Domain 1: Review Questions Flashcards

The Security and Risk Management domain encompasses many of the foundational elements of security solutions.

1
Q

Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?

A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website

A

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.

2
Q

Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded

A

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services are a common component of secured systems, which can provide support for accounting, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.

3
Q

Jamie recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?

A. Identification
B. Availability
C. Encryption
D. Layering

A

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.

Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plaintext into ciphertext. Layering is the use of multiple security mechanisms in series.

4
Q

Emma is concerned that the recent breach of personal health information in a large healthcare corporation may affect her, but she has not yet been notified by the company that was breached. Emma, a resident of the state of Alabama, is researching the various laws under which she should be legally notified of the breach. Which of the following relevant laws or regulations dictates the timeframe under which she should be notified of the data breach of her PHI?

A. California Consumer Privacy Act (CCPA)
B. Health Information Technology for Economic and Clinical Health (HI-TECH) Act
C. General Data Protection Regulation (GDPR)
D. Federal Information Security Management Act (FISMA)

A

B. Emma should be notified of the breach under the Health Information Technology for Economic and Clinical Health (HI-TECH) Act, which expands HIPAA regulations to include breach notification. As a resident of the state of Alabama, neither the California Consumer Privacy Act (CCPA), which protects residents of the state of California, nor the General Data Protection Regulation (GDPR), which protects citizens of the European Union, applies to her. FISMA is a federal regulation requiring government agencies to manage risk and implement security controls.

5
Q

You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it with the goals, mission, and objectives of the organization. What are you being asked to create?

A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan

A

C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it with the goals, mission, and objectives of the organization.

The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.

6
Q

Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)

A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve a sufficient return on investment (ROI)

A

A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve a sufficient return on investment (ROI). Increased worker compliance is not a risk, but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.

7
Q

Which security control framework is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information?

A. ITIL
B. ISO 27000
C. PCI DSS
D. CSF

A

C. Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information.

The other options are incorrect. Information Technology Infrastructure Library (ITIL) was initially crafted by the British government for domestic use but is now an international standard. It is a set of recommended best practices for core IT security and operational processes and is often used as a starting point for crafting a customized IT security solution. ISO 27000 is a family of international security standards that can be the basis for implementing organizational security and related management practices. NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It prescribes operational activities that are to be performed on an ongoing basis to support and improve security over time.

8
Q

Which is the opposite of disclosure?

A. Integrity
B. Availability
C. Confidentiality
D. Authorization

A

C. The opposite of disclosure is confidentiality. The opposite of corruption is integrity. The opposite of destruction is availability. The opposite of disapproval is authorization.

9
Q

Which of the following controls is an administrative control?

A. Security policy
B. CCTV
C. Data backups
D. Locks

A

A. A security policy is an administrative control. CCTV and locks are physical controls. Data backups are a technical control.

10
Q

What is a vulnerability?

A. The entity that carries out a threat
B. The exposure of an organizational asset to losses
C. An absence or a system weakness that can be exploited
D. A control that reduces risk

A

C. A vulnerability is the absence of a countermeasure, or a weakness in a countermeasure that is in place. A threat occurs when a vulnerability is identified or exploited. A threat agent is the entity that carries out a threat. Exposure occurs when an organizational asset is exposed to losses. A countermeasure or safeguard is a control that reduces risk.

11
Q

Which framework uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?

A. Six Sigma
B. SABSA
C. ITIL
D. ISO/IEC 27000 series

A

B. SABSA uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). Six Sigma is a process improvement standard that includes two project methodologies that were inspired by Deming’s Plan–Do–Check–Act cycle. ITIL is a process management development standard that has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. The ISO/IEC 27000 Series includes a list of standards, each of which addresses a particular aspect of information security management.

12
Q

Which group of threat agents includes hardware and software failure, malicious code, and new technologies?

A. Human
B. Natural
C. Environmental
D. Technical

A

D. Technical threat agents include hardware and software failure, malicious code, and new technologies.

Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

13
Q

Which term indicates the monetary impact of each threat occurrence?

A. Annual Rate of Occurrence (ARO)
B. Annual Loss Expectancy (ALE)
C. Exposure Factor (EF)
D. Single Loss Expectancy (SLE)

A

D. Single loss expectancy (SLE) indicates the monetary impact of each threat occurrence.

Annualized rate of occurrence (ARO) is the estimate of how often a given threat might occur annually. Annual loss expectancy (ALE) is the expected risk factor of an annual threat event. Exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.

14
Q

What is risk avoidance?

A. Risk that is left over after safeguards have been implemented
B. Terminating the activity that causes a risk or choosing an alternative that is not as risky
C. Passing the risk on to a third party
D. Defining the acceptable risk level the organization can tolerate and reducing the risk to that level

A

B. Risk avoidance is terminating the activity that causes a risk or choosing an alternative that is not as risky.

Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

15
Q

Which of the following security policies provides instruction on acceptable and unacceptable activities?

