Chapter 1 Master Flashcards

1
Q

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?

A. Gamification
B. Computer-based training
C. Content reviews
D. Live training

A

C. Content reviews

2
Q

Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?

A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk

A

B. Residual risk

3
Q

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?

A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm-Leach-Bliley Act

A

C. Digital Millennium Copyright Act

4
Q

FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability

A

C. The right to be forgotten

5
Q
After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?

A. Accept
B. Transfer
C. Reduce
D. Reject

A

B. Transfer

6
Q

Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?

A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

A

A. Student identification number

7
Q

Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?

A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule

A

C. Prudent man rule

8
Q

Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?

A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.

A

B. Any certified or licensed professional may bring charges.

9
Q

Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?

A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

A

C. Standard contractual clauses

10
Q

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

A. GLBA
B. SOX
C. HIPAA
D. FERPA

A

A. GLBA

11
Q

Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

A

A. FISMA

12
Q

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

A

D. Encryption software

13
Q

Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?

A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege

A

D. Elevation of privilege

14
Q

You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?

A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.

A

D. Document your decision-making process.

15
Q

You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)

A. Physical
B. Detective
C. Deterrent
D. Preventive

A

A. Physical
C. Deterrent
D. Preventive

16
Q

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

A

D. Combination of quantitative and qualitative risk assessment

17
Q

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?

A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

A

D. Economic Espionage Act

18
Q

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

A

C. Due care

19
Q

Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?

A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies

A

C. Protection of intellectual property

20
Q

Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?

A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard

A

D. There is no standard

21
Q

Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

A. Patent
B. Trade secret
C. Copyright
D. Trademark

A

A. Patent

22
Q

Which one of the following actions might be taken as part of a business continuity plan?

A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

23
Q

When developing a business impact analysis, the team should first create a list of assets. What should happen next?

A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.

A

C. Develop a value for each asset.

24
Q

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

C. Risk mitigation

25
Q

Laura has been asked to perform an SCA. What type of organization is she most likely in?

A. Higher education
B. Banking
C. Government
D. Healthcare

A

C. Government

26
Q

Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?

A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence

A

C. Beyond a reasonable doubt

27
Q
The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?

A. Copyright
B. Patent
C. Trade secret
D. Trademark

A

D. Trademark

28
Q

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

A. Availability
B. Confidentiality
C. Disclosure
D. Distributed

A

A. Availability

29
Q

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?

A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan

A

B. Health and fitness application developer

30
Q

John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?

A. Availability
B. Integrity
C. Confidentiality
D. Denial

A

A. Availability

31
Q

Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?

A. Operational
B. Tactical
C. Summary
D. Strategic

A

D. Strategic

32
Q

Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?

A. USPTO
B. Library of Congress
C. NSA
D. NIST

A

A. USPTO

33
Q

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation

A

B. Separation of duties

34
Q

Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

A. Banks
B. Defense contractors
C. School districts
D. Hospitals

A

B. Defense contractors

35
Q

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?

A. HIPAA
B. PCI DSS
C. SOX
D. GLBA

A

B. PCI DSS

36
Q

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?

A. Data custodian
B. Data owner
C. User
D. Auditor

A

A. Data custodian

37
Q

Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan’s company’s rights?

A. Trade secret
B. Copyright
C. Trademark
D. Patent

A

B. Copyright

38
Q

Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?

A. United States Code
B. Supreme Court rulings
C. Code of Federal Regulations
D. Compendium of Laws

A

C. Code of Federal Regulations

39
Q

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

A. Impact
B. RPO
C. MTO
D. Likelihood

A

D. Likelihood

40
Q

Which one of the following individuals would be the most effective organizational owner for an information security program?

A. CISSP-certified analyst
B. Chief information officer (CIO)
C. Manager of network security
D. President and CEO

A

B. Chief information officer (CIO)

41
Q

What important function do senior managers normally fill on a business continuity planning team?

