CISSP - 5 Flashcards

1
Q

The three basic elements of the Access Matrix Model are subjects, objects, and
A. mode addresses
B. access rights
C. scalars
D. strings

A

B. access rights

2
Q

What two problems may be resolved by conducting periodic review of access controls?
A. Account lockouts and unknown user access
B. Weak passwords and user impersonation
C. Least privilege and accountability
D. Excessive privilege and creeping privileges

A

D. Excessive privilege and creeping privileges

3
Q

From a security perspective, what is the primary advantage of fiber optics over copper cables?
A. fiber optics have higher bandwidth
B. fiber optics are more difficult to tap
C. fiber optics are less expensive
D. fiber optics are easier to deploy

A

B. fiber optics are more difficult to tap

4
Q

Which one of the following is most effective against an Internet Protocol Security based virtual private network?
A. brute force
B. man in the middle
C. traffic analysis
D. replay

A

C. traffic analysis

5
Q

Who is responsible for setting the overall tone for the information security program in an organization?
A. Chief Information Security Officer
B. Chief Executive Officer
C. Chief Operating Officer
D. Board of Directors

A

B. Chief Executive Officer

6
Q

Which one of the following individuals has primary responsibility for determining the data classification level of information?
A. Data Security Manager
B. Data Owner
C. Data Manager
D. Data Custodian

A

B. Data Owner

7
Q

Which of the following is the best reason for using a formal risk analysis methodology?
A. Risk analysis methodologies generally require minimal training and knowledge of risk analysis
B. Most software tools have user interfaces that are easy to use and require little or no computer experience
C. Minimal information gathering is required due to the amount of information built into the software tool
D. A structured framework provides a more comprehensive approach, allows reuse of materials and allows better risk comparison between organizations and systems using similar frameworks

A

D. A structured framework provides a more comprehensive approach, allows reuse of materials and allows better risk comparison between organizations and systems using similar frameworks

8
Q

Enterprise Security Architecture ensures that the Acquisition and Development Phase of the System Development Life Cycle
A. reduces the likelihood of creating vulnerabilities in other enterprise systems
B. creates a standards-based methodology for preparing audits and performing compliance review
C. establishes technical requirements prior to the evaluation of the organizational culture and business needs of the organization
D. prepares the system to meet the Common Criteria specifications

A

A. reduces the likelihood of creating vulnerabilities in other enterprise systems

9
Q

An adequate system of application information security controls should be defined during the
A. systems design phase
B. project initiation and planning phase
C. development and implementation phase
D. functional requirements phase

A

A. systems design phase

10
Q

A heap overflow attack is harder to detect because it
A. relies on the specifics of hardware architecture
B. replaces the function return address with the attacker's address
C. is really simple to keep track of the stack
D. involves complex bookkeeping in allocation of free memory

A

D. involves complex bookkeeping in allocation of free memory

11
Q

Encryption of stored data is effective against all of the following except
A. physical theft
B. eavesdropping
C. shoulder surfing
D. known plaintext attack

A

C. shoulder surfing

12
Q

In what way does the Rivest-Shamir-Adleman algorithm differ from the Data Encryption Standard?
A. RSA is based on a symmetric algorithm
B. RSA uses a public key for encryption
C. RSA eliminates the need for a key distribution center
D. RSA cannot produce a digital signature

A

B. RSA uses a public key for encryption

13
Q

The Digital Signature Standard utilizes which of the following?
A. Asymmetric keys
B. Steganography
C. Symmetric keys
D. Watermarks

A

A. Asymmetric keys

14
Q

Which of the following is a security model used to protect similar data, requiring varying levels of privileges with similar restrictions?
A. Lattice
B. Matrix
C. Non-interference
D. Information flow

A

A. Lattice

15
Q

Which of the following is included in the accreditation process?
A. User review of changes
B. Compatibility with existing policy
C. Risk acceptance review
D. Review of documentation

A

C. Risk acceptance review

16
Q

A major benefit associated with establishing a categorization of vulnerabilities that groups them by their characteristics is that it allows
A. auditors to locate specific types of software problems
B. system administrators to deploy patches more rapidly
C. managers to effectively allocate security staff by areas of risk
D. incident handlers to identify compromised systems

A

A. auditors to locate specific types of software problems

17
Q

The partitioning of tasks among different users or subjects, or among different, mutually exclusive roles associated with a single user, is called
A. separation of duty
B. job rotation
C. process sequencing
D. least privilege

A

A. separation of duty

18
Q

A company-issued smartphone has been stolen. What is the main security risk?
A. loss of trust
B. loss of reputation
C. loss of sensitive data
D. loss of money

A

C. loss of sensitive data

19
Q

Honeynet analysis is undertaken for the purpose of
A. responding to an immediate threat
B. discovering the characteristics of the existing threat in the network
C. discovering fraud and abuse of internal resources
D. blocking known perpetrators from entry into the local network

A

B. discovering the characteristics of the existing threat in the network

20
Q

In which order do the phases of a successful business continuity planning project proceed?
A. plan development, testing, business impact analysis, risk analysis, and maintenance
B. requirement analysis, design, implementation, testing, and maintenance
C. plan design, requirement analysis, plan testing, implementation, and maintenance
D. requirement analysis, recovery strategy selection, user training and maintenance

A

B. requirement analysis, design, implementation, testing, and maintenance

21
Q

What is the main reason for measuring the impact of unplanned interruptions?
A. it helps to decide the location of a hot site or warm site
B. it provides insight into critical business processes
C. it helps in capacity planning
D. it provides data for an off-site backup strategy

A

B. it provides insight into critical business processes

22
Q

Which international agreement provides a minimum level of copyright protection to its signatories?
A. Paris Convention
B. Berne Convention
C. Madrid Agreement
D. Licensing Agreement

A

B. Berne Convention

23
Q

An important principle to follow when seizing digital evidence is
A. digital evidence should not be placed on the network
B. section off the incident area from non-privileged persons
C. senior management should be notified immediately
D. any actions taken should not change the evidence

A

D. any actions taken should not change the evidence

24
Q

A security guard provides many benefits to a physical security program by
A. providing an incident response capability
B. determining access permissions
C. granting access to trustworthy personnel
D. creating access control policy

A

A. providing an incident response capability

25
Q

When considering security of faxed information, the security professional is most concerned with the
A. possibility that the fax transmission is monitored
B. possibility that the transmission is to a wrong number
C. lack of control over the document at the receiving end
D. lack of control over the document at the originating end

A

C. lack of control over document at receiving end