A. Informative security policies
B. Regulatory security policies
C. System-specific security policies
D. Advisory security policies

A

D. Advisory security policies provide instruction on acceptable and unacceptable activities. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

16
Q

Which organization role determines the classification level of the information to protect the data for which that role is responsible?

A. Data owner
B. Data custodian
C. Security administrator
D. Security analyst

A

A. The data owner determines the classification level of the information to protect the data for which that role is responsible.

The data custodian implements the information classification and controls after they are determined. The security administrator maintains security devices and software. The security analyst analyzes the security needs of the organization and develops the internal information security governance documents.

17
Q

Which type of crime occurs when a computer is used as a tool to help commit a crime?

A. Computer-assisted crime
B. Incidental computer crime
C. Computer-targeted crime
D. Computer prevalence crime

A

A. A computer-assisted crime occurs when a computer is used as a tool to help commit a crime.

An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack in which the sole purpose is to harm the computer and its owner. A computer prevalence crime occurs due to the fact that computers are so widely used in today’s world.

18
Q

Which access control type reduces the effect of an attack or another undesirable event?

A. Compensative control
B. Preventive control
C. Detective control
D. Corrective control

A

D. A corrective control reduces the effect of an attack or other undesirable event.

A compensative control substitutes for a primary access control and mainly acts as mitigation to risks. A preventive control prevents an attack from occurring. A detective control detects an attack while it is occurring to alert appropriate personnel.

19
Q

What is the first stage of the security program life cycle?

A. Plan and Organize
B. Implement
C. Operate and Maintain
D. Monitor and Evaluate

A

A. Plan and Organize

The four stages of the security program life cycle, in order, are as follows:

  1. Plan and Organize
  2. Implement
  3. Operate and Maintain
  4. Monitor and Evaluate

20
Q

Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on)?

A. SABSA
B. Zachman Framework
C. TOGAF
D. ITIL

A

B. The Zachman Framework is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.

21
Q

Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies?

A. Data protection officer (DPO)
B. Chief financial officer (CFO)
C. Chief security officer (CSO)
D. Chief information officer (CIO)

A

C. The chief security officer (CSO) is the officer who leads any security effort and reports directly to the chief executive officer (CEO).

The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the chief information officer (CIO). The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. The CFO reports directly to the CEO and must also provide financial data for the shareholders and government entities. The CIO is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO.

22
Q

Which of the following do organizations have employees sign to protect trade secrets?

A. Trademark
B. Patent
C. Digital Rights Management (DRM)
D. Nondisclosure agreement (NDA)

A

D. Most organizations that have trade secrets attempt to protect these secrets using nondisclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret.

A trademark is an intellectual property type that ensures that the symbol, sound, or expression that identifies a product or an organization is protected from being used by another. A patent is an intellectual property type that covers an invention described in a patent application and is granted to an individual or company. Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device controls.

23
Q

Which access control type is an acceptable use policy (AUP) most likely considered?

A. Corrective
B. Detective
C. Compensative
D. Directive

A

D. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow.

Corrective controls are in place to reduce the effect of an attack or other undesirable event. Examples of corrective controls include installing fire extinguishers and implementing new firewall rules.

Detective controls are in place to detect an attack while it is occurring to alert appropriate personnel. Examples of detective controls include motion detectors, IDSs, or guards.

Compensative controls are in place to substitute for a primary access control and mainly act as a mitigation to risks. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys owned by different personnel to open a safety deposit box.

24
Q

What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches?

A. Due care
B. Due diligence
C. Default security posture
D. Qualitative risk analysis

A

A. Due care is a legal term that is used when an organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches.

Due diligence is a legal term that is used when an organization investigated all vulnerabilities. The default security posture is the access stance the organization applies when no explicit rule covers a request. An allow-by-default security posture permits access to any data unless a need exists to restrict access. A deny-by-default security posture is much stricter because it denies any access that is not explicitly permitted. Qualitative risk analysis is a method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.

25
Q

Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities?

A. Application-centric
B. Asset-centric
C. Attacker-centric
D. Hostile-centric

A

C. Attacker-centric threat modeling profiles an attacker’s characteristics, skills, and motivation to exploit vulnerabilities.

Application-centric threat modeling uses application architecture diagrams to analyze threats. Asset-centric threat modeling uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked. Hostile describes one of two threat actor categories: nonhostile and hostile.

26
Q

Which of the following is not a consideration for security professionals during mergers and acquisitions?

A. New data types
B. New technology types
C. Cost of the merger or acquisition
D. The other organization’s security awareness training program

A

C. A security professional should not be concerned with the cost of a merger or an acquisition. A security professional should be concerned only with issues that affect security and leave financial issues to financial officers.

27
Q

What is the first step of CRAMM (CCTA Risk Analysis and Management Method)?

