CISSP - 4

Question 1

Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements. These requirements are A. concepts, awareness, and practicality B. confidentiality, integrity, and availability C. control, network, and technology D. features, assurances, and practices

Answer 1

B. confidentiality, integrity, and availability

Question 2

The Information Security Manager is reviewing hiring practices, background checks and personnel controls. What type of access control review is the Information Security Manager completing? A. Administrative B. Physical/Personnel C. Corrective D. Logical/Technical

Answer 2

A. Administrative

Question 3

To avoid long-term emloyees from acquiring excessive privileges audit control procedures must address teh following: A. Principle of least privilege B. Executive management privilege C. Segragation of duties D. Discretionary access control

Answer 3

A. Principle of least privilege

Question 4

What is considered an industry standard for remote access Virtual Private Networks? A. Internet Key Exchange Extended Authentication B. Internet Security Association and Key Management Protocol C. Transport Layer Security D. Interior Gateway Routing Protocol

Answer 4

C. Transport Layer Security

Question 5

Which attack is based on the principle given any input there is a fair chance to find a key that will leave that input unchanged? A. Fixed-Point Attack B. Birthday Attack C. Cut and Splice Attack D. Shortcut Attack

Answer 5

A. Fixed-Point Attack

Question 6

Internet Protocol Security provides security to traffic traversing a network at which point in the transmission? A. At the perimeter if IPSec is implemented on a router or firewall B. At the application level if IPSec is implemented on the desktop C. At the data link level if IPSec is implemented for link encryption D. At the transport layer if IPSec is implemented using TCP

Answer 6

A. At the perimeter if IPSec is implemented on a router or firewall

Question 7

Who is responsible for corporate information security? A. Supervisors B. Users C. System Administrators D. Executive Management

Answer 7

D. Executive Management

Question 8

Business and technology goals are typically associated with the A. Business Impact Analysis B. Operational Plan C. Strategic Plan D. Tactical Plan

Answer 8

C. Strategic Plan

Question 9

Which of the following is identified as a Directive Control Vulnerability? A. Failure to train new late-shift operators in database rollback process B. The new biometric lock resulted in a high false acceptance rate C. Executive review of recent policy changes was postponed due to other conflicts D. The process for transferring audit logs to a central repository failed and was undetected for serveral days

Answer 9

C. Executive review of recent policy changes was postponed due to other conflicts

Question 10

Known security vulnerabilities related to object sharing, trust, unprotected data channels, and timing issues are best addressed A. if redundant failover is built into the system B. in the design phase of development C. to avoid cascading runtime errors D. during the test stage of development

Answer 10

B. in the design phase of development

Question 11

Polyinstantiation in a database is meant to prevent what kind of attack? A. Inference B. Privilege escalation C. SQL injection D. Denial of Service

Answer 11

A. Inference

Question 12

Which of the following is a form of cryptography technique that is unbreakable? A. Polyalphabetic substitution rotary ciphers B. Rivest-Shamir-Adleman public key C. Keyed Vernam ciphers D. One-time pad ciphers

Answer 12

D. One-time pad ciphers

Question 13

Which one of the following provides data security using factorization of large integers? A. Rivest-Shamir-Adleman B. Data Encryption Standard C. Bell-LaPadula Model D. Diffie-Hellman Model

Answer 13

A. Rivest-Shamir-Adleman

Question 14

Which of the following is an advantage of using steganography when compared to using encryption? A. Can be used to protect all forms of data B. Concealment that secret communication is used C. Method is secure even after discovery of use D. More secure in protecting data

Answer 14

B. Concealment that secret communication is used

Question 15

What is the main reason that Public key encryption alogrithms have significantly longer key lengths than symmetric encryption algorithms? A. Public key algorithms are susceptible to techniques that significantly reduce the effective key length B. Longer keys are required for the session key exchange process C. Symmetric ciphers are optimised for implementation in hardware D. Brute force attacks are conducted against private keys

Answer 15

A. Public key algorithms are susceptible to techniques that significantly reduce the effective key length

Question 16

In what security mode is a system operating when two or more classification levels of information are processed simulateneously and not all users have a clearance for all data handled by the system? A. Partitioned B. Dedicated C. System High D. Multilevel

Answer 16

D. Multilevel

Question 17

An organization is using virtual machines on the user’s computer. This virtual machine becomes infected with malware. What is the best way to remove the malware from the machine? A. roll back the system from a point prior to infection B. follow cleanup instructions provided by anti-malware vendor C. reinstall the operating system in the virtual machine D. load an image from prior to infection

Answer 17

D. load an image from prior to infection

Question 18

The first action to take when physical security is breached and resources are compromised in a workplace is to A. notify the incident response team B. turn off compromised system C. activate fail-safe on facility access points D. examine facility access logs

Answer 18

A. notify the incident response team

Question 19

All of the following are part of an incident response plan except A. definition of an incident B. steps to respond to an incident C. assessment of the risk of an incident D. roles and responsibilities during an incident

Answer 19

C. assessment of the risk of an incident

Question 20

Decryption and verification of information contained in a message can be done by A. Only the encrypting party B. Only the party to whom the message was addressed C. Anyone with the public key of the sender D. Anyone with the private key of the intended recepient

Answer 20

C. Anyone with the public key of the sender

Question 21

What is the primary driver for selecting a disaster recovery strategy? A. recovery time sensitivity B. cost of implementing the strategy C. location of the alternate site D. access to the spare equipment

Answer 21

A. recovery time sensitivity

Question 22

All of the following are included in the ISC2 Code of Ethics except A. report all vulnerabilities to the public immediately B. provide diligent and competent service to principals C. protect society, the commonwealth, and the infrastructure D. act honorably, honestly, justly, responsibly, and legally

Answer 22

A. report all vulnerabilities to the public immediately

Question 23

Information retention policy should be clearly defined to all employees to protect the company from issues related to A. security B. financial fraud C. discovery D. privacy

Answer 23

C. discovery

Question 24

Which of the following helps detect unauthorized equipment? A. component checklist B. anti-virus scans C. physical inventories D. spy sweepers

Answer 24

C. physical inventories

Question 25

Why do organizations require all persons to visibly display badges with pertinent information? A. to verify the identity of the wearer B. to promote employee relations C. to ensure the wearer can be tracked D. to allow electronic entry

Answer 25

A. to verify the identity of the wearer