Domain 1 - Security and Risk Management Flashcards

1
Q

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training

A

C. Content reviews

Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization’s needs and is up-to-date based upon the evolving risk landscape.
She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

2
Q

Gavin is creating a report to management on the results of his
most recent risk assessment. In his report, he would like to
identify the remaining level of risk to the organization after
adopting security controls. What term best describes this
current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk

A

B. Residual risk

The residual risk is the level of risk that remains after
controls have been applied to mitigate risks. Inherent risk is the
original risk that existed prior to the controls. Control risk is
new risk introduced by the addition of controls to the
environment. Mitigated risk is the risk that has been addressed
by existing controls.

3
Q

Francine is a security specialist for an online service provider in
the United States. She recently received a claim from a copyright
holder that a user is storing information on her service that
violates the third party’s copyright. What law governs the
actions that Francine must take?
A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm Leach Bliley Act

A

C. Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) sets forth the
requirements for online service providers when handling
copyright complaints received from third parties. The Copyright
Act creates the mechanics for issuing and enforcing copyrights
but does not cover the actions of online service providers. The
Lanham Act regulates the issuance of trademarks to protect
intellectual property. The Gramm-Leach-Bliley Act regulates the
handling of personal financial information.

4
Q

FlyAway Travel has offices in both the European Union (EU)
and the United States and transfers personal information
between those offices regularly. They have recently received a
request from an EU customer requesting that their account be
terminated. Under the General Data Protection Regulation
(GDPR), which requirement for processing personal information
states that individuals may request that their data no longer be
disseminated or processed?
A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability

A

C. The right to be forgotten

The right to be forgotten, also known as the right to erasure,
guarantees the data subject the ability to have their information
removed from processing or use. It may be tied to consent given
for data processing; if a subject revokes consent for processing,
the data controller may need to take additional steps, including
erasure.

5
Q

After conducting a qualitative risk assessment of her
organization, Sally recommends purchasing cybersecurity
breach insurance. What type of risk response behavior is she
recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject

A

B. Transfer

Purchasing insurance is a means of transferring risk. If Sally
had worked to decrease the likelihood of the events occurring,
she would have been using a reduce or risk mitigation strategy,
while simply continuing to function as the organization has
would be an example of an acceptance strategy. Rejection, or
denial of the risk, is not a valid strategy, even though it occurs!

6
Q

Which one of the following elements of information is not
considered personally identifiable information that would
trigger most United States (U.S.) state data breach laws?
A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

A

A. Student identification number

Most state data breach notification laws are modeled after
California’s data breach notification law, which covers Social
Security number, driver’s license number, state identification
card number, credit/debit card numbers, and bank account
numbers (in conjunction with a PIN or password). California’s
breach notification law also protects some items not commonly
found in other state laws, including medical records and health
insurance information. These laws are separate and distinct
from privacy laws, such as the California Consumer Privacy Act
(CCPA), which regulates the handling of personal information
more broadly.

7
Q

Renee is speaking to her board of directors about their
responsibilities to review cybersecurity controls. What rule
requires that senior executives take personal responsibility for
information security matters?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule

A

C. Prudent man rule

The prudent man rule requires that senior executives take
personal responsibility for ensuring the due care that ordinary,
prudent individuals would exercise in the same situation. The
rule originally applied to financial matters, but the Federal
Sentencing Guidelines applied it to information security
matters in the United States in 1991.

8
Q

Henry recently assisted one of his co-workers in preparing for
the CISSP exam. During this process, Henry disclosed
confidential information about the content of the exam, in
violation of Canon IV of the Code of Ethics: “Advance and
protect the profession.” Who may bring ethics charges against
Henry for this violation?
A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.

A

B. Any certified or licensed professional may bring charges.

This is a question about who has standing to bring an ethics
complaint. The group of individuals who has standing differs
based upon the violated canon. In this case, we are examining
Canon IV, which permits any certified or licensed professional
who subscribes to a code of ethics to bring charges. Charges of
violations of Canons I or II may be brought by anyone. Charges
of violations of Canon III may only be brought by a principal
with an employer/contractor relationship with the accused.

