CISSP Practice Test Chapter 1 Security and Risk Management (Sybex) Flashcards
Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training
C. Content reviews
Explanation:
Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization’s needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk
B. Residual risk
Explanation:
The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?
A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm-Leach-Bliley Act
C. Digital Millennium Copyright Act
Explanation:
C. The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?
A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability
C. The right to be forgotten
Explanation:
The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject
B. Transfer
Explanation:
B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?
A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number
A. Student identification number
Explanation:
A. Most state data breach notification laws are modeled after California’s data breach notification law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). California’s breach notification law also protects some items not commonly found in other state laws, including medical records and health insurance information. These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.
C. Prudent man rule
Explanation:
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in the United States in 1991.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 312). Wiley. Kindle Edition.
Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?
A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.
B. Any certified or licensed professional may bring charges.
Explanation:
This is a question about who has standing to bring an ethics complaint. The group of individuals who has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may only be brought by a principal with an employer/contractor relationship with the accused.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 312-313). Wiley. Kindle Edition.
Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor
C. Standard contractual clauses
Explanation:
C. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 3). Wiley. Kindle Edition.
A. GLBA
Explanation:
A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 3-4). Wiley. Kindle Edition.
A. FISMA
Explanation:
A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.
D. Encryption software
Explanation:
D. The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are unlikely to be covered by these regulations.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.
D. Elevation of privilege
Explanation:
D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.
D. Document your decision-making process.
Explanation:
Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)
A. Physical
B. Detective
C. Deterrent
D. Preventive
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 4). Wiley. Kindle Edition.
A. Physical
B. Detective
C. Deterrent
Explanation:
A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.
D. Combination of quantitative and qualitative risk assessment
Explanation:
D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.
D. Economic Espionage Act
Explanation:
The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.
C. Due care
Explanation:
C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 313). Wiley. Kindle Edition.
Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.
C. Protection of intellectual property
Explanation:
The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 5). Wiley. Kindle Edition.
D. There is no standard
Explanation:
Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.
A. Patent
Explanation:
Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.
B. Implementing RAID
Explanation:
B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
When developing a business impact analysis, the team should first create a list of assets. What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.
C. Develop a value for each asset.
Explanation:
C. After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.
C. Risk mitigation
Explanation:
C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk avoidance alters business activities to make a risk irrelevant. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Laura has been asked to perform an SCA. What type of organization is she most likely in?
A. Higher education
B. Banking
C. Government
D. Healthcare
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 6). Wiley. Kindle Edition.
C. Government
Explanation:
C. A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?
A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 6-7). Wiley. Kindle Edition.
C. Beyond a reasonable doubt
Explanation:
There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?
A. Copyright
B. Patent
C. Trade secret
D. Trademark
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.
D. Trademark
Explanation:
Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works. Patents and trade secrets are used to protect inventions and similar intellectual property.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.
A. Availability
Explanation:
A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk. There is also no indication that other systems were involved in a distributed attack.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?
A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
B. Health and fitness application developer
Explanation:
B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 314). Wiley. Kindle Edition.
John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
A. Availability
Explanation:
A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. Smurf attacks do not target integrity or confidentiality. While this is a denial-of-service attack, denial is not the correct answer because you are asked which principle is violated, not what type of attack took place. Denial-of-service attacks target resource availability.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?
A. Operational
B. Tactical
C. Summary
D. Strategic
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
D. Strategic
Explanation:
Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business’ objectives.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?
A. USPTO
B. Library of Congress
C. NSA
D. NIST
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
A. USPTO
Explanation:
First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the United States Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress administers the copyright program. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) play no role in intellectual property protection.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.
B. Separation of duties
Explanation:
When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it. Defense in depth is not the relevant principle here because the answer is seeking an initial control. We may choose to add additional controls at a later date, but the primary objective here would be to implement separation of duties.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
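Separation of duties is most effective when the application itself refuses the forbidden combination rather than relying on procedure. The following is an added example (not part of the practice test): a toy accounts-payable ledger in which the user who created a vendor record can neither request nor approve a payment to it, and every payment needs a requester and an approver who are different people. The class, field and user names are constructed for illustration.

```python
"""Added example, not from the practice test: enforce separation of duties
in a toy accounts-payable workflow. The person who created a vendor record
may neither request nor approve a payment to that vendor, and the requester
and approver of any payment must be two different people. Names, roles and
amounts are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    vendor_id: str
    created_by: str  # authenticated identity of whoever created the record


@dataclass
class Ledger:
    vendors: dict = field(default_factory=dict)
    payments: list = field(default_factory=list)

    def create_vendor(self, vendor_id, actor):
        """Record a new vendor and remember who created it."""
        if vendor_id in self.vendors:
            raise ValueError(f"vendor {vendor_id} already exists")
        self.vendors[vendor_id] = Vendor(vendor_id, actor)
        return self.vendors[vendor_id]

    def check_payment(self, vendor_id, requested_by, approved_by):
        """Return None if the payment passes the SoD rules, else the reason it fails."""
        vendor = self.vendors.get(vendor_id)
        if vendor is None:
            return "unknown vendor"
        if requested_by == approved_by:
            return "requester and approver must be different people"
        if vendor.created_by in (requested_by, approved_by):
            return f"{vendor.created_by} created the vendor and may not pay it"
        return None

    def issue_payment(self, vendor_id, amount, requested_by, approved_by):
        """Issue a payment only when the SoD check passes; raise otherwise."""
        reason = self.check_payment(vendor_id, requested_by, approved_by)
        if reason is not None:
            raise PermissionError(reason)
        payment = {
            "vendor": vendor_id,
            "amount": amount,
            "requested_by": requested_by,
            "approved_by": approved_by,
        }
        self.payments.append(payment)
        return payment


if __name__ == "__main__":
    ledger = Ledger()
    ledger.create_vendor("V-100", "alice")
    # alice paying the vendor she created is exactly the fraud the question describes
    print(ledger.check_payment("V-100", "alice", "bob"))
    print(ledger.issue_payment("V-100", 1250.00, "bob", "carol"))
```

The identities passed to `check_payment` must come from the authenticated session on the server, never from a field the client supplies, or the control can be bypassed by naming a different approver in the request.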
Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?
A. Banks
B. Defense contractors
C. School districts
D. Hospitals
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
B. Defense contractors
Explanation:
The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?
A. HIPAA
B. PCI DSS
C. SOX
D. GLBA
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
B. PCI DSS
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information. The Sarbanes-Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm-Leach-Bliley Act (GLBA) regulates the handling of personal financial information.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
A. Data custodian
B. Data owner
C. User
D. Auditor
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
A. Data custodian
Explanation:
The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?
A. United States Code
B. Supreme Court rulings
C. Code of Federal Regulations
D. Compendium of Laws
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.
C. Code of Federal Regulations
Explanation:
The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 315). Wiley. Kindle Edition.
Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?
A. Impact
B. RPO
C. MTO
D. Likelihood
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 9-10). Wiley. Kindle Edition.
D. Likelihood
Explanation:
Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO), or the maximum tolerable outage (MTO).
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (pp. 315-316). Wiley. Kindle Edition.
Which one of the following individuals would be the most effective organizational owner for an information security program?
A. CISSP-certified analyst
B. Chief information officer (CIO)
C. Manager of network security
D. President and CEO
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.
B. Chief information officer (CIO)
Explanation:
The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.
What important function do senior managers normally fill on a business continuity planning team?
A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.
A. Arbitrating disputes about criticality
Explanation:
Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
Chapple, Mike; Seidl, David. (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests (p. 316). Wiley. Kindle Edition.