Domain 1 Flashcards
- Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
a. 13
b. 15
c. 17
d. 18
A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
- John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organization is the victim of a Smurf attack. What principle of information security is being violated?
a. Availability
b. Integrity
c. Confidentiality
d. Denial
A. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.
- What is the formula used to determine risk?
a. Risk = Threat * Vulnerability
b. Risk = Threat / Vulnerability
c. Risk = Asset * Threat
d. Risk = Asset / Threat
A. Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.
- Which one of the following control categories does not accurately describe a fence around a facility?
a. Physical
b. Detective
c. Deterrent
d. Preventive
B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
- Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown in the following illustration. What tool is he using?

Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.
a. Vulnerability assessment
b. Fuzzing
c. Reduction analysis
d. Data modeling
C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
- What law governs the handling of information related to the financial statements of publicly traded companies?
a. GLBA
b. PCI DSS
c. HIPAA
d. SOX
D. The Sarbanes-Oxley Act (SOX) governs the financial reporting of publicly traded companies and includes requirements for security controls that ensure the integrity of that information.
- Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
a. Integrity
b. Availability
c. Confidentiality
d. Denial
A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.
- Which one of the following components should be included in an organization’s emergency response guidelines?
a. List of individuals who should be notified of an emergency incident
b. Long-term business continuity protocols
c. Activation procedures for the organization’s cold sites
d. Contact information for ordering equipment
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
- Which one of the following is an example of an administrative control?
a. Intrusion detection system
b. Security awareness training
c. Firewalls
d. Security guards
B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.
- What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?
a. Department of Defense
b. Department of the Treasury
c. State Department
d. Department of Commerce
D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.
- Which one of the following is not normally included in business continuity plan documentation?
a. Statement of accounts
b. Statement of importance
c. Statement of priorities
d. Statement of organizational responsibility
A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
- Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
a. Purchasing insurance
b. Encrypting the database contents
c. Removing the data
d. Objecting to the exception
B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
- Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?
a. Storage of information by a customer on a provider’s server
b. Caching of information by the provider
c. Transmission of information over the provider’s network by a customer
d. Caching of information in a provider search engine
C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
- Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?
a. Trademark
b. Copyright
c. Patent
d. Trade secret
A. Trademarks protect words and images that represent a product or service and would not protect computer software.
- Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

a. Availability
b. Confidentiality
c. Disclosure
d. Distributed
A. The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack.
- The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown below. Which quadrant contains the risks that require the most immediate attention?
a. I
b. II
c. III
d. IV

A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.
- Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?
a. Risk avoidance
b. Risk mitigation
c. Risk transference
d. Risk acceptance
D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.
- FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
a. Notice
b. Choice
c. Onward Transfer
d. Enforcement
A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.
- Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?
a. ITIL
b. ISO 27002
c. CMM
d. PMBOK Guide
B. ISO 27002 is an international standard focused on information security and titled “Information technology – Security techniques – Code of practice for information security management.” The IT Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
- Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
a. Authentication
b. Authorization
c. Integrity
d. Nonrepudiation
D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
- Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
a. Awareness
b. Training
c. Education
d. Indoctrination
B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.
- Which one of the following issues is not normally addressed in a service-level agreement (SLA)?
a. Confidentiality of customer information
b. Failover time
c. Uptime
d. Maximum consecutive downtime
A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a non-disclosure agreement (NDA).
- Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
a. Memory chips
b. Office productivity applications
c. Hard drives
d. Encryption software
D. The export of encryption software to certain countries is regulated under US export control laws.
- Who should receive initial business continuity plan training in an organization?
a. Senior executives
b. Those with specific business continuity roles
c. Everyone in the organization
d. First responders
C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.