

D.

To convince a system that it is communicating with a known entity

Question # 41

An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?

A.

Implement packet filtering on the network firewalls

B.

Install Host Based Intrusion Detection Systems (HIDS)

C.

Require strong authentication for administrators

D.

Implement logical network segmentation at the switches

Question # 42

Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?

A.

WEP uses a small range Initialization Vector (IV)

B.

WEP uses Message Digest 5 (MD5)

C.

WEP uses Diffie-Hellman

D.

WEP does not use any Initialization Vector (IV)
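WEP's 24-bit Initialization Vector is prepended to the shared key to seed RC4, and the IV itself travels in the clear. With only 2^24 values, a busy network repeats an IV within hours, and two frames encrypted under the same IV and key share the same keystream, so XORing the ciphertexts yields the XOR of the plaintexts with no key recovery at all. The following is an added example, not part of the original exam material: RC4 implemented inline, the birthday-bound estimate of how soon a repeat is expected, a seeded simulation of random IV selection, and the keystream-reuse leak on constructed frames under a constructed 40-bit key.

```python
"""Why a 24-bit IV cripples WEP: repeats come fast, and a repeated IV under the same
key re-uses the RC4 keystream.

Added example for this page, not part of the original exam material. RC4 is
implemented inline; the key, IV and frames are constructed.
"""
import math
import random


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling, then `length` bytes of pseudo-random output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, plaintext):
    """WEP seeds RC4 with IV || key and sends the 3-byte IV in the clear."""
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def frames_for_repeat_probability(iv_bits=24, probability=0.5):
    """Birthday bound: frames after which some IV has repeated with this probability."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


def first_iv_repeat(iv_bits=24, seed=1):
    """Simulate a station picking IVs at random; count frames until the first repeat."""
    rng = random.Random(seed)
    seen = set()
    for frames in range(1, 2 ** iv_bits + 2):
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return frames
        seen.add(iv)


def demo_iv_reuse():
    """Two frames, one key, same IV: c1 XOR c2 == p1 XOR p2, and knowing one
    plaintext (a guessable request) hands over the other. No key needed."""
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x10\x20\x30"                   # constructed IV that repeats
    p1 = b"GET /index.html HTTP/1.0"       # guessable frame
    p2 = b"PUT /secret.txt HTTP/1.0"       # frame the attacker wants
    c1 = wep_encrypt(iv, key, p1)[3:]      # strip the cleartext IV
    c2 = wep_encrypt(iv, key, p2)[3:]
    leaked = xor(c1, c2)
    return leaked == xor(p1, p2), xor(leaked, p1) == p2


if __name__ == "__main__":
    print(round(frames_for_repeat_probability()), first_iv_repeat(), demo_iv_reuse())
```

The birthday bound gives roughly 4,800 frames for a 50% chance of a repeat; many WEP cards made matters worse by resetting the IV to zero on power-up and counting upward, so collisions were not even random. WPA2/WPA3 avoid the problem with per-packet keys and much larger nonces.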

Question # 43

Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?

A.

Intrusion Prevention Systems (IPS)

B.

Intrusion Detection Systems (IDS)

C.

Stateful firewalls

D.

Network Behavior Analysis (NBA) tools

Question # 44

In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?

A.

Transport layer

B.

Application layer

C.

Network layer

D.

Session layer

Question # 45

At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?

A.

Link layer

B.

Physical layer

C.

Session layer

D.

Application layer

Question # 46

Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?

A.

Layer 2 Tunneling Protocol (L2TP)

B.

Link Control Protocol (LCP)

C.

Challenge Handshake Authentication Protocol (CHAP)

D.

Packet Transfer Protocol (PTP)

Question # 47

Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?

A.

Packet filtering

B.

Port services filtering

C.

Content filtering

D.

Application access control

Question # 48

An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?

A.

Add a new rule to the application layer firewall

B.

Block access to the service

C.

Install an Intrusion Detection System (IDS)

D.

Patch the application source code

Question # 49

Refer to the information below to answer the question.

A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.

Which of the following could have MOST likely prevented the Peer-to-Peer (P2P) program from being installed on the computer?

A.

Removing employee's full access to the computer

B.

Supervising their child's use of the computer

C.

Limiting computer's access to only the employee

D.

Ensuring employee understands their business conduct guidelines

Question # 50

Which of the following is the MOST effective attack against cryptographic hardware modules?

A.

Plaintext

B.

Brute force

C.

Power analysis

D.

Man-in-the-middle (MITM)
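Power analysis is the effective attack on hardware modules because the key never has to be guessed: a naive implementation's current draw differs between a modular squaring and a modular multiplication, and square-and-multiply performs the multiplication only for 1-bits of the private exponent, so one power trace spells out the key. The following is an added example, not part of the original exam material, that models this with an operation trace instead of real measurements: a leaky exponentiation, the attacker's bit-recovery from its trace, and a Montgomery-ladder variant whose operation sequence is the same for every key. All numbers are constructed.

```python
"""Simple power analysis against square-and-multiply, modelled as an operation trace.

Added example for this page, not part of the original exam material. Each modular
operation appends a symbol to a list standing in for the distinguishable
square/multiply shapes in a real power trace. Modulus, base and exponent are
constructed.
"""


def modexp_square_and_multiply(base, exponent, modulus, trace):
    """Left-to-right binary exponentiation: a squaring per bit, a multiply only for 1-bits."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result


def recover_exponent(trace):
    """Attacker side: every 'S' opens a new bit (0); an 'M' right after it makes it 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append(0)
        elif op == "M":
            bits[-1] = 1
    return int("".join(map(str, bits)), 2) if bits else 0


def modexp_montgomery_ladder(base, exponent, modulus, trace, bit_length):
    """Each iteration does exactly one multiply and one square whatever the bit is, so
    the operation sequence is key-independent. (A hardened device also removes the
    data-dependent branch with a constant-time conditional swap; omitted here.)"""
    r0, r1 = 1, base % modulus
    for i in range(bit_length - 1, -1, -1):
        if (exponent >> i) & 1 == 0:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        else:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        trace.extend(["M", "S"])
    return r0


def demo():
    secret_d = 0b1011010011        # constructed 10-bit "private exponent"
    n, m = 1000003, 7              # constructed modulus and message
    leaky_trace, ladder_trace = [], []
    leaky = modexp_square_and_multiply(m, secret_d, n, leaky_trace)
    ladder = modexp_montgomery_ladder(m, secret_d, n, ladder_trace, secret_d.bit_length())
    return {
        "both_correct": leaky == ladder == pow(m, secret_d, n),
        "key_recovered_from_leaky_trace": recover_exponent(leaky_trace) == secret_d,
        "ladder_trace_is_key_independent": ladder_trace == ["M", "S"] * secret_d.bit_length(),
    }


if __name__ == "__main__":
    print(demo())
```

Differential power analysis goes further and statistically correlates many traces with hypothesised key bits even when the operation sequence is uniform, which is why certified modules add noise, randomised blinding and, for HSMs and smart cards, physical shielding and tamper response.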

Question # 51

Which of the following is a detective access control mechanism?

A.

Log review

B.

Least privilege

C.

Password complexity

D.

Non-disclosure agreement

Question # 52

In which of the following programs is it MOST important to include the collection of security process data?

A.

Quarterly access reviews

B.

Security continuous monitoring

C.

Business continuity testing

D.

Annual security training

Question # 53

Which of the following could cause a Denial of Service (DoS) against an authentication system?

A.

Encryption of audit logs

B.

No archiving of audit logs

C.

Hashing of audit logs

D.

Remote access audit logs

Question # 54

Which of the following is the MOST important consideration when developing a Disaster Recovery Plan (DRP)?

A.

The dynamic reconfiguration of systems

B.

The cost of downtime

C.

A recovery strategy for all business processes

D.

A containment strategy

Question # 55

When designing a vulnerability test, which one of the following is likely to give the BEST indication of what components currently operate on the network?

A.

Topology diagrams

B.

Mapping tools

C.

Asset register

D.

Ping testing

Question # 56

In which identity management process is the subject’s identity established?

A.

Trust

B.

Provisioning

C.

Authorization

D.

Enrollment

Question # 57

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

A.

To force the software to fail and document the process

B.

To find areas of compromise in confidentiality and integrity

C.

To allow for objective pass or fail decisions

D.

To identify malware or hidden code within the test results

Question # 58

A vulnerability in which of the following components would be MOST difficult to detect?

A.

Kernel

B.

Shared libraries

C.

Hardware

D.

System application

Question # 59

During which of the following processes is least privilege implemented for a user account?

A.

Provision

B.

Approve

C.

Request

D.

Review

Question # 60

Determining outage costs caused by a disaster can BEST be measured by the

A.

cost of redundant systems and backups.

B.

cost to recover from an outage.

C.

overall long-term impact of the outage.

D.

revenue lost during the outage.

Question # 61

An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?

A.

Third-party vendor with access to the system

B.

System administrator access compromised

C.

Internal attacker with access to the system

D.

Internal user accidentally accessing data

Question # 62

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

A.

Use an impact-based approach.

B.

Use a risk-based approach.

C.

Use a criticality-based approach.

D.

Use a threat-based approach.

Question # 63

In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of

A.

systems integration.

B.

risk management.

C.

quality assurance.

D.

change management.

Question # 64

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following control categories does this company need to improve when analyzing its processes individually?

A.

Asset Management, Business Environment, Governance and Risk Assessment

B.

Access Control, Awareness and Training, Data Security and Maintenance

C.

Anomalies and Events, Security Continuous Monitoring and Detection Processes

D.

Recovery Planning, Improvements and Communications

Question # 65

Which of the following BEST describes a chosen plaintext attack?

A.

The cryptanalyst can generate ciphertext from arbitrary text.

B.

The cryptanalyst examines the communication being sent back and forth.

C.

The cryptanalyst can choose the key and algorithm to mount the attack.

D.

The cryptanalyst is presented with the ciphertext from which the original message is determined.

Question # 66

Which of the following adds end-to-end security inside a Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPSec) connection?

A.

Temporal Key Integrity Protocol (TKIP)

B.

Secure Hash Algorithm (SHA)

C.

Secure Shell (SSH)

D.

Transport Layer Security (TLS)

Question # 67

Which of the following is MOST important when deploying digital certificates?

A.

Validate compliance with X.509 digital certificate standards

B.

Establish a certificate life cycle management framework

C.

Use a third-party Certificate Authority (CA)

D.

Use no less than 256-bit strength encryption when creating a certificate

Question # 68

Although code written in a specific programming language may not be susceptible to a buffer overflow attack,

A.

most calls to plug-in programs are susceptible.

B.

most supporting application code is susceptible.

C.

the graphical images used by the application could be susceptible.

D.

the supporting virtual machine could be susceptible.

Question # 69

A continuous information security monitoring program can BEST reduce risk through which of the following?

A.

Collecting security events and correlating them to identify anomalies

B.

Facilitating system-wide visibility into the activities of critical user accounts

C.

Encompassing people, process, and technology

D.

Logging both scheduled and unscheduled system changes

Question # 70

Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations?

A.

Walkthrough

B.

Simulation

C.

Parallel

D.

White box

Question # 71

An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause?

A.

Absence of a Business Intelligence (BI) solution

B.

Inadequate cost modeling

C.

Improper deployment of the Service-Oriented Architecture (SOA)

D.

Insufficient Service Level Agreement (SLA)

Question # 72

A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?

A.

Guaranteed recovery of all business functions

B.

Minimization of the need for decision making during a crisis

C.

Insurance against litigation following a disaster

D.

Protection from loss of organization resources

Question # 73

What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?

A.

Take the computer to a forensic lab

B.

Make a copy of the hard drive

C.

Start documenting

D.

Turn off the computer

Question # 74

What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?

A.

Disable all unnecessary services

B.

Ensure chain of custody

C.

Prepare another backup of the system

D.

Isolate the system from the network

Question # 75

Intellectual property rights are PRIMARILY concerned with which of the following?

A.

Owner’s ability to realize financial gain

B.

Owner’s ability to maintain copyright

C.

Right of the owner to enjoy their creation

D.

Right of the owner to control delivery method

Question # 76

An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?

A.

Development, testing, and deployment

B.

Prevention, detection, and remediation

C.

People, technology, and operations

D.

Certification, accreditation, and monitoring

Question # 77

Which of the following represents the GREATEST risk to data confidentiality?

A.

Network redundancies are not implemented

B.

Security awareness training is not completed

C.

Backup tapes are generated unencrypted

D.

Users have administrative privileges

Question # 78

Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?

A.

Install mantraps at the building entrances

B.

Enclose the personnel entry area with polycarbonate plastic

C.

Supply a duress alarm for personnel exposed to the public

D.

Hire a guard to protect the public area

Question # 79

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center is preparing a companywide Business Continuity Plan (BCP). Which of the following failures should the IT manager be concerned with?

A.

Application

B.

Storage

C.

Power

D.

Network

Question # 80

When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

A.

Only when assets are clearly defined

B.

Only when standards are defined

C.

Only when controls are put in place

D.

Only when procedures are defined

Question # 81

Which of the following is the MOST appropriate action when reusing media that contains sensitive data?

A.

Erase

B.

Sanitize

C.

Encrypt

D.

Degauss

Question # 82

Which of the following is a responsibility of a data steward?

A.

Ensure alignment of the data governance effort to the organization.

B.

Conduct data governance interviews with the organization.

C.

Document data governance requirements.

D.

Ensure that data decisions and impacts are communicated to the organization.

Question # 83

Which of the following MUST be scalable to address security concerns raised by the integration of third-party identity services?

A.

Mandatory Access Controls (MAC)

B.

Enterprise security architecture

C.

Enterprise security procedures

D.

Role Based Access Controls (RBAC)

Question # 84

An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?

A.

The Data Protection Authority (DPA)

B.

The Cloud Service Provider (CSP)

C.

The application developers

D.

The data owner

Question # 85

What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?

A.

In a dedicated Demilitarized Zone (DMZ)

B.

In its own separate Virtual Local Area Network (VLAN)

C.

At the Internet Service Provider (ISP)

D.

Outside the external firewall

Question # 86

Who is accountable for the information within an Information System (IS)?

A.

Security manager

B.

System owner

C.

Data owner

D.

Data processor

Question # 87

An organization's security policy delegates to the data owner the ability to assign which user roles have access to a particular resource. What type of authorization mechanism is being used?

A.

Discretionary Access Control (DAC)

B.

Role Based Access Control (RBAC)

C.

Media Access Control (MAC)

D.

Mandatory Access Control (MAC)

Question # 88

In a High Availability (HA) environment, what is the PRIMARY goal of working with a virtual router address as the gateway to a network?

A.

The second of two routers can periodically check in to make sure that the first router is operational.

B.

The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is present.

C.

The first of two routers fails and is reinstalled, while the second handles the traffic flawlessly.

D.

The first of two routers can better handle specific traffic, while the second handles the rest of the traffic seamlessly.

Question # 89

What is the correct order of steps in an information security assessment?

Place the information security assessment steps on the left next to the numbered boxes on the right in the correct order.

Question # 90

Which of the following is the BEST reason for writing an information security policy?

A.

To support information security governance

B.

To reduce the number of audit findings

C.

To deter attackers

D.

To implement effective information security controls

Question # 91

Which of the following could elicit a Denial of Service (DoS) attack against a credential management system?

A.

Delayed revocation or destruction of credentials

B.

Modification of Certificate Revocation List

C.

Unauthorized renewal or re-issuance

D.

Token use after decommissioning

Question # 92

For privacy protected data, which of the following roles has the highest authority for establishing dissemination rules for the data?

A.

Information Systems Security Officer

B.

Data Owner

C.

System Security Architect

D.

Security Requirements Analyst

Question # 93

During a fingerprint verification process, which of the following is used to verify identity and authentication?

A.

A pressure value is compared with a stored template

B.

Sets of digits are matched with stored values

C.

A hash table is matched to a database of stored values

D.

A template of minutiae is compared with a stored template

Question # 94

Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?

A.

Discretionary Access Control (DAC) procedures

B.

Mandatory Access Control (MAC) procedures

C.

Data link encryption

D.

Segregation of duties

Question # 95

What security risk does the role-based access approach mitigate MOST effectively?

A.

Excessive access rights to systems and data

B.

Segregation of duties conflicts within business applications

C.

Lack of system administrator activity monitoring

D.

Inappropriate access requests

Question # 96

Secure Sockets Layer (SSL) encryption protects

A.

data at rest.

B.

the source IP address.

C.

data transmitted.

D.

data availability.

Question # 97

Retaining system logs for six months or longer can be valuable for what activities?

A.

Disaster recovery and business continuity

B.

Forensics and incident response

C.

Identity and authorization management

D.

Physical and logical access control

Question # 98

Are companies legally required to report all data breaches?

A.

No, different jurisdictions have different rules.

B.

No, not if the data is encrypted.

C.

No, companies' codes of ethics don't require it.

D.

No, only if the breach had a material impact.

Question # 99

The 802.1X standard provides a framework for what?

A.

Network authentication for only wireless networks

B.

Network authentication for wired and wireless networks

C.

Wireless encryption using the Advanced Encryption Standard (AES)

D.

Wireless network encryption using Secure Sockets Layer (SSL)

Question # 100

Which of the following entities is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider?

A.

Data owner

B.

Data steward

C.

Data custodian

D.

Data processor

Question # 101

In which order, from MOST to LEAST impacted, does user awareness training reduce the occurrence of the events below?

Question # 102

What is the MOST effective method of testing custom application code?

A.

Negative testing

B.

White box testing

C.

Penetration testing

D.

Black box testing

Question # 103

The BEST example of the concept of "something that a user has" when providing an authorized user access to a computing system is

A.

the user's hand geometry.

B.

a credential stored in a token.

C.

a passphrase.

D.

the user's face.

Question # 104

Which of the following is a function of Security Assertion Markup Language (SAML)?

A.

File allocation

B.

Redundancy check

C.

Extended validation

D.

Policy enforcement

Question # 105

Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?

A.

dig

B.

ifconfig

C.

ipconfig

D.

nbtstat

Question # 106

What is the PRIMARY reason for ethics awareness and related policy implementation?

A.

It affects the workflow of an organization.

B.

It affects the reputation of an organization.

C.

It affects the retention rate of employees.

D.

It affects the morale of the employees.

Question # 107

If an attacker in a SYN flood attack uses someone else's valid host address as the source address, the system under attack will send a large number of Synchronize/Acknowledge (SYN/ACK) packets to the

A.

default gateway.

B.

attacker's address.

C.

local interface being attacked.

D.

specified source address.

Question # 108

During an investigation of database theft from an organization's web site, it was determined that the Structured Query Language (SQL) injection technique was used despite input validation with client-side scripting. Which of the following provides the GREATEST protection against the same attack occurring again?

A.

Encrypt communications between the servers

B.

Encrypt the web server traffic

C.

Implement server-side filtering

D.

Filter outgoing traffic at the perimeter firewall

Question # 109

Which of the following is the MOST crucial for a successful audit plan?

A.

Defining the scope of the audit to be performed

B.

Identifying the security controls to be implemented

C.

Working with the system owner on new controls

D.

Acquiring evidence of systems that are not compliant

Question # 110

Refer to the information below to answer the question.

A large, multinational organization has decided to outsource a portion of their Information Technology (IT) organization to a third-party provider’s facility. This provider will be responsible for the design, development, testing, and support of several critical, customer-based applications used by the organization.

What additional considerations are there if the third party is located in a different country?

A.

The organizational structure of the third party and how it may impact timelines within the organization

B.

The ability of the third party to respond to the organization in a timely manner and with accurate information

C.

The effects of transborder data flows and customer expectations regarding the storage or processing of their data

D.

The quantity of data that must be provided to the third party and how it is to be used

Question # 111

Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

A.

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

B.

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

C.

Management teams will understand the testing objectives and reputational risk to the organization

D.

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Question # 112

What is the MAIN feature that onion routing networks offer?

A.

Non-repudiation

B.

Traceability

C.

Anonymity

D.

Resilience

Question # 113

Which of the following is of GREATEST assistance to auditors when reviewing system configurations?

A.

Change management processes

B.

User administration procedures

C.

Operating System (OS) baselines

D.

System backup documentation

Question # 114

A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user’s access to data files?

A.

Host VM monitor audit logs

B.

Guest OS access controls

C.

Host VM access controls

D.

Guest OS audit logs

Question # 115

An organization needs a general purpose document to prove that its internal controls properly address security, availability, processing integrity, confidentiality or privacy risks. Which of the following reports is required?

A.

A Service Organization Control (SOC) 3 report

B.

The Statement on Standards for Attestation Engagements No. 18 (SSAE 18)

C.

A Service Organization Control (SOC) 2 report

D.

The International Organization for Standardization (ISO) 27001

Question # 116

Which of the following BEST describes the purpose of the reference monitor when defining access control to enforce the security model?

A.

Quality design principles to ensure quality by design

B.

Policies to validate organization rules

C.

Cyber hygiene to ensure organizations can keep systems healthy

D.

Strong operational security to keep unit members safe

Question # 117

The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys?

A.

Physically secured storage device

B.

Encrypted flash drive

C.

Public key infrastructure (PKI)

D.

Trusted Platform Module (TPM)

Question # 118

How does security in a distributed file system using mutual authentication differ from file security in a multi-user host?

A.

Access control can rely on the Operating System (OS), but eavesdropping is

B.

Access control cannot rely on the Operating System (OS), and eavesdropping

C.

Access control can rely on the Operating System (OS), and eavesdropping is

D.

Access control cannot rely on the Operating System (OS), and eavesdropping

Question # 119

Secure coding can be developed by applying which one of the following?

A.

Applying the organization's acceptable use guidance

B.

Applying the industry best practice coding guidelines

C.

Applying rapid application development (RAD) coding

D.

Applying the organization's web application firewall (WAF) policy

Question # 120

A large organization uses biometrics to allow access to its facilities. It adjusts the biometric value for incorrectly granting or denying access so that the two numbers are the same.

What is this value called?

A.

False Rejection Rate (FRR)

B.

Accuracy acceptance threshold

C.

Equal error rate

D.

False Acceptance Rate (FAR)

Question # 121

Which of the following VPN configurations should be used to separate Internet and corporate traffic?

A.

Split-tunnel

B.

Remote desktop gateway

C.

Site-to-site

D.

Out-of-band management

Question # 122

Digital non-repudiation requires which of the following?

A.

A trusted third-party

B.

Appropriate corporate policies

C.

Symmetric encryption

D.

Multifunction access cards

Question # 123

Which of the following is the FIRST requirement a data owner should consider before implementing a data retention policy?

A.

Training

B.

Legal

C.

Business

D.

Storage

Question # 124

Which of the following is the top barrier for companies to adopt cloud technology?

A.

Migration period

B.

Data integrity

C.

Cost

D.

Security

Question # 125

Which of the following is MOST important to follow when developing information security controls for an organization?

A.

Exercise due diligence with regard to all risk management information to tailor appropriate controls.

B.

Perform a risk assessment and choose a standard that addresses existing gaps.

C.

Use industry standard best practices for security controls in the organization.

D.

Review all local and international standards and choose the most stringent based on location.

Question # 126

How should the retention period for an organization's social media content be defined?

A.

Wireless Access Points (AP)

B.

Token-based authentication

C.

Host-based firewalls

D.

Trusted platforms

Question # 127

Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system?

A.

Time separation

B.

Trusted Computing Base (TCB)

C.

Reference monitor

D.

Security kernel

Question # 128

Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?

A.

Derived credential

B.

Temporary security credential

C.

Mobile device credentialing service

D.

Digest authentication

Question # 129

What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?

A.

Audit logs

B.

Role-Based Access Control (RBAC)

C.

Two-factor authentication

D.

Application of least privilege

Question # 130

Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee’s salary?

A.

Limit access to predefined queries

B.

Segregate the database into a small number of partitions each with a separate security level

C.

Implement Role Based Access Control (RBAC)

D.

Reduce the number of people who have access to the system for statistical purposes

Question # 131

A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?

A.

Trusted third-party certification

B.

Lightweight Directory Access Protocol (LDAP)

C.

Security Assertion Markup Language (SAML)

D.

Cross-certification

Question # 132

What is the BEST approach to addressing security issues in legacy web applications?

A.

Debug the security issues

B.

Migrate to newer, supported applications where possible

C.

Conduct a security assessment

D.

Protect the legacy application with a web application firewall

Question # 133

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

A.

Check arguments in function calls

B.

Test for the security patch level of the environment

C.

Include logging functions

D.

Digitally sign each application module

Question # 134

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

A.

Lack of software documentation

B.

License agreements requiring release of modified code

C.

Expiration of the license agreement

D.

Costs associated with support of the software

Question # 135

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

A.

After the system preliminary design has been developed and the data security categorization has been performed

B.

After the vulnerability analysis has been performed and before the system detailed design begins

C.

After the system preliminary design has been developed and before the data security categorization begins

D.

After the business functional analysis and the data security categorization have been performed

Question # 136

Which of the following is the BEST method to prevent malware from being introduced into a production environment?

A.

Purchase software from a limited list of retailers

B.

Verify the hash key or certificate key of all updates

C.

Do not permit programs, patches, or updates from the Internet

D.

Test all new software in a segregated environment

Question # 137

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

A.

System acquisition and development

B.

System operations and maintenance

C.

System initiation

D.

System implementation

Question # 138

A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?

A.

Least privilege

B.

Privilege escalation

C.

Defense in depth

D.

Privilege bracketing

Question # 139

Which of the following BEST describes the responsibilities of a data owner?

A.

Ensuring quality and validation through periodic audits for ongoing data integrity

B.

Maintaining fundamental data availability, including data storage and archiving

C.

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

D.

Determining the impact the information has on the mission of the organization

Question # 140

Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

A.

Personal Identity Verification (PIV)

B.

Cardholder Unique Identifier (CHUID) authentication

C.

Physical Access Control System (PACS) repeated attempt detection

D.

Asymmetric Card Authentication Key (CAK) challenge-response

Question # 141

In a data classification scheme, the data is owned by the

A.

system security managers

B.

business managers

C.

Information Technology (IT) managers

D.

end users

Question # 142

Which of the following is MOST important when assigning ownership of an asset to a department?

A.

The department should report to the business owner

B.

Ownership of the asset should be periodically reviewed

C.

Individual accountability should be ensured

D.

All members should be trained on their responsibilities

Question # 143

Which of the following is an initial consideration when developing an information security management system?

A.

Identify the contractual security obligations that apply to the organizations

B.

Understand the value of the information assets

C.

Identify the level of residual risk that is tolerable to management

D.

Identify relevant legislative and regulatory compliance requirements
