Dec 226 Flashcards
To learn
- Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?a. 13b. 15c. 17d. 18
A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
- John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organization is the victim of a Smurf attack. What principle of information security is being violated?
a. Availability
b. Integrity
c. Confidentiality
d. Denial
A. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.
- What is the formula used to determine risk?a. Risk = Threat * Vulnerabilityb. Risk = Threat / Vulnerabilityc. Risk = Asset * Threatd. Risk = Asset / Threat
A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.
- Which one of the following control categories does not accurately describe a fence around a facility?a. Physicalb. Detectivec. Deterrentd. Preventive
B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
- Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown in the following illustration. What tool is he using?## FootnoteImage reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.a. Vulnerability assessmentb. Fuzzingc. Reduction analsisd. Data modeling
C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls
- What law governs the handling of information related to the financial statements of publicly traded companies?a. GLBAb. PCI DSSc. HIPAAd. SOX
D. The Sarbanes-Oxley Act (SOX) governs the financial reporting of publicly traded companies and includes requirements for security controls that ensure the integrity of that information.
- Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?a. Integrityb. Availabilityc. Confidentialityd. Denial
A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.
- Which one of the following components should be included in an organization’s emergency response guidelines?a. List of individuals who should be notified of an emergency incidentb. Long-term business continuity protocolsc. Activation procedures for the organization’s cold sitesd. Contact information for ordering equipment
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
- Which one of the following is an example of an administrative control?a. Intrusion detection systemb. Security awareness trainingc. Firewallsd. Security guards
B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.
9,. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?a. Department of Defenseb. Department of the Treasuryc. State Departmentd. Department of Commerce
D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.
- Which one of the following is not normally included in business continuity plan documentation?a. Statement of accountsb. Statement of importancec. Statement of prioritiesd. Statement of organizational responsibility
A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
- Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?a. Purchasing insuranceb. Encrypting the database contentsc. Removing the datad. Objecting to the exception
B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
- Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?a. Storage of information by a customer on a provider’s serverb. Caching of information by the providerc. Transmission of information over the provider’s network by a customerd. Caching of information in a provider search engine
C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
- Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?a. Trademarkb. Copyrightc. Patentd. Trade secret
A. Trademarks protect words and images that represent a product or service and would not protect computer software.
- Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?## Footnotea. Availabilityb. Confidentialityc. Disclosured. Distributed
A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack.
81 The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown below. Which quadrant contains the risks that require the most immediate attention?a. Ib. IIc. IIId. IV
A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.
- Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?a. Risk avoidanceb. Risk mitigationc. Risk transferenced. Risk acceptance
D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.
- FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?a. Noticeb. Choicec. Onward Transferd. Enforcement
A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.
- Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?a. ITILb. ISO 27002c. CMMd. PMBOK Guide
B. ISO 27002 is an international standard focused on information security and titled “Information technology – Security techniques – Code of practice for information security management.” The IT Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
- Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?a. Authenticationb. Authorizationc. Integrityd. Nonrepudiation
D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
- Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?a. Awarenessb. Trainingc. Educationd. Indoctrination
B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.
- Which one of the following issues is not normally addressed in a service-level agreement (SLA)?a. Confidentiality of customer informationb. Failover timec. Uptimed. Maximum consecutive downtime
A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a non-disclosure agreement (NDA).
- Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?a. Memory chipsb. Office productivity applicationsc. Hard drivesd. Encryption software
D. The export of encryption software to certain countries is regulated under US export control laws.
- Who should receive initial business continuity plan training in an organization?a. Senior executivesb. Those with specific business continuity rolesc. Everyone in the organizationd. First responders
C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.
- Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map below from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.a. New Yorkb. North Carolinac. Indianad. Florida
D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.
- Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?a. Quantitativeb. Qualitativec. Annualized loss expectancyd. Reduction
B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
- Robert is responsible for securing systems used to process credit card information. What standard should guide his actions?a. HIPAAb. PCI DSSc. SOXd. GLBA
B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.
- The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?a. Mandatory vacationb. Separation of dutiesc. Defense in depthd. Job rotation
B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
- Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?a. FISMAb. PCI DSSc. HIPAAd. GISRA
A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
- What important function do senior managers normally fill on a business continuity planning team?a. Arbitrating disputes about criticalityb. Evaluating the legal environmentc. Training staffd. Designing failure controls
A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
- When developing a business impact analysis, the team should first create a list of assets. What should happen next?a. Identify vulnerabilities in each asset.b. Determine the risks facing the asset.c. Develop a value for each asset.d. Identify threats facing each asset
C. After developing a list of assets, the business impact analysis team should assign values to each asset.
- Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions?a. Healthcare providerb. Health and fitness application developerc. Health information clearinghoused. Health insurance plan
B. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.
- Tom is installing a next-generation firewall (NGFW) in his data center that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower?a. Impactb. RPOc. MTOd. Likelihood
D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
- Which one of the following is not a requirement for an invention to be patentable?a, It must be new.b. It must be invented by an American citizen.c. It must be nonobvious.d. It must be useful.
B. There is no requirement that patents be for inventions made by American citizens. Patentable inventions must, on the other hand, be new, nonobvious, and useful.
- Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?a. Cold siteb. Warm sitec. Hot sited. Mobile site
A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.
- You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?a. Implement new security controls to reduce the risk level.b. Design a disaster recovery plan.c. Repeat the business impact assessment.d. Document your decision-making process.
D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
- Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?a. Trainingb. Educationc. Indoctrinationd. Awareness
D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
- What law serves as the basis for privacy rights in the United States?a. Privacy Act of 1974b. Fourth Amendmentc. First Amendmentd. Electronic Communications Privacy Act of 1986
B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded the interpretation of the Fourth Amendment to include protections against other invasions of privacy.
- Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown below, and determines that the area he is considering lies within a 100-year flood plain.## FootnoteWhat is the ARO of a flood in this area?a. 100b. 1c. 0.1d. 0.01
D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.
- Which one of the following is not one of the three common threat modeling techniques?a. Focused on assetsb. Focused on attackersc. Focused on softwared. Focused on social engineering
D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.