A. Identify threats and vulnerabilities.
B. Identify and value assets.
C. Identify countermeasures.
D. Prioritize countermeasures.

A

B. Identify and value assets.

CRAMM review includes three steps:

  1. Identify and value assets.
  2. Identify threats and vulnerabilities and calculate risks.
  3. Identify and prioritize countermeasures.

28
Q

Which of the following is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics?

A. Auditing
B. Accounting
C. Non-repudiation
D. Abstraction

A

D. Abstraction is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics.

Auditing is the process of providing a manual or systematic measurable technical assessment of a system or application. Accounting is the process whereby auditing results are used to hold users and organizations accountable for their actions or inaction. Non-repudiation is the assurance that a user cannot deny an action.

29
Q

Which specific plan focuses on restoring an organization’s mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations?

A. Continuity of operations plan
B. Business continuity plan
C. Crisis communications plan
D. Cyber incident response plan

A

A. A continuity of operations plan (COOP) is a plan that focuses on restoring an organization’s mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations.

A business continuity plan (BCP) is a plan that focuses on sustaining an organization’s mission/business processes during and after a disruption. A crisis communications plan is a plan that documents standard procedures for internal and external communications in the event of a disruption. It also provides various formats for communications appropriate to the incident. A cyber incident response plan is a plan that establishes procedures to address cyberattacks against an organization’s information system(s).

30
Q

Which of the following is an information system–focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency?

A. Occupant emergency plan
B. Disaster recovery plan
C. Information system contingency plan
D. Critical infrastructure protection plan

A

B. A disaster recovery plan (DRP) is an information system–focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency.

An occupant emergency plan (OEP) is a plan that outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. An information system contingency plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. A critical infrastructure protection (CIP) plan is a set of policies and procedures that serve to protect and recover assets and mitigate risks and vulnerabilities.

31
Q

Which of the following is a segment of the communication path that an attack uses to access a vulnerability?

A. Breach
B. Threat agent
C. Attack vector
D. Countermeasure

A

C. An attack vector is a segment of the communication path that an attack uses to access a vulnerability.

A breach is an attack that has been successful in reaching its goal. A threat is carried out by a threat agent. Not all threat agents will actually exploit an identified vulnerability. A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls.

32
Q

Which of the following is a six-category threat classification model developed by Microsoft to assess the threats in an application?

A. Visual, Agile, and Simple Threat (VAST)
B. Trike
C. Process for Attack Simulation and Threat Analysis (PASTA)
D. STRIDE (Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)

A

D. Developed by Microsoft, STRIDE is a threat classification model that is used to assess the threats in an application. It covers the following six categories:

  1. Spoofing of user identity
  2. Tampering
  3. Repudiation
  4. Information disclosure (privacy breach or data leak)
  5. Denial of service (DoS)
  6. Elevation of privilege

The Visual, Agile, and Simple Threat (VAST) model was created as a result of the shortcomings in the other models and methodologies. VAST threat modeling scales across the infrastructure and entire development portfolio. Trike is both a methodology and a tool with its basis in a requirements model designed to ensure the level of risk assigned to each asset is classified as acceptable by stakeholders. The Process for Attack Simulation and Threat Analysis (PASTA) methodology provides a seven-step process for analyzing applications to align business objectives and technical requirements. It is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

33
Q

What is the first step of the NIST SP 800-154 draft publication for data-centric system threat modeling?

A. Identify and select the attack vectors to be included in the model.
B. Identify and characterize the system and data of interest.
C. Analyze the threat model.
D. Characterize the security controls for mitigating the attack vectors.

A

B. NIST SP 800-154 is a draft publication for data-centric system threat modeling. It includes the following steps:

  1. Identify and characterize the system and data of interest.
  2. Identify and select the attack vectors to be included in the model.
  3. Characterize the security controls for mitigating the attack vectors.
  4. Analyze the threat model.

Most of the actions within the methodology can be addressed in a wide variety of ways in terms of both content (what information is captured) and format/structure (how that information is captured).

34
Q

What investigation type specifically refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process?

A. Data loss prevention (DLP)
B. Regulatory
C. eDiscovery
D. Operations

A

C. Electronic discovery (eDiscovery) refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) and includes emails, documents, presentations, databases, voicemail, audio and video files, social media, and websites. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. A regulatory investigation occurs when a regulatory body investigates an organization for a regulatory infraction. Operations investigations involve any investigations that do not result in any criminal, civil, or regulatory issue. In most cases, this type of investigation is completed to determine the root cause so that steps can be taken to prevent this incident in the future.

35
Q

What is the second step of the forensic investigations process?

A. Identification
B. Collection
C. Preservation
D. Examination

A

C. The steps of the forensic investigation process are as follows:

  1. Identification
  2. Preservation
  3. Collection
  4. Examination
  5. Analysis
  6. Presentation
  7. Decision