9
Q

Wanda is working with one of her organization’s European
Union business partners to facilitate the exchange of customer
information. Wanda’s organization is located in the United
States. What would be the best method for Wanda to use to
ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

A

C. Standard contractual clauses

The European Union provides standard contractual clauses
that may be used to facilitate data transfer. That would be the
best choice in a case where two different companies are sharing
data. If the data were being shared internally within a company,
binding corporate rules would also be an option. The EU/U.S.
Privacy Shield was a safe harbor agreement that would
previously have allowed the transfer but is no longer valid.

10
Q

Yolanda is the chief privacy officer for a financial institution and
is researching privacy requirements related to customer
checking accounts. Which one of the following laws is most
likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA

A

A. GLBA

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions
regulating the privacy of customer financial information. It
applies specifically to financial institutions. The Sarbanes Oxley
(SOX) Act regulates the financial reporting activities of publicly
traded companies. The Health Insurance Portability and
Accountability Act (HIPAA) regulates the handling of protected
health information (PHI). The Family Educational Rights and
Privacy Act (FERPA) regulates the handling of student
educational records.

11
Q

Tim’s organization recently received a contract to conduct
sponsored research as a government contractor. What law now
likely applies to the information systems involved in this
contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

A

A. FISMA

A. The Federal Information Security Management Act (FISMA)
specifically applies to government contractors. The Government
Information Security Reform Act (GISRA) was the precursor to
FISMA and expired in November 2002. HIPAA and PCI DSS
apply to healthcare and credit card information, respectively.

12
Q

Chris is advising travelers from his organization who will be
visiting many different countries overseas. He is concerned
about compliance with export control laws. Which of the
following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

A

D. Encryption software

D. The export of encryption software to certain countries is
regulated under U.S. export control laws. Memory chips, office
productivity applications, and hard drives are unlikely to be
covered by these regulations.

13
Q

Bobbi is investigating a security incident and discovers that an
attacker began with a normal user account but managed to
exploit a system vulnerability to provide that account with
administrative rights. What type of attack took place under the
STRIDE threat model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege

A

D. Elevation of privilege

D. In an elevation of privilege attack, the attacker transforms a
limited user account into an account with greater privileges,
powers, and/or access to the system. Spoofing attacks falsify an
identity, while repudiation attacks attempt to deny
accountability for an action. Tampering attacks attempt to
violate the integrity of information or resources.

14
Q

You are completing your business continuity planning effort and
have decided that you want to accept one of the risks. What
should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.

A

D. Document your decision-making process.

D. Whenever you choose to accept a risk, you should maintain
detailed documentation of the risk acceptance process to satisfy
auditors in the future. This should happen before implementing
security controls, designing a disaster recovery plan, or
repeating the business impact analysis (BIA).

15
Q

You are completing a review of the controls used to protect a
media storage facility in your organization and would like to
properly categorize each control that is currently in place. Which
of the following control categories accurately describe a fence
around a facility? (Select all that apply.)
A. Physical
B. Detective
C. Deterrent
D. Preventive

A

A. Physical
C. Deterrent
D. Preventive

A, C, D. A fence does not have the ability to detect intrusions. It
does, however, have the ability to prevent and deter an
intrusion. Fences are an example of a physical control.

16
Q

Tony is developing a business continuity plan and is having
difficulty prioritizing resources because of the difficulty of
combining information about tangible and intangible assets.
What would be the most effective risk assessment approach for
him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

A

D. Combination of quantitative and qualitative risk assessment

D. Tony would see the best results by combining elements of
quantitative and qualitative risk assessment. Quantitative risk
assessment excels at analyzing financial risk, while qualitative
risk assessment is a good tool for intangible risks. Combining
the two techniques provides a well-rounded risk picture.

17
Q

Vincent believes that a former employee took trade secret
information from his firm and brought it with him to a
competitor. He wants to pursue legal action. Under what law
could he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

A

D. Economic Espionage Act

D. The Economic Espionage Act imposes fines and jail
sentences on anyone found guilty of stealing trade secrets from a
U.S. corporation. It gives true teeth to the intellectual property
rights of trade secret owners. Copyright law does not apply in
this situation because there is no indication that the information
was copyrighted. The Lanham Act applies to trademark
protection cases. The Glass-Steagall Act was a banking reform
act that is not relevant in this situation.

