CISSP Practice Test Chapter 1 Security and Risk Management (Sybex) Flashcards

Question 1

Q

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?

A. Gamification
B. Computer-based training
C. Content reviews
D. Live training

Answer

A

C. Content reviews

Explanation:
Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization’s needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 2

Q

Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?

A. Inherent risk
B. Residual risk
C. Control Risk
D. Mitigated risk

Answer

A

B. Residual risk

Explanation:
The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 3

Q

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?

A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm Leach Bliley Act

Answer

A

C. Digital Millennium Copyright Act

Explanation:
C. The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 4

Q

FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability

Answer

A

C. The right to be forgotten

Explanation:
The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 5

Q

After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?

A. Accept
B. Transfer
C. Reduce
D. Reject

Answer

A

B. Transfer

Explanation:
B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 6

Q

Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?

A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

Answer

A

A. Student identification number

Explanation:
A. Most state data breach notification laws are modeled after California’s data breach notification law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). California’s breach notification law also protects some items not commonly found in other state laws, including medical records and health insurance information. These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 7

Q

Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?

A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.

Answer

A

C. Prudent man rule

Explanation:
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in the United States in 1991.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 8

Q

Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?

A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.

Answer

A

B. Any certified or licensed professional may bring charges.

Explanation:
This is a question about who has standing to bring an ethics complaint. The group of individuals who has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may only be brought by a principal with an employer/contractor relationship with the accused.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 312-313). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.

Question 9

Q

Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?

A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

Answer

A

C. Standard contractual clauses

Explanation:
C. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 10

Q

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

A. GLBA
B. SOX
C. HIPAA
D. FERPA

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.

Answer

A

A. GLBA

Explanation:
A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 11

Q

Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

A. FISMA
B. PCI DSS
C.HIPAA
D. GISRA

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 3-4). Wiley. Kindle Edition.

Answer

A

A. FISMA

Explanation:
A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 12

Q

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.

Answer

A

D. Encryption software

Explanation:
D. The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are unlikely to be covered by these regulations.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 13

Q

Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?

A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.

Answer

A

D. Elevation of privilege

Explanation:
D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 14

Q

You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?

A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.

Answer

A

D. Document your decision-making process.

Explanation:
Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 15

Q

You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)

A. Physical
B. Detective
C. Deterrent
D. Preventive

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.

Answer

A

A. Physical
B. Detective
C. Deterrent

Explanation:
A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 16

Q

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.

Answer

A

D. Combination of quantitative and qualitative risk assessment

Explanation:
D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 17

Q

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?

A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.

Answer

A

D. Economic Espionage Act

Explanation:
The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 18

Q

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.

Answer

A

C. Due care

Explanation:
C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.

Question 19

Q

Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?

A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.

Answer

A

C. Protection of intellectual property

Explanation:
The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 20

Q

Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?

A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.

Answer

A

D. There is no standard

Explanation:
Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 21

Q

Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

A. Patent
B. Trade secret
C. Copyright
D. Trademark

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.

Answer

A

A. Patent

Explanation:
Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 22

Q

Which one of the following actions might be taken as part of a business continuity plan?

A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.

Answer

A

B. Implementing RAID

Explanation:
B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 23

Q

When developing a business impact analysis, the team should first create a list of assets. What should happen next?

A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.

Answer

A

C. Develop a value for each asset.

Explanation:
C. After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 24

Q

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.

Answer

A

C. Risk mitigation

Explanation:
C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk avoidance alters business activities to make a risk irrelevant. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 25

Q

Laura has been asked to perform an SCA. What type of organization is she most likely in?

A. Higher education
B. Banking
C. Government
D. Healthcare

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.

Answer

A

C. Government

Explanation:
C. A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 26

Q

Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?

A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 6-7). Wiley. Kindle Edition.

Answer

A

C. Beyond a reasonable doubt

Explanation:
There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 27

Q

The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?

A. Copyright
B. Patent
C. Trade secret
D. Trademark

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.

Answer

A

D. Trademark

Explanation:
Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works. Patents and trade secrets are used to protect inventions and similar intellectual property.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 28

Q

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

A. Availability
B. Confidentiality
C. Disclosure
D. Distributed

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.

Answer

A

A. Availability

Explanation:
A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk. There is also no indication that other systems were involved in a distributed attack.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 29

Q

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?

A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

B. Health and fitness application developer

Explanation:
B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.

Question 30

Q

John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?

A. Availability
B. Integrity
C. Confidentiality
D. Denial

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

A. Availability

Explanation:
A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. Smurf attacks do not target integrity or confidentiality. While this is a denial of service attack, denial is not the correct answer because you are asked which principle is violated, not what type of attack took place. Denial of service attacks target resource availability.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 31

Q

Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?