A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls

A

A. Arbitrating disputes about criticality

42
Q

You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

A. SOC 1
B. FISMA
C. PCI DSS
D. SOC 2

A

D. SOC 2

43
Q

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

A. Repudiation
B. Information disclosure
C. Tampering
D. Elevation of privilege

A

A. Repudiation

44
Q

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?

A. Integrity
B. Availability
C. Confidentiality
D. Denial

A

A. Integrity

45
Q

Which one of the following issues is not normally addressed in a service-level agreement (SLA)?

A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime

A

A. Confidentiality of customer information

46
Q

Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?

A. Trademark
B. Copyright
C. Patent
D. Trade secret

A

A. Trademark

47
Q

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

Users in the two offices would like to access each other’s file servers over the internet. What control would provide confidentiality for those communications?

A. Digital signatures
B. Virtual private network
C. Virtual LAN
D. Digital content management

A

B. Virtual private network

48
Q

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

You are concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers?

A. Server clustering
B. Load balancing
C. RAID
D. Scheduled backups

A

C. RAID

49
Q

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?

A. Hashing
B. ACLs
C. Read-only attributes
D. Firewalls

A

A. Hashing

50
Q

Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process?

A. An exit interview
B. Recovery of property
C. Account termination
D. Signing an NCA

A

D. Signing an NCA

51
Q

Frances is reviewing her organization’s business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation?

A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility

A

A. Statement of accounts

52
Q

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation

A

D. Mandatory vacation

53
Q

Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?

A. CMM
B. SW-CMM
C. RMM
D. COBIT

A

C. RMM

54
Q

Chris’ organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?

A. Confidentiality
B. Integrity
C. Availability
D. Denial

A

C. Availability

55
Q

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?

A. Policy
B. Baseline
C. Guideline
D. Procedure

A

B. Baseline

56
Q

Who should receive initial business continuity plan training in an organization?

A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders

A

C. Everyone in the organization

57
Q

James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

A. Purchase cost
B. Depreciated cost
C. Replacement cost
D. Opportunity cost

A

C. Replacement cost

58
Q

Roger’s organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?

A. FBI
B. Local law enforcement
C. Bank
D. PCI SSC

A

D. PCI SSC

59
Q

Rick recently engaged critical employees in each of his organization’s business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship?

A. Security champion
B. Security expert
C. Gamification
D. Peer review

A

A. Security champion

60
Q

Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?

A. Confidentiality
B. Integrity
C. Availability
D. Denial

A

A. Confidentiality

61
Q

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

A

B. Handling information in the same manner the organization would

62
Q

The following graphic shows the NIST risk management framework with step 4
What is the missing step?

A. Assess security controls.
B. Determine control gaps.
C. Remediate control gaps.
D. Evaluate user activity.

A

A. Assess security controls.

63
Q

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance

A

D. Risk avoidance

64
Q

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?

A. Availability
B. Denial
C. Confidentiality
D. Integrity

A

C. Confidentiality

65
Q

Which one of the following components should be included in an organization’s emergency response guidelines?

A. List of individuals who should be notified of an emergency incident
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment

A

A. List of individuals who should be notified of an emergency incident

66
Q

Chas recently completed the development of his organization’s business continuity plan. Who is the ideal person to approve an organization’s business continuity plan?

A. Chief information officer
B. Chief executive officer
C. Chief information security officer
D. Chief operating officer

A

B. Chief executive officer

67
Q

Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?

A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan

A

D. Documentation of the plan

68
Q

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?

A. Denial
B. Confidentiality
C. Integrity
D. Availability

A

D. Availability

69
Q

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?

A. Cold site
B. Warm site
C. Hot site
D. Mobile site

A

A. Cold site

70
Q

Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action?

A. The breach laws in the state where they are headquartered.
B. The breach laws of states they do business in.
C. Only federal breach laws.
D. Breach laws only cover government agencies, not private businesses.