18
Q

Which one of the following principles imposes a standard of care
upon an individual that is broad and equivalent to what one
would expect from a reasonable person under the
circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

A

C. Due care

C. The due care principle states that an individual should react
in a situation using the same level of care that would be expected
from any reasonable person. It is a very broad standard. The due
diligence principle is a more specific component of due care that
states that an individual assigned a responsibility should
exercise due care to complete it accurately and in a timely
manner.

19
Q

Brenda’s organization recently completed the acquisition of a
competitor firm. Which one of the following tasks would be
LEAST likely to be part of the organizational processes
addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies

A

C. Protection of intellectual property

C. The protection of intellectual property is a greater concern
during a divestiture, where a subsidiary is being spun off into a
separate organization, than an acquisition, where one firm has
purchased another. Acquisition concerns include consolidating
security functions and policies as well as integrating security
tools.

20
Q

Kelly believes that an employee engaged in the unauthorized use
of computing resources for a side business. After consulting with
management, she decides to launch an administrative
investigation. What is the burden of proof that she must meet in
this investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard

A

D. There is no standard

D. Unlike criminal or civil cases, administrative investigations
are an internal matter, and there is no set standard of proof that
Kelly must apply. However, it would still be wise for her
organization to include a standard burden of proof in their own
internal procedures to ensure the thoroughness and fairness of
investigations.

21
Q

Keenan Systems recently developed a new manufacturing
process for microprocessors. The company wants to license the
technology to other companies for use but wants to prevent
unauthorized use of the technology. What type of intellectual
property protection is best suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark

A

A. Patent

A. Patents and trade secrets can both protect intellectual
property related to a manufacturing process. Trade secrets are
appropriate only when the details can be tightly controlled
within an organization, so a patent is the appropriate solution in
this case. Copyrights are used to protect creative works, while
trademarks are used to protect names, logos, and symbols.

22
Q

Which one of the following actions might be taken as part of a
business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

B. RAID technology provides fault tolerance for hard drive
failures and is an example of a business continuity action.
Restoring from backup tapes, relocating to a cold site, and
restarting business operations are all disaster recovery actions.

23
Q

When developing a business impact analysis, the team should
first create a list of assets. What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.

A

C. Develop a value for each asset.

C. After developing a list of assets, the business impact analysis
team should assign values to each asset. The other activities
listed here occur only after the assets are assigned values.

24
Q

Mike recently implemented an intrusion prevention system
designed to block common network attacks from affecting his
organization. What type of risk management strategy is Mike
pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

C. Risk mitigation

C. Risk mitigation strategies attempt to lower the probability
and/or impact of a risk occurring. Intrusion prevention systems
attempt to reduce the probability of a successful attack and are,
therefore, examples of risk mitigation. Risk acceptance involves
making a conscious decision to accept a risk as-is with no
further action. Risk avoidance alters business activities to make
a risk irrelevant. Risk transfer shifts the costs of a risk to another
organization, such as an insurance company.

25
Q

Laura has been asked to perform an SCA. What type of
organization is she most likely in?
A. Higher education
B. Banking
C. Government
D. Healthcare

A

C. Government

C. A security controls assessment (SCA) most often refers to a
formal U.S. government process for assessing security controls
and is often paired with a Security Test and Evaluation (ST&E)
process. This means that Laura is probably part of a government
organization or contractor.

26
Q

Carl is a federal agent investigating a computer crime case. He
identified an attacker who engaged in illegal conduct and wants
to pursue a case against that individual that will lead to
imprisonment. What standard of proof must Carl meet?
A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence

A

C. Beyond a reasonable doubt

C. There are two steps to answering this question. First, you
must realize that for the case to lead to imprisonment, it must be
the result of a criminal investigation. Next, you must know that
the standard of proof for a criminal investigation is normally the
beyond a reasonable doubt standard.

27
Q

The International Information Systems Security Certification
Consortium uses its logo to represent itself online
and in a variety of forums. What type of intellectual property
protection may it use to protect its rights in this logo?
A. Copyright
B. Patent
C. Trade secret
D. Trademark

A

D. Trademark

D. Trademark protection extends to words and symbols used to
represent an organization, product, or service in the
marketplace. Copyrights are used to protect creative works.
Patents and trade secrets are used to protect inventions and
similar intellectual property.

