Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP > CISSP CBK Review Seminar -- Domains 1 & 2 > Flashcards

CISSP CBK Review Seminar -- Domains 1 & 2 Flashcards

Domains 1 & 2

1
Q
  1. International Organization for Standardization (ISO) standard 27002 provides guidance for vendor compliance by outlining

(A) guidelines and practices of security controls.
(B) financial soundness and business viability metrics.
(C) standard best practice for procurement policy.
(D) contract agreement writing standards.

A

(A) guidelines and practices of security controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
  1. Which of the following is an industry specific standard that PRIMARILY deals with privacy matters?

(A) Control Objectives for Information and Related Technology (COBIT)
(B) European Union Principles
(C) International Organization for Standardization (ISO) 9001:2000
(D) The Wassenaar Agreement

A

(B) European Union Principles

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
  1. Which of the following defines the intent of a system security policy?

(A) A description of the settings that will provide the highest level of security
(B) A brief high-level statement defining what is and is not permitted in the operation of the system
(C) A definition of those items that must be denied on the system
(D) A listing of tools and applications that will be used to protect the system

A

(B) A brief high-level statement defining what is and is not permitted in the operation of the system

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
  1. Which of the following is the BEST reason for using an automated risk analysis methodology?

(A) Automated methodologies generally require minimal training and knowledge of risk analysis.
(B) Most software tools have user interfaces that are easy to use and require little or no computer experience.
(C) Minimal information gathering is required due to the amount of information built into the software tool.
(D) Much of the data gathered during the review can be reused, greatly reducing the time required to perform a subsequent analysis.

A

(D) Much of the data gathered during the review can be reused, greatly reducing the time required to perform a subsequent analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
  1. An organizational information security strategy is incomplete without

(A) recommendations for salary improvement of security professionals.
(B) addressing privacy and health care requirements of employees.
(C) alignment with organizational audit and marketing plans.
(D) incorporating input from organizational privacy and safety professionals.

A

(D) incorporating input from organizational privacy and safety professionals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q
  1. The organizational information security plan can

(A) assure protection of organizational data and information.
(B) select the technology solutions to enhance organizational security
effectiveness.
(C) identify potential risks to organizational employee behavior.
(D) align organizational data protection schemes to business goals.

A

(D) align organizational data protection schemes to business goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
  1. Verifying vendor compliance with their active security policies is typically provided through

(A) indemnification clauses.
(B) unqualified vendor management reports.
(C) good faith agreements.
(D) audit and standards compliance reporting.

A

(D) audit and standards compliance reporting.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
  1. What is the MOST critical factor to the success of enterprise security?

(A) Ability to effectively monitor the enterprise
(B) Budget available for security department
(C) Senior management support
(D) Complete security awareness plans

A

(C) Senior management support

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
  1. Which one of the following individuals has PRIMARY responsibility for determining the classification level of information?

(A) Security manager
(B) User
(C) Owner
(D) Auditor

A

(C) Owner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
  1. When a communication link is subject to monitoring, what advantage does end- to-end encryption have over link encryption?

(A) Cleartext is only available to the sending and receiving processes.
(B) Routing information is included in the message transmission protocol.
(C) Routing information is encrypted by the originator.
(D) Each message has a unique encryption key.

A

(A) Cleartext is only available to the sending and receiving processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q
  1. Computer security is the responsibility of

(A) everyone in the organization.
(B) corporate management.
(C) the corporate security staff.
(D) everyone with computer access.

A

(A) everyone in the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  1. What is the PRIMARY objective for implementing a security awareness program?

(A) To reduce the cost associated with security tools
(B) To ensure users are aware of security policies and their responsibilities
(C) To reduce the risk of social engineering
(D) To obtain the support of users when investigating security breaches

A

(B) To ensure users are aware of security policies and their responsibilities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q
  1. Employee involuntary termination processing should include

(A) a list of all passwords used by the individual.
(B) a report on outstanding projects.
(C) the surrender of any company identification.
(D) the signing of a Non-Disclosure Agreement (NDA).

A

(C) the surrender of any company identification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q
  1. What is the company benefit, in terms of risk, for people taking a vacation of a specified minimum length?

(A) Reduces stress levels, thereby lowering insurance claims
(B) Improves morale, thereby decreasing errors
(C) Increases potential for discovering frauds
(D) Reduces dependence on critical individuals

A

(C) Increases potential for discovering frauds

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q
  1. The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard 27002 documents which body of knowledge?

(A) Information security management
(B) Personally identifiable health information data management
(C) Credit card handling processes
(D) Software development best practices

A

(A) Information security management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q
  1. Which one of the following is the MOST crucial link in the computer security chain?

(A) Access controls
(B) People
(C) Management
(D) Awareness programs

A

(B) People

17
Q
  1. During a routine investigation of violation reports, a technician discovers a memorandum written to a competitor containing sensitive information about the technician’s company. Based on the (ISC)2 Code of Ethics, what is the FIRST action the technician should take?