A

B. The breach laws of states they do business in.

71
Q

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

A. ITIL
B. ISO 27002
C. CMM
D. PMBOK Guide

A

B. ISO 27002

72
Q

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt’s clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

A. ECPA
B. CALEA
C. Privacy Act
D. HITECH Act

A

B. CALEA

73
Q

Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?

A. FERPA
B. GLBA
C. HIPAA
D. HITECH

A

B. GLBA

74
Q

Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?

A. NCA
B. SLA
C. NDA
D. RTO

A

C. NDA

75
Q

The (ISC)2 Code of Ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code?

A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
B. Disclose breaches of privacy, trust, and ethics.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.

A

B. Disclose breaches of privacy, trust, and ethics.

76
Q

Which one of the following stakeholders is not typically included on a business continuity planning team?

A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments

A

C. CEO

77
Q

Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?

A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation

A

D. Nonrepudiation

78
Q

What principle of information security states that an organization should implement overlapping security controls whenever possible?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity

A

C. Defense in depth

79
Q

Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.)

A. (ISC)2 Code of Ethics
B. Organizational code of ethics
C. Federal code of ethics
D. RFC 1087

A

A. (ISC)2 Code of Ethics
B. Organizational code of ethics

79
Q

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?

A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception

A

B. Encrypting the database contents

80
Q

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

A. I
B. II
C. III
D. IV

A

A. I

81
Q

Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?

A. Informing other employees of the termination
B. Retrieving the employee’s photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights

A

D. Revoking electronic access rights

82
Q

Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?

A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance

A

D. Risk acceptance

83
Q

Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site’s privacy policy and would like to ensure that it complies with the provisions of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?

A. 13
B. 15
C. 17
D. 18

A

A. 13

84
Q

Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?

A. 100
B. 1
C. 0.1
D. 0.01

A

D. 0.01

85
Q

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?

A. Integrity
B. Denial
C. Availability
D. Confidentiality

A

D. Confidentiality

86
Q

Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using?

A. Vulnerability assessment
B. Fuzzing
C. Reduction analysis
D. Data modeling

A

C. Reduction analysis

87
Q

Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map shown here from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?

A. New York
B. North Carolina
C. Indiana
D. Florida

A

D. Florida

88
Q

Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction

A

B. Qualitative

89
Q

Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat?

A. Unpatched web application
B. Web defacement
C. Malicious hacker
D. Operating system

A

C. Malicious hacker

90
Q

scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?

A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent

A

C. 50 percent

91
Q

scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?

A. 0.0025
B. 0.005
C. 0.01
D. 0.015

A

B. 0.005

92
Q

scenario:
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?

A. $25,000
B. $50,000
C. $250,000
D. $500,000

A

A. $25,000

93
Q

John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?

A. Spoofing
B. Repudiation
C. Information disclosure
D. Elevation of privilege

A

C. Information disclosure

94
Q

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?

A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)

A

A. His supply chain

95
Q

In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe?

A. Regression testing
B. Code review
C. Change management
D. Fuzz testing

A

C. Change management

96
Q

After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?

A. A KPI
B. A metric
C. An awareness control
D. A return on investment rate

A

A. A KPI

97
Q

Which of the following is not typically included in a prehire screening process?

A. A drug test
B. A background check
C. Social media review
D. Fitness evaluation

A

D. Fitness evaluation

98
Q

Which of the following would normally be considered a supply chain risk? (Select all that apply.)

A. Adversary tampering with hardware prior to it being shipped to the end customer
B. Adversary hacking into a web server run by the organization in an IaaS environment
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts
D. Adversary conducting a denial-of-service attack using a botnet

A

A. Adversary tampering with hardware prior to it being shipped to the end customer
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts

99
Q

Match the Laws and Industry standards to their description.