28
Q

Mary is helping a computer user who sees the following message
appear on his computer screen. What type of attack has
occurred?
“Your personal files are encrypted!” Ransomware
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed

A

A. Availability

A. The message displayed is an example of ransomware, which
encrypts the contents of a user’s computer to prevent legitimate
use. This is an example of an availability attack. There is no
indication that the data was disclosed to others, so there is no
confidentiality/disclosure risk. There is also no indication that
other systems were involved in a distributed attack.

29
Q

Which one of the following organizations would not be
automatically subject to the privacy and security requirements
of HIPAA if they engage in electronic transactions?
A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan

A

B. Health and fitness application developer

B. A health and fitness application developer would not
necessarily be collecting or processing healthcare data, and the
terms of HIPAA do not apply to this category of business.
HIPAA regulates three types of entities—healthcare providers,
health information clearinghouses, and health insurance plans—
as well as the business associates of any of those covered
entities.

30
Q

John’s network begins to experience symptoms of slowness.
Upon investigation, he realizes that the network is being
bombarded with TCP SYN packets and believes that his
organization is the victim of a denial-of-service attack. What
principle of information security is being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial

A

A. Availability

A. A smurf attack is an example of a denial-of-service attack,
which jeopardizes the availability of a targeted network. Smurf
attacks do not target integrity or confidentiality. While this is a
denial of service attack, denial is not the correct answer because
you are asked which principle is violated, not what type of attack
took place. Denial of service attacks target resource availability.

31
Q

Renee is designing the long-term security plan for her
organization and has a three- to five-year planning horizon. Her
primary goal is to align the security function with the broader
plans and objectives of the business. What type of plan is she
developing?
A. Operational
B. Tactical
C. Summary
D. Strategic

A

D. Strategic

D. Strategic plans have a long-term planning horizon of up to
five years in most cases. They are designed to strategically align
the security function with the business's objectives. Operational
and tactical plans have shorter horizons of a year or less.

32
Q

Gina is working to protect a logo that her company will use for a
new product they are launching. She has questions about the
intellectual property protection process for this logo. What U.S.
government agency would be best able to answer her questions?
A. USPTO
B. Library of Congress
C. NSA
D. NIST

A

A. USPTO

A. First, you must realize that a trademark is the correct
intellectual property protection mechanism for a logo.
Therefore, Gina should contact the United States Patent and
Trademark Office (USPTO), which bears responsibility for the
registration of trademarks. The Library of Congress administers
the copyright program. The National Security Agency (NSA) and
the National Institute for Standards and Technology (NIST) play
no role in intellectual property protection.

33
Q

The Acme Widgets Company is putting new controls in place for
its accounting department. Management is concerned that a
rogue accountant may be able to create a new false vendor and
then issue checks to that vendor as payment for services that
were never rendered. What security control can best help
prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation

A

B. Separation of duties

B. When following the separation of duties principle,
organizations divide critical tasks into discrete components and
ensure that no one individual has the ability to perform both
actions. This prevents a single rogue individual from performing
that task in an unauthorized manner. Mandatory vacations and
job rotations are designed to detect fraud, not prevent it.
Defense in depth is not the relevant principle here because the
answer is seeking an initial control. We may choose to add
additional controls at a later date, but the primary objective here
would be to implement separation of duties.

34
Q

Which one of the following categories of organizations is most
likely to be covered by the provisions of FISMA?
A. Banks
B. Defense contractors
C. School districts
D. Hospitals

A

B. Defense contractors

B. The U.S. Federal Information Security Management Act
(FISMA) applies to federal government agencies and
contractors. Of the entities listed, a defense contractor is the
most likely to have government contracts subject to FISMA.

35
Q

Robert is responsible for securing systems used to process credit
card information. What security control framework should guide
his actions?
A. HIPAA
B. PCI DSS
C. SOX
D. GLBA

A

B. PCI DSS

B. The Payment Card Industry Data Security Standard (PCI
DSS) governs the storage, processing, and transmission of credit
card information. The Sarbanes Oxley (SOX) Act regulates the
financial reporting activities of publicly traded companies. The
Health Insurance Portability and Accountability Act (HIPAA)
regulates the handling of protected health information (PHI).
The Gramm Leach Bliley Act (GLBA) regulates the handling of
personal financial information.