A. Operational
B. Tactical
C. Summary
D. Strategic

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

D. Strategic

Explanation:
Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business’ objectives.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 32

Q

Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?

A. USPTO
B. Library of Congress
C. NSA
D. NIST

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

A. USPTO

Explanation:
First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the United States Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress administers the copyright program. The National Security Agency (NSA) and the National Institute for Standards and Technology (NIST) play no role in intellectual property protection.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 33

Q

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

B. Separation of duties

Explanation:
When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it. Defense in depth is not the relevant principle here because the answer is seeking an initial control. We may choose to add additional controls at a later date, but the primary objective here would be to implement separation of duties.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 34

Q

Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

A. Banks
B. Defense contractors
C. School districts
D. Hospitals

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

B. Defense contractors

Explanation:
The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 35

Q

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?

A. HIPAA
B. PCI DSS
C. SOX
D. GLBA

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

B. PCI DSS

Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm Leach Bliley Act (GLBA) regulates the handling of personal financial information.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 36

Q

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?

A. Data custodian
B. Data owner
C. User
D. Auditor

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

A. Data custodian

Explanation:
The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 37

Q

Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan’s company’s rights?

A. Trade secret
B. Copyright
C. Trademark
D. Patent

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

B. Copyright

Explanation:
Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions, and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 38

Q

Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?

A. United States Code
B. Supreme Court rulings
C. Code of Federal Regulations
D. Compendium of Laws

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

C. Code of Federal Regulations

Explanation:
The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.

Question 39

Q

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

A. Impact
B. RPO
C. MTO
D. Likelihood

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 9-10). Wiley. Kindle Edition.

Answer

A

D. Likelihood

Explanation:
D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO) or the maximum tolerable outage (MTO).

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 315-316). Wiley. Kindle Edition.

Question 40

Q

Which one of the following individuals would be the most effective organizational owner for an information security program?

A. CISSP-certified analyst
B. Chief information officer (CIO)
C. Manager of network security
D. President and CEO

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

B. Chief information officer (CIO)

Explanation:
The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 41

Q

What important function do senior managers normally fill on a business continuity planning team?

A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

A. Arbitrating disputes about criticality

Explanation:
Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 42

Q

You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

A. SOC 1
B. FISMA
C. PCI DSS
D. SOC 2

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

D. SOC 2

Explanation:
The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 43

Q

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

A. Repudiation
B. Information disclosure
C. Tampering
D. Elevation of privilege

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

A. Repudiation

Explanation:
A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently. There is no evidence that the attacker engaged in information disclosure, tampering, or elevation of privilege.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 44

Q

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?

A. Integrity
B. Availability
C. Confidentiality
D. Denial

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

A. Integrity

Explanation:
A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information. There is no evidence of an attack against availability or confidentiality. Denial is an objective of attackers, rather than of security professionals and is not relevant in this scenario that targets integrity.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 45

Q

Which one of the following issues is not normally addressed in a service-level agreement (SLA)?

A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

A. Confidentiality of customer information

Explanation:
SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 46

Q

Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?

A. Trademark
B. Copyright
C. Patent
D. Trade secret

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

A. Trademark

Explanation:
Trademarks protect words and images that represent a product or service and would not protect computer software.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 47

Q

For questions 47–49, please refer to the following scenario: Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

Users in the two offices would like to access each other’s file servers over the internet. What control would provide confidentiality for those communications?

A. Digital signatures
B. Virtual private network
C. Virtual LAN
D. Digital content management

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

B. Virtual private network

Explanation:
Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office’s server over the internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 48

Q

You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers?

A. Server clustering
B. Load balancing
C. RAID Scheduled
D. backups

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

C. RAID Scheduled

Explanation:
C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 49

Q

Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?

A. Hashing
B. ACLs
C. Read-only attributes
D. Firewalls

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

A. Hashing

Explanation:
Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.

Question 50

Q

Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process?

A. An exit interview
B. Recovery of property
C. Account termination
D. Signing an NDA

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

D. Signing an NDA

Explanation:

Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process. During the exit interview, the team may choose to review employment agreements and policies that remain in force, such as a noncompete or nondisclosure agreement.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 51

Q

Frances is reviewing her organization’s business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation?

A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

A. Statement of accounts

Explanation:
Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 52

Q

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

D. Mandatory vacation

Explanation:
Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 53

Q

Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?

A. CMM
B. SW-CMM
C. RMM
D. COBIT

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

C. RMM

Explanation:
The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Jeff could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 54

Q

Chris’ organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?