Laws and industry standards
1. GLBA
2. PCI DSS
3. HIPAA
4. SOX

Descriptions
A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis
B. A U.S. law that requires internal controls assessments, including IT transaction flows for publicly traded companies
C. An industry standard that covers organizations that handle credit cards
D. A U.S. law that provides data privacy and security requirements for medical information

A

1-A
2-C
3-D
4-B

100
Q

Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?

A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website

A

C. Hardware destruction caused by arson

101
Q

Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded

A

B. The CIA Triad

102
Q

James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?

A. Identification
B. Availability
C. Encryption
D. Layering

A

B. Availability

103
Q

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?

A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives.
D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

A

D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

104
Q

You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create?

A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan

A

C. Strategic plan

105
Q

Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)

A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve sufficient return on investment (ROI)

A

A. Inappropriate information disclosure
C. Data loss
D. Downtime
F. Failure to achieve sufficient return on investment (ROI)

106
Q

Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?

A. ITIL
B. ISO 27000
C. CIS
D. CSF

A

A. ITIL

107
Q

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it?

A. Senior management
B. Security professional
C. Custodian
D. Auditor

A

B. Security professional

108
Q

Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.)

A. Holistic Approach
B. End-to-End Governance System
C. Provide Stakeholder Value
D. Maintaining Authenticity and Accountability
E. Dynamic Governance System

A

A. Holistic Approach
B. End-to-End Governance System
C. Provide Stakeholder Value
E. Dynamic Governance System

109
Q

In today’s business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.)

A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures.
C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization.
D. Due care is practicing the individual activities that maintain the security effort.
E. Due care is knowing what should be done and planning for it.
F. Due diligence is doing the right action at the right time.

A

A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization.

D. Due care is practicing the individual activities that maintain the security effort.

110
Q

Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions.

  1. Policy
  2. Standard
  3. Procedure
  4. Guideline
  I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
  II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
  III. A minimum level of security that every system throughout the organization must meet.
  IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.
  V. Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls.

A. 1 – I; 2 – IV; 3 – II; 4 – V
B. 1 – II; 2 – V; 3 – I; 4 – IV
C. 1 – IV; 2 – II; 3 – V; 4 – I
D. 1 – V; 2 – I; 3 – IV; 4 – III

A

B. 1 – II; 2 – V; 3 – I; 4 – IV

111
Q

STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?

A. S
B. T
C. R
D. I
E. D
F. E

A

D. I

112
Q

A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?

A. Threat hunting
B. Proactive approach
C. Qualitative approach
D. Adversarial approach

A

B. Proactive approach

113
Q

Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.)

A. Each link in the supply chain should be responsible and accountable to the next link in the chain.
B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.
C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements.
D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.

A

A. Each link in the supply chain should be responsible and accountable to the next link in the chain.

B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.

D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.

114
Q

Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?

A. Software
B. Services
C. Data
D. Hardware

A

C. Data

115
Q

Cathy’s employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?

A. Write up a report and submit it to the CIO.
B. Void the ATO of the vendor.
C. Require that the vendor review their terms and conditions.
D. Have the vendor sign an NDA.

A

B. Void the ATO of the vendor.

116
Q

Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?

A. Existing security policy
B. Third-party audit
C. On-site assessment
D. Vulnerability scan results

A

A. Existing security policy

117
Q

It’s common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization’s valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?

A. VAST
B. SD3+C
C. PASTA
D. STRIDE

A

C. PASTA

118
Q

The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.)

A. Patch or update versions
B. Trust boundaries
C. Dataflow paths
D. Open vs. closed source code use
E. Input points
F. Privileged operations
G. Details about security stance and approach

A

B. Trust boundaries
C. Dataflow paths
E. Input points
F. Privileged operations
G. Details about security stance and approach

119
Q

Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.)

A. Layering
B. Classifications
C. Zones
D. Realms
E. Compartments
F. Silos
G. Segmentations
H. Lattice structure
I. Protection rings

A

A. Layering
B. Classifications
C. Zones
D. Realms
E. Compartments
F. Silos
G. Segmentations
H. Lattice structure
I. Protection rings

120
Q

Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified only by authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. As a group, what is this commonly known as?

A

CIA Triad

121
Q

__________ is composed of identification, authentication, authorization, auditing, and accountability.

A

AAA Services

122
Q

_________ is the process by which a subject professes an identity and accountability is initiated.

A

Identification

123
Q

__________ must provide an identity to a system to start the process of authentication, authorization, and accountability.

A

A subject

124
Q

___________ is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.

A

Authentication

125
Q

__________ is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.

A

Auditing

126
Q

Security can be maintained only if subjects are held accountable for their actions. What is the term used for this?

A

Accountability

127
Q

______________ ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

A

Nonrepudiation

128
Q

___________ is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

A

Abstraction

129
Q

Preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.
What does this define?

A

Data hiding

130
Q

_____________ is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

A

Security boundary

131
Q

_____________ is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

A

Security governance

132
Q

______________ is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.

A

Third-party governance

133
Q

_________________ is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).

A

Documentation review

134
Q

_____________ planning ensures proper creation, implementation, and enforcement of a security policy. ________________ aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.

A

Security management
Security management planning

135
Q

___________ is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.

A

A business case

136
Q

____________ demonstrates a business-specific need to alter an existing process or choose an approach to a business task.

A

A business case

137
Q

_________________ is based on three types of plans: strategic, tactical, and operational.

A

Security management

138
Q

____________ is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives.

A

Strategic plan

139
Q

__________ is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

A

The tactical plan

140
Q

List the elements of a security policy that is formalized. (there are 5)

A

security policy,
standards,
baselines,
guidelines,
procedures.

141
Q

Security governance needs to address every aspect of an organization. What are those areas? (there are 3)

A

organizational processes of acquisitions, divestitures,
governance committees.

142
Q

List the Key Security Roles (there are 5)

A

senior manager,
security professional,
asset owner,
custodian,
user,
auditor.

143
Q

______________ is a security concept infrastructure used to organize the complex security solutions of companies.

A

Control Objectives for Information and Related Technology (COBIT)

144
Q

____________ is establishing a plan, policy, and process to protect the interests of an organization.

A

Due diligence

145
Q

____________ can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed.

A

Threat modeling

146
Q

____________ is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners.

A

Supply Chain Risk Management (SCRM)

147
Q

_________ is knowing what should be done and planning for it; due care is doing the right action at the right time.

A

Due diligence

148
Q

STRIDE, PASTA, VAST, diagramming, reduction/decomposing, and DREAD are key concepts of what?

A

Threat modeling

149
Q

_____________ includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.

A

SCRM (Supply Chain Risk Management)

150
Q

_____________ is practicing the individual activities that maintain the due diligence effort.

A

Due care

151
Q

_____________ is the security process where potential threats are identified, categorized, and analyzed.

A

Threat modeling

152
Q

Which factor is the most important item when it comes to ensuring security is successful in an organization?

A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A

A. Senior management support

153
Q

(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity?

A. Separation of duties
B. Job rotation
C. Mandatory vacations
D. Split knowledge

A

C. Mandatory vacations

154
Q

(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

If the financial institution wants to ensure that fraud cannot happen successfully unless collusion occurs, what should Todd put into place?

A. Separation of duties
B. Job rotation
C. Social engineering
D. Split knowledge

A

A. Separation of duties

154
Q

(scenario) Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, he needs to develop a security awareness program. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the activities of bank personnel to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault.

Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide?

A. Separation of duties, by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventive protection for Todd’s organization.
B. Job rotation, by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities.
C. Security awareness training, which can also emphasize enforcement.
D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

A

D. Dual control

154
Q

Which term denotes a potential cause of an unwanted incident, which may result in harm to a system or organization?

A. Vulnerability
B. Exploit
C. Threat
D. Attacker

A

C. Threat

155
Q

A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification?