36
Q

Which one of the following individuals is normally responsible
for fulfilling the operational data protection responsibilities
delegated by senior management, such as validating data
integrity, testing backups, and managing security policies?
A. Data custodian
B. Data owner
C. User
D. Auditor

A

A. Data custodian

A. The data custodian role is assigned to an individual who is
responsible for implementing the security controls defined by
policy and senior management. The data owner does bear
ultimate responsibility for these tasks, but the data owner is
typically a senior leader who delegates operational responsibility
to a data custodian.

37
Q

Alan works for an e-commerce company that recently had some
content stolen by another website and republished without
permission. What type of intellectual property protection would
best preserve Alan’s company’s rights?
A. Trade secret
B. Copyright
C. Trademark
D. Patent

A

B. Copyright

B. Written works, such as website content, are normally
protected by copyright law. Trade secret status would not be
appropriate here because the content is online and available
outside the company. Patents protect inventions, and
trademarks protect words and symbols used to represent a
brand, neither of which is relevant in this scenario.

38
Q

Florian receives a flyer from a U.S. federal government agency
announcing that a new administrative law will affect his
business operations. Where should he go to find the text of the
law?
A. United States Code
B. Supreme Court rulings
C. Code of Federal Regulations
D. Compendium of Laws

A

C. Code of Federal Regulations

C. The Code of Federal Regulations (CFR) contains the text of
all administrative laws promulgated by federal agencies. The
United States Code contains criminal and civil law. Supreme
Court rulings contain interpretations of law and are not laws
themselves. The Compendium of Laws does not exist.

39
Q

Tom enables an application firewall provided by his cloud
infrastructure as a service provider that is designed to block
many types of application attacks. When viewed from a risk
management perspective, what metric is Tom attempting to
lower by implementing this countermeasure?
A. Impact
B. RPO
C. MTO
D. Likelihood

A

D. Likelihood

D. Installing a device that will block attacks is an attempt to
lower risk by reducing the likelihood of a successful application
attack. Adding a firewall will not address the impact of a risk,
the recovery point objective (RPO) or the maximum tolerable
outage (MTO).

40
Q

Which one of the following individuals would be the most
effective organizational owner for an information security
program?
A. CISSP-certified analyst
B. Chief information officer (CIO)
C. Manager of network security
D. President and CEO

A

B. Chief information officer (CIO)

B. The owner of information security programs may be different
from the individuals responsible for implementing the controls.
This person should be as senior an individual as possible who is
able to focus on the management of the security program. The
president and CEO would not be an appropriate choice because
an executive at this level is unlikely to have the time necessary to
focus on security. Of the remaining choices, the CIO holds the most
senior position and would be the strongest advocate at the
executive level.

41
Q

What important function do senior managers normally fill on a
business continuity planning team?
A. Arbitrating disputes about criticality
B. Evaluating the legal environment
C. Training staff
D. Designing failure controls

A

A. Arbitrating disputes about criticality

A. Senior managers play several business continuity planning
roles. These include setting priorities, obtaining resources, and
arbitrating disputes among team members.

42
Q

You are the CISO for a major hospital system and are preparing
to sign a contract with a software as a service (SaaS) email
vendor and want to perform a control assessment to ensure that
its business continuity planning measures are reasonable. What
type of audit might you request to meet this goal?
A. SOC 1
B. FISMA
C. PCI DSS
D. SOC 2

A

D. SOC 2

D. The Service Organization Control audit program includes
business continuity controls in a SOC 2, but not SOC 1, audit.
Although FISMA and PCI DSS may audit business continuity,
they would not apply to an email service used by a hospital.

43
Q

Gary is analyzing a security incident and, during his
investigation, encounters a user who denies having performed
an action that Gary believes he did perform. What type of threat
has taken place under the STRIDE model?
A. Repudiation
B. Information disclosure
C. Tampering
D. Elevation of privilege

A

A. Repudiation

A. Repudiation threats allow an attacker to deny having
performed an action or activity without the other party being
able to prove differently. There is no evidence that the attacker
engaged in information disclosure, tampering, or elevation of
privilege.