A. Confidentiality
B. Integrity
C. Availability
D. Denial

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 12-13). Wiley. Kindle Edition.

Answer

A

C. Availability

Explanation:
C. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 55

Q

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?

A. Policy
B. Baseline
C. Guideline
D. Procedure

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

B. Baseline

Explanation:
Baselines provide the minimum level of security that every system throughout the organization must meet. This type of information would not appear in a policy, guideline, or procedure.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 56

Q

Who should receive initial business continuity plan training in an organization?

A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

C. Everyone in the organization

Explanation:
C. Everyone in the organization should receive basic training on the nature and scope of the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 57

Q

James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

A. Purchase cost
B. Depreciated cost
C. Replacement cost
D. Opportunity cost

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

C. Replacement cost

Explanation:
If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 58

Q

Roger’s organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?

A. FBI
B. Local Law Enforcement
C. Bank
D. PCI SSC

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

C. Bank

Explanation:
PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC), but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant, but they do not have the authority to enforce PCI DSS requirements.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 59

Q

Rick recently engaged critical employees in each of his organization’s business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship?

A. Security champion
B. Security expert
C. Gamification
D. Peer Review

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 13-14). Wiley. Kindle Edition.

Answer

A

A. Security champion

Explanation:
This is an example of a security champion program that uses individuals employed in other roles in a business unit to share security messaging. The individuals in these roles are not necessarily security experts and do not have a peer review role.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 317). Wiley. Kindle Edition.

Question 60

Q

Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer.
What information security principle is the keylogger most likely designed to disrupt?

A. Confidentiality
B. Integrity
C. Availability
D. Denial

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

Answer

A

A. Confidentiality

Explanation:
Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Question 61

Q

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

Answer

A

B. Handling information in the same manner the organization would

Explanation:
The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor’s security controls meet the organization’s own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor’s policy may be weaker than the organization’s own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Question 62

Q

The following graphic shows the NIST risk management framework with step 4 missing. What is the missing step? Assess security controls. Determine control gaps. Remediate control gaps. Evaluate user activity.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 14-15). Wiley. Kindle Edition.

Question 63

Q

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

Answer

A

D. Risk avoidance

Explanation:
HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk mitigation takes measures to reduce the likelihood and/or impact of a risk. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Question 64

Q

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?

A. Availability
B. Denial
C. Confidentiality
D. Integrity

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

Answer

A

C. Confidentiality

Explanation:
Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 64

A

A. List of individuals who should be notified of an emergency incident

Explanation:
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 65

A

B. Chief executive officer

Explanation:
Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 66

A

D. Documentation of the plan

Explanation:
D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 67

A

D. Availability

Explanation:
Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 68

A

A. Cold site

Explanation:
A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations. Warm sites, hot sites, and mobile sites would all include hardware.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 69

A

B. The breach laws of states they do business in.

Explanation:
In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state’s residents.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 318). Wiley. Kindle Edition.

Answer 70

A

B. ISO 27002

Explanation:
ISO 27002 is an international standard focused on information security and titled “Information technology—Security techniques—Code of practice for information security management.” The Information Technology Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 71

A

B. CALEA

Explanation:
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 72

A

B. GLBA

Explanation:
The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 73

A

C. NDA

Explanation:
Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 74

A

B. Disclose breaches of privacy, trust, and ethics.

Explanation:
The (ISC)2 Code of Ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 75

A

C. CEO

Explanation:
While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 76

A

D. Nonrepudiation

Explanation:
Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 77

A

C. Defense in depth

Explanation:
Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure. Least privilege ensures that an individual only has the minimum set of permissions necessary to carry out their assigned job functions and does not require overlapping controls. Separation of duties requires that one person not have permission to perform two separate actions that, when combined, carry out a sensitive function. Security through obscurity attempts to hide the details of security controls to add security to them. Neither separation of duties nor security through obscurity involve overlapping controls.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 78

A

A. (ISC)2 Code of Ethics
B. Organizational code of ethics

Explanation:
All (ISC)2 certified professionals are required to comply with the (ISC)2 Code of Ethics. All employees of an organization are required to comply with the organization’s code of ethics. The federal code of ethics (or, more formally, the Code of Ethics for Government Service) would not apply to a nonprofit organization, as it only applies to federal employees. RFC 1087 does provide a code of ethics for the internet, but it is not binding on any individual.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 79

A

B. Encrypting the database contents

Explanation:
Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 319). Wiley. Kindle Edition.

Answer 80

A

A. I

Explanation:
A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 319-320). Wiley. Kindle Edition.

Answer 81

A

D. Revoking electronic access rights

Explanation:
Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action.
On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.