(A) Delete the memorandum to ensure no one else will see it
(B) Contact the author of the memorandum to let them know of the discovery
(C) Immediately inform the company’s management of the technician’s
findings and the potential risk
(D) Launch a training program outlining the need for protection of intellectual
property

A

(C) Immediately inform the company’s management of the technician’s
findings and the potential risk

18
Q
  1. When dealing with intellectual property rights for software between nations, it is important to consider

(A) information concerning the overall foreign trade agreements between the two nations.
(B) the governing law in the agreements between the two nations.
(C) foreign corrupt trading practices in the agreement between the two
nations.
(D) information about the specific product liabilities that the software has.

A

(B) the governing law in the agreements between the two nations.

19
Q
  1. A critical step in the Business Impact Analysis (BIA) is to

(A) document application vulnerabilities.
(B) create a vendor contact list.
(C) identify acceptable recovery times.
(D) determine if a warm or hot site will be used.

A

(C) identify acceptable recovery times.

20
Q
  1. Which of the following is the MOST important information to consider when writing a security policy?

(A) The impact on the organization’s ability to achieve its goals.
(B) The acceptance by members of the IT department.
(C) The effect it could have on organizational morale.
(D) The degree to which it may affect the Business Continuity Plan (BCP).

A

(A) The impact on the organization’s ability to achieve its goals.

21
Q
  1. In order to reduce the costs and complexity of providing fault tolerant processor services, a certain number of the most recent transactions are allowed to be lost during the recovery. The magnitude of this loss is specified in the

(A) Recovery Point Objective (RPO).
(B) Recovery Time Objective (RTO).
(C) Return to Access Objective
(D) Annualized Loss Expectancy (ALE).

A

(A) Recovery Point Objective (RPO).

22
Q
  1. Which of the following is MOST true about Management’s overarching security policy.

(A) It details the organization’s security plan.
(B) It directly reflects management’s commitment to security.
(C) It should be published so it can be read.
(D) Copies should be controlled for easy of updating, accountability purposes, auditing, and to demonstrate management’s commitment to security

A

(B) It directly reflects management’s commitment to security.

23
Q
  1. All of the following are basic components of a security policy EXCEPT the

(A) Definition of the issue being addressed and relevant terms.
(B) Statement of roles and responsibilities.
(C) Statement of applicability and compliance requirements.
(D) Statement of performance characteristics and requirements.

A

(D) Statement of performance characteristics and requirements.

24
Q
  1. Which of the following provides for an effective security program?

(A) An hierarchical definition of security policies, standards, and procedures
(B) The identification, assessment, and mitigation of vulnerabilities
(C) A definition of program modules and procedures for data structures
(D) The identification of organizational, procedural, and administrative weaknesses

A

(A) An hierarchical definition of security policies, standards, and procedures

25
Q
  1. Which one of the following risk analysis terms characterizes the absence or weakness of a risk-reducing safeguard?

(A) Threat
(B) Probability
(C) Vulnerability
(D) Loss expectancy

A

(C) Vulnerability

26
Q
  1. Non-binding statements on how to achieve compliance with protective standards are called:

(A) Policies if signed by the Chief Information Officer (CIO).
(B) Standards, but only if issued by an International Organization.
(C) Guidelines if they provide “Best Practices.”
(D) Procedures if they are properly written.

A

(C) Guidelines if they provide “Best Practices.”

27
Q
  1. You are the Chief Information Security Officer for the United Nations. Understanding the International challenges will be difficult. However, which of the following will have the LEAST impact on your decision-making during risk analysis?

(A) Cost/benefit analysis
(B) Deploying safeguards
(C) Auditing
(D) Selecting products from different International vendors.

A

(D) Selecting products from different International vendors.

28
Q
  1. Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome?

(A) Annualized Loss Expectancy
(B) Single Loss Expectancy
(C) Annualized Rate of Occurrence
(D) Information Security Risk Management

A

(B) Single Loss Expectancy

29
Q
  1. A large number of approved waivers to an organization’s policy may indicate:

(A) that the policy is too general.
(B) that that the policy is being enforced.
(C) that the policy is inappropriate for the organization or situation.
(D) that the waiver process is not properly processing the waivers.

A

(C) that the policy is inappropriate for the organization or situation.

30
Q
  1. CISSPs may be faced with an ethical conflict between their company’s policies and the (ISC)2 Code of Ethics. According to the (ISC)2 Code of Ethics, in which order of priority should ethical conflicts be resolved?

(A) Duty to principals, profession, public safety, and individuals
(B) Duty to protect society (public safety), Act honorable and legally (for the individual), provide diligent service to principals, and advance and protect the profession
(C) Duty to profession, public safety, individuals, and principals
(D) Duty to public safety, profession, individuals, and principals

A

(B) Duty to protect society (public safety), Act honorable and legally (for the individual), provide diligent service to principals, and advance and protect the profession

31
Q
  1. Key elements of an information security program include

(A) Disaster recovery and business continuity planning, definition of access control requirements, and human resources policies.
(B) Business impact, threat and vulnerability analysis, delivery of an information security awareness program, and physical security of key installations.
(C) Security policy implementation, assignment of roles and responsibilities, and information asset classification.
(D) Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.

A

(C) Security policy implementation, assignment of roles and responsibilities, and information asset classification.

CISSP (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions