Domain 1

Question 1

84. Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
    a. 13
    b. 15
    c. 17
    d. 18

Answer 1

A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

Question 2

30. John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organization is the victim of a Smurf attack. What principle of information security is being violated?
    a. Availability
    b. Integrity
    c. Confidentiality
    d. Denial

Answer 2

A. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.

Question 3

61. What is the formula used to determine risk?
    a. Risk = Threat * Vulnerability
    b. Risk = Threat / Vulnerability
    c. Risk = Asset * Threat
    d. Risk = Asset / Threat

Answer 3

A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.

Question 4

15. Which one of the following control categories does not accurately describe a fence around a facility?
    a. Physical
    b. Detective
    c. Deterrent
    d. Preventive

Answer 4

B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

Question 5

87. Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown in the following illustration. What tool is he using?

Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.

a. Vulnerability assessment
b. Fuzzing
c. Reduction analsis
d. Data modeling

Answer 5

C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls

Question 6

88. What law governs the handling of information related to the financial statements of publicly traded companies?
    a. GLBA
    b. PCI DSS
    c. HIPAA
    d. SOX

Answer 6

D. The Sarbanes-Oxley Act (SOX) governs the financial reporting of publicly traded companies and includes requirements for security controls that ensure the integrity of that information.

Question 7

44. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
    a. Integrity
    b. Availability
    c. Confidentiality
    d. Denial

Answer 7

A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.

Question 8

65. Which one of the following components should be included in an organization’s emergency response guidelines?
    a. List of individuals who should be notified of an emergency incident
    b. Long-term business continuity protocols
    c. Activation procedures for the organization’s cold sites
    d. Contact information for ordering equipment

Answer 8

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Question 9

20. Which one of the following is an example of an administrative control?
    a. Intrusion detection system
    b. Security awareness training
    c. Firewalls
    d. Security guards

Answer 9

B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

Question 10

9,. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?

a. Department of Defense
b. Department of the Treasury
c. State Department
d. Department of Commerce

Answer 10

D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.

Question 11

51. Which one of the following is not normally included in business continuity plan documentation?
    a. Statement of accounts
    b. Statement of importance
    c. Statement of priorities
    d. Statement of organizational responsibility

Answer 11

A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

Question 12

80. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
    a. Purchasing insurance
    b. Encrypting the database contents
    c. Removing the data
    d. Objecting to the exception

Answer 12

B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Question 13

3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?
   a. Storage of information by a customer on a provider’s server
   b. Caching of information by the provider
   c. Transmission of information over the provider’s network by a customer
   d. Caching of information in a provider search engine

Answer 13

C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.

Question 14

46. Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?
    a. Trademark
    b. Copyright
    c. Patent
    d. Trade secret

Answer 14

A. Trademarks protect words and images that represent a product or service and would not protect computer software.

Question 15

28. Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

a. Availability
b. Confidentiality
c. Disclosure
d. Distributed

Answer 15

A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack.

Question 16

81 The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown below. Which quadrant contains the risks that require the most immediate attention?

a. I
b. II
c. III
d. IV

Answer 16

A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

Question 17

83. Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?
    a. Risk avoidance
    b. Risk mitigation
    c. Risk transference
    d. Risk acceptance

Answer 17

D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

Question 18

4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
   a. Notice
   b. Choice
   c. Onward Transfer
   d. Enforcement

Answer 18

A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.

Question 19

71. Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?
    a. ITIL
    b. ISO 27002
    c. CMM
    d. PMBOK Guide

Answer 19

B. ISO 27002 is an international standard focused on information security and titled “Information technology – Security techniques – Code of practice for information security management.” The IT Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

Question 20

77. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
    a. Authentication
    b. Authorization
    c. Integrity
    d. Nonrepudiation

Answer 20

D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Question 21

93. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
    a. Awareness
    b. Training
    c. Education
    d. Indoctrination

Answer 21

B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.

Question 22

45. Which one of the following issues is not normally addressed in a service-level agreement (SLA)?
    a. Confidentiality of customer information
    b. Failover time
    c. Uptime
    d. Maximum consecutive downtime

Answer 22

A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a non-disclosure agreement (NDA).

Question 23

12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
    a. Memory chips
    b. Office productivity applications
    c. Hard drives
    d. Encryption software

Answer 23

D. The export of encryption software to certain countries is regulated under US export control laws.

Question 24

56. Who should receive initial business continuity plan training in an organization?
    a. Senior executives
    b. Those with specific business continuity roles
    c. Everyone in the organization
    d. First responders

Answer 24

C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

Question 25

89. Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map below from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?

Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.

a. New York
b. North Carolina
c. Indiana
d. Florida

Answer 25

D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.

Question 26

91. Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
    a. Quantitative
    b. Qualitative
    c. Annualized loss expectancy
    d. Reduction

Answer 26

B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

Question 27

35. Robert is responsible for securing systems used to process credit card information. What standard should guide his actions?
    a. HIPAA
    b. PCI DSS
    c. SOX
    d. GLBA

Answer 27

B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.

Question 28

33. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
    a. Mandatory vacation
    b. Separation of duties
    c. Defense in depth
    d. Job rotation

Answer 28

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

Question 29

11. Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
    a. FISMA
    b. PCI DSS
    c. HIPAA
    d. GISRA

Answer 29

A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

Question 30

41. What important function do senior managers normally fill on a business continuity planning team?
    a. Arbitrating disputes about criticality
    b. Evaluating the legal environment
    c. Training staff
    d. Designing failure controls

Answer 30

A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

Question 31

23. When developing a business impact analysis, the team should first create a list of assets. What should happen next?
    a. Identify vulnerabilities in each asset.
    b. Determine the risks facing the asset.
    c. Develop a value for each asset.
    d. Identify threats facing each asset

Answer 31

C. After developing a list of assets, the business impact analysis team should assign values to each asset.

Question 32

29. Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions?
    a. Healthcare provider
    b. Health and fitness application developer
    c. Health information clearinghouse
    d. Health insurance plan

Answer 32

B. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Question 33

39. Tom is installing a next-generation firewall (NGFW) in his data center that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower?
    a. Impact
    b. RPO
    c. MTO
    d. Likelihood

Answer 33

D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

Question 34

59. Which one of the following is not a requirement for an invention to be patentable?

a, It must be new.

b. It must be invented by an American citizen.
c. It must be nonobvious.
d. It must be useful.

Answer 34

B. There is no requirement that patents be for inventions made by American citizens. Patentable inventions must, on the other hand, be new, nonobvious, and useful.

Question 35

69. Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?
    a. Cold site
    b. Warm site
    c. Hot site
    d. Mobile site

Answer 35

A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations.

Question 36

14. You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?
    a. Implement new security controls to reduce the risk level.
    b. Design a disaster recovery plan.
    c. Repeat the business impact assessment.
    d. Document your decision-making process.

Answer 36

D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

Question 37

94. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
    a. Training
    b. Education
    c. Indoctrination
    d. Awareness

Answer 37

D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.

Question 38

50. What law serves as the basis for privacy rights in the United States?
    a. Privacy Act of 1974
    b. Fourth Amendment
    c. First Amendment
    d. Electronic Communications Privacy Act of 1986

Answer 38

B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. The courts have expanded the interpretation of the Fourth Amendment to include protections against other invasions of privacy.

Question 39

85. Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown below, and determines that the area he is considering lies within a 100-year flood plain.

What is the ARO of a flood in this area?

a. 100
b. 1
c. 0.1
d. 0.01

Answer 39

D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

Question 40

5. Which one of the following is not one of the three common threat modeling techniques?
   a. Focused on assets
   b. Focused on attackers
   c. Focused on software
   d. Focused on social engineering

Answer 40

D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.

Question 41

74. Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?
    a. NCA
    b. SLA
    c. NDA
    d. RTO

Answer 41

C. Non-disclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements (SLAs) specify service uptime and other performance measures. Non-compete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

Question 42

67. Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
    a. Structured analysis of the organization
    b. Review of the legal and regulatory landscape
    c. Creation of a BCP team
    d. Documentation of the plan

Answer 42

D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Question 43

16. Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
    a. Quantitative risk assessment
    b. Qualitative risk assessment
    c. Neither quantitative nor qualitative risk assessment
    d. Combination of quantitative and qualitative risk assessment

Answer 43

D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

Question 44

68. Gary is implementing a new RAID-based disk system designed to keep a server up and running even in the event of a single disk failure. What principle of information security is Gary seeking to enforce?
    a. Denial
    b. Confidentiality
    c. Integrity
    d. Availability

Answer 44

D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

Question 45

18. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?
    a. Due diligence
    b. Separation of duties
    c. Due care
    d. Least privilege

Answer 45

C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Question 46

57. James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?
    a. Purchase cost
    b. Depreciated cost
    c. Replacement cost
    d. Opportunity cost

Answer 46

C. If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

Question 47

63. HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?
    a. Risk mitigation
    b. Risk acceptance
    c. Risk transference
    d. Risk avoidance

Answer 47

D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse.

Question 48

38. Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?
    a. United States Code
    b. Supreme Court rulings
    c. Code of Federal Regulations
    d. Compendium of Laws

Answer 48

C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

Question 49

75. Which one of the following is not an example of a technical control?
    a. Router ACL
    b. Firewall rule
    c. Encryption
    d. Data classification

Answer 49

D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.

Question 50

82. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with Human Resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
    a. Informing other employees of the termination
    b. Retrieval of photo ID
    c. Calculation of final paycheck
    d. Revocation of electronic access rights

Answer 50

D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

Question 51

73. Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?
    a. FERPA
    b. GLBA
    c. HIPAA
    d. HITECH

Answer 51

B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

Question 52

17. What law provides intellectual property protection to the holders of trade secrets?
    a. Copyright Law
    b. Lanham Act
    c. Glass-Steagall Act
    d. Economic Espionage Act

Answer 52

D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.

Question 53

2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
   a. Spoofing
   b. Information disclosure
   c. Repudiation
   d. Tampering

Answer 53

A. Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

Question 54

43. Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?
    a. Repudiation
    b. Information disclosure
    c. Tampering
    d. Elevation of privilege

Answer 54

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently.

Question 55

19. Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?
    a. One
    b. Two
    c. Three
    d. Five

Answer 55

C. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.

Question 56

13. Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model?
    a. Spoofing
    b. Repudiation
    c. Tampering
    d. Elevation of privilege

Answer 56

D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

Question 57

36. Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
    a. Data custodian
    b. Data owner
    c. User
    d. Auditor

Answer 57

A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

Question 58

92. Which one of the following is the first step in developing an organization’s vital records program?
    a. Identifying vital records
    b. Locating vital records
    c. Archiving vital records
    d. Preserving vital records

Answer 58

A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.

Question 59

26. Which one of the following is normally used as an authorization tool?
    a. ACL
    b. Token
    c. Username
    d. Password

Answer 59

A. Access control lists are used for determining a user’s authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.

Question 60

34. Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?
    a. Banks
    b. Defense contractors
    c. School districts
    d. Hospitals

Answer 60

B. The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

Question 61

79. Which one of the following is not a goal of a formal change management program?
    a. Implement change in an orderly fashion.
    b. Test changes prior to implementation.
    c. Provide rollback plans for changes.
    d. Inform stakeholders of changes after they occur.

Answer 61

D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

Question 62

62. The graphic below shows the NIST risk management framework with step 4 missing. What is the missing step?
    a. Assess security controls
    b. Determine control gaps
    c. Remediate control gaps
    d. Evaluate user activity

Answer 62

A. The fourth step of the NIST risk management framework is assessing security controls.

Question 63

52. An accounting employee at Doolitte Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?
    a. Separation of duties
    b. Least privilege
    c. Defense in depth
    d. Mandatory vacation

Answer 63

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will hopefully disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Question 64

95. Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat?
    a. Unpatched web application
    b. Web defacement
    c. Hacker
    d. Operating system

Answer 64

C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

Question 65

78. What principle of information security states that an organization should implement overlapping security controls whenever possible?
    a. Least privilege
    b. Separation of duties
    c. Defense in depth
    d. Security through obscurity

Answer 65

C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

Question 66

10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
    a. GLBA
    b. SOX
    c. HIPAA
    d. FERPA

Answer 66

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.

Question 67

7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
   a. Due diligence rule
   b. Personal liability rule
   c. Prudent man rule
   d. Due process rule

Answer 67

C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in 1991.

Question 68

8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?

a Username

b. PIN
c. Security question
d. Fingerprint scan

Answer 68

D. A fingerprint scan is an example of a “something you are” factor, which would be appropriate for pairing with a “something you know” password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both “something you know,” which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

Question 69

66. Who is the ideal person to approve an organization’s business continuity plan?
    a. Chief information officer
    b. Chief executive officer
    c. Chief information security officer
    d. Chief operating officer

Answer 69

B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

Question 70

86. You discover that a user on your network has been using the Wireshark tool, as shown in the following screen shot. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
    a. Integrity
    b. Denial
    c. Availability
    d. Confidentiality

Answer 70

D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

Question 71

40. Which one of the following individuals would be the most effective organizational owner for an information security program?
    a. CISSP-certified analyst
    b. Chief information officer
    c. Manager of network security
    d. President and CEO

Answer 71

B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.

Question 72

21. Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wishes to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?
    a. Patent
    b. Trade secret
    c. Copyright
    d. Trademark

Answer 72

A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case.

Question 73

72. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?
    a. ECPA
    b. CALEA
    c. Privacy Act
    d. HITECH Act

Answer 73

B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Question 74

Questions 96–98 refer to the following scenario.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

96. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?
    a. 10%
    b. 25%
    c. 50%
    d. 75%

Answer 74

C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.

Question 75

90. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
    a. Password
    b. Retinal scan
    c. Username
    d. Token

Answer 75

C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

Question 76

31. Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. What type of plan is she developing?
    a. Operational
    b. Tactical
    c. Summary
    d. Strategic

Answer 76

D. Strategic plans have a long-term planning horizon of up to five years in most cases. Operational and tactical plans have shorter horizons of a year or less.

Question 77

Questions 96–98 refer to the following scenario.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

97. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?
    a. 0.0025
    b. 0.005
    c. 0.01
    d. 0.015

Answer 77

B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

Question 78

6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?
   a. Student identification number
   b. Social Security number
   c. Driver’s license number
   d. Credit card number

Answer 78

A. Most state data breach notification laws are modeled after California’s law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

Question 79

Questions 96–98 refer to the following scenario.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

98. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?
    a. $25,000
    b. $50,000
    c. $250,000
    d. $500,000

Answer 79

A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

Question 80

Questions 47–49 refer to the following scenario.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the IT team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization’s security.

49. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?
    a. Hashing
    b. ACLs
    c. Read-only attributes
    d. Firewalls

Answer 80

A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Question 81

54. Which information security goal is impacted when an organization experiences a DoS or DDoS attack?
    a. Confidentiality
    b. Integrity
    c. Availability
    d. Denial

Answer 81

C. Denial of service (DoS) and distributed denial of service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Question 82

100. Which one of the following is an administrative control that can protect the confidentiality of information?
     a. Encryption
     b. Non-disclosure agreement
     c. Firewall
     d. Fault tolerance

Answer 82

B. Non-disclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

Question 83

37. Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan’s company’s rights?
    a. Trade secret
    b. Copyright
    c. Trademark
    d. Patent

Answer 83

B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

Question 84

53. Which one of the following is not normally considered a business continuity task?
    a. Business impact assessment
    b. Emergency response guidelines
    c. Electronic vaulting
    d. Vital records program

Answer 84

C. Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.