A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)2
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means

A

A. E-mailing information or comments about the exam to other CISSP candidates

156
Q

You want to ensure that your organization’s finance department, and only the finance department, has access to the organization’s bank statements. Which of the following security properties would be most important?

A. Confidentiality
B. Integrity
C. Availability
D. Both A and C

A

D. Both A and C

157
Q

You want to make use of the OpenOffice productivity software suite mandatory across your organization. In what type of document would you codify this?

A. Policy
B. Standard
C. Guideline
D. Procedure

A

B. Standard

158
Q

For an enterprise security architecture to be successful in its development and implementation, which of the following items is not essential?

A. Strategic alignment
B. Security guidelines
C. Business enablement
D. Process enhancement

A

B. Security guidelines

159
Q

Which of the following practices is likeliest to mitigate risks when considering a candidate for hiring?

A. Security awareness training
B. Nondisclosure agreement (NDA)
C. Background checks
D. Organizational ethics

A

C. Background checks

160
Q

Which of the following best describes the relationship between COBIT and ITIL?

A. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

A

C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.

161
Q

Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?

A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organization for Economic Co-operation and Development
C. COBIT
D. International Organization for Standardization

A

B. The Organization for Economic Co-operation and Development

162
Q

Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?

A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee

A

D. Security steering committee

163
Q

Which of the following is not included in a risk assessment?

A. Discontinuing activities that introduce risk.
B. Identifying assets.
C. Identifying threats.
D. Analyzing risk in order of cost or criticality.

A

A. Discontinuing activities that introduce risk.

164
Q

The integrity of data is not related to which of the following?

A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

A

A. Unauthorized manipulation or changes to data

165
Q

As the company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?

A. threats x vulnerability x asset value = residual risk
B. SLE x frequency = ALE, which is equal to residual risk
C. (threats x vulnerability x asset value) x controls gap = residual risk
D. (total risk - asset value) x countermeasures = residual risk

A

C. (threats x vulnerability x asset value) x controls gap = residual risk

166
Q

Which of the following is not a characteristic of a company with a security governance program in place?

A. Board members are updated quarterly on the company’s state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.

A

B. All security activity takes place within the security department.

167
Q

ISO/IEC 27002 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?

A. ISO/IEC 20072: Code of practice for information security management
B. ISO/IEC 20073: Guideline for ISMS implementation
C. ISO/IEC 20074: Guideline for information security management measurement and metrics framework
D. ISO/IEC 20075: Guideline for bodies providing audit and certification of information security management systems

A

D. ISO/IEC 20075: Guideline for bodies providing audit and certification of information security management systems

168
Q

Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.

Which of the following is the criteria Sam’s company was most likely certified under?

A. SABSA
B. Capability Maturity Model Integration
C. Information Technology Infrastructure Library
D. Prince2

A

B. Capability Maturity Model Integration

169
Q

Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.

What is the associated single loss expectancy value in this scenario?

A. 65,000
B. 400,000
C. 40,000
D. 4,000

A

C. 40,000

170
Q

As his company’s business continuity coordinator, Matthew is responsible for helping recruit members to the business continuity planning (BCP) committee. Which of the following does not correctly describe this effort?

A. Committee members should be involved with the planning stages, as well as the testing and implementation stages.
B. The smaller the team, the better to keep meetings under control.
C. The business continuity coordinator should work with management to appoint committee members.
D. The team should consist of people from different departments across the company.

A

B. The smaller the team, the better to keep meetings under control.

171
Q

A proper risk analysis has specific steps and objectives that it needs to accomplish. Which of the following lists these items?

A. Identify assets and their values; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide inexpensive countermeasure recommendations.
B. Identify assets and their value to the organization; determine the likelihood that a threat exploits a vulnerability; determine the business impact of these potential threats; and provide an economic balance between the impact of the threat and the cost of the countermeasure.
C. Identify assets; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendations.
D. Identify assets and their values; identify fraud and collusion; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendations.

A