Question 85

22. Which one of the following actions might be taken as part of a business continuity plan?
    a. Restoring from backup tapes
    b. Implementing RAID
    c. Relocating to a cold site
    d. Restarting business operations

Answer 85

B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Question 86

Questions 47–49 refer to the following scenario.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the IT team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization’s security.

47. Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?
    a. Digital signatures
    b. Virtual private network
    c. Virtual LAN
    d. Digital content management

Answer 86

B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office’s server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Question 87

42. You are the CISO for a major hospital system and are preparing to sign a contract with a Software-as-a-Service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?
    a. SOC-1
    b. FISMA
    c. PCI DSS
    d. SOC-2

Answer 87

D. The Service Organizations Control audit program includes business continuity controls in a Type 2, but not Type 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Question 88

64. Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?
    a. Availability
    b. Denial
    c. Confidentiality
    d. Integrity

Answer 88

C. Confidentiality controls prevent the disclosure of sensitive information to unautho-rized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

Question 89

25. Which one of the following is an example of physical infrastructure hardening?
    a. Antivirus software
    b. Hardware-based network firewall
    c. Two-factor authentication
    d. Fire suppression system

Answer 89

D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

Question 90

1. What is the final step of a quantitative risk analysis?
   a. Determine asset value.
   b. Assess the annualized rate of occurrence.
   c. Derive the annualized loss expectancy.
   d. Conduct a cost/benefit analysis.

Answer 90

D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement proposed countermeasure(s).

Question 91

55. Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?
    a. Policy
    b. Baseline
    c. Guideline
    d. Procedure

Answer 91

B. Baselines provide the minimum level of security that every system throughout the organization must meet.

Question 92

60. Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?
    a. Confidentiality
    b. Integrity
    c. Availability
    d. Denial

Answer 92

A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Question 93

58. The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. What agency did the act give this responsibility to?
    a. National Security Agency
    b. Federal Communications Commission
    c. Department of Defense
    d. National Institute of Standards and Technology

Answer 93

D. The Computer Security Act of 1987 gave the National Institute of Standards and Technology (NIST) responsibility for developing standards and guidelines for federal computer systems. For this purpose, NIST draws upon the technical advice and assistance of the National Security Agency where appropriate.

Question 94

70. What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act?
    a. $500
    b. $2,500
    c. $5,000
    d. $10,000

Answer 94

C. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.

Question 95

99. John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
    a. Spoofing
    b. Repudiation
    c. Information disclosure
    d. Elevation of privilege

Answer 95

C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.

Question 96

27. The International Information Systems Security Certification Consortium uses the logo below to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?
    a. Copyright
    b. Patent
    c. Trade secret
    d. Trademark

Answer 96

D. Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace.

Question 97

24. Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
    a. Risk acceptance
    b. Risk avoidance
    c. Risk mitigation
    d. Risk transference

Answer 97

C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

Question 98

76. Which one of the following stakeholders is not typically included on a business continuity planning team?
    a. Core business function leaders
    b. Information technology staff
    c. CEO
    d. Support departments

Answer 98

C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Question 99

32. What government agency is responsible for the evaluation and registration of trademarks?
    a. USPTO
    b. Library of Congress
    c. TVA
    d. NIST

Answer 99

A. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.

Question 100

Questions 47–49 refer to the following scenario.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the IT team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization’s security.

48. You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?
    a. Server clustering
    b. Load balancing
    c. RAID
    d. Scheduled backups

Answer 100

C. Redundant Array of Inexpensive Disks (RAID) uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.