44
Q

Beth is the security administrator for a public school district.
She is implementing a new student information system and is
testing the code to ensure that students are not able to alter their
own grades. What principle of information security is Beth
enforcing?
A. Integrity
B. Availability
C. Confidentiality
D. Denial

A

A. Integrity

A. Integrity controls, such as the one Beth is implementing in
this example, are designed to prevent the unauthorized
modification of information. There is no evidence of an attack
against availability or confidentiality. Denial is an objective of
attackers, rather than of security professionals, and is not
relevant in this scenario, which targets integrity.

45
Q

Which one of the following issues is not normally addressed in a
service-level agreement (SLA)?
A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime

A

A. Confidentiality of customer information

A. SLAs do not normally address issues of data confidentiality.
Those provisions are normally included in a nondisclosure
agreement (NDA).

46
Q

Joan is seeking to protect a piece of computer software that she
developed under intellectual property law. Which one of the
following avenues of protection would not apply to a piece of
software?
A. Trademark
B. Copyright
C. Patent
D. Trade secret

A

A. Trademark

A. Trademarks protect words and images that represent a
product or service and would not protect computer software.

47
Q

Juniper Content is a web content development company with 40
employees located in two offices: one in New York and a smaller
office in the San Francisco Bay Area. Each office has a local area
network protected by a perimeter firewall. The local area
network (LAN) contains modern switch equipment connected to
both wired and wireless networks.
Each office has its own file server, and the information
technology (IT) team runs software every hour to synchronize
files between the two servers, distributing content between the
offices. These servers are primarily used to store images and
other files related to web content developed by the company.
The team also uses a SaaS-based email and document
collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content,
and you are working to augment existing security controls to
improve the organization’s security.
Users in the two offices would like to access each other’s file
servers over the internet. What control would provide
confidentiality for those communications?
A. Digital signatures
B. Virtual private network
C. Virtual LAN
D. Digital content management

A

B. Virtual private network

B. Virtual private networks (VPNs) provide secure
communications channels over otherwise insecure networks
(such as the internet) using encryption. If you establish a VPN
connection between the two offices, users in one office could
securely access content located on the other office’s server over
the internet. Digital signatures are used to provide
nonrepudiation, not confidentiality. Virtual LANs (VLANs)
provide network segmentation on local networks but do not
cross the internet. Digital content management solutions are
designed to manage web content, not access shared files located
on a file server.

48
Q

Juniper Content is a web content development company with 40
employees located in two offices: one in New York and a smaller
office in the San Francisco Bay Area. Each office has a local area
network protected by a perimeter firewall. The local area
network (LAN) contains modern switch equipment connected to
both wired and wireless networks.
Each office has its own file server, and the information
technology (IT) team runs software every hour to synchronize
files between the two servers, distributing content between the
offices. These servers are primarily used to store images and
other files related to web content developed by the company.
The team also uses a SaaS-based email and document
collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content,
and you are working to augment existing security controls to
improve the organization’s security.
You are also concerned about the availability of data stored on
each office’s server. You would like to add technology that would
enable continued access to files located on the server even if a
hard drive in a server fails. What control allows you to add
robustness without adding additional servers?
A. Server clustering
B. Load balancing
C. RAID
D. Scheduled backups

A

C. RAID

C. RAID uses additional hard drives to protect the server
against the failure of a single device. Load balancing and server
clustering do add robustness but require the addition of a server.
Scheduled backups protect against data loss but do not provide
immediate access to data in the event of a hard drive failure.

49
Q

Juniper Content is a web content development company with 40
employees located in two offices: one in New York and a smaller
office in the San Francisco Bay Area. Each office has a local area
network protected by a perimeter firewall. The local area
network (LAN) contains modern switch equipment connected to
both wired and wireless networks.
Each office has its own file server, and the information
technology (IT) team runs software every hour to synchronize
files between the two servers, distributing content between the
offices. These servers are primarily used to store images and
other files related to web content developed by the company.
The team also uses a SaaS-based email and document
collaboration solution for much of their work.
You are the newly appointed IT manager for Juniper Content,
and you are working to augment existing security controls to
improve the organization’s security.
Finally, there are historical records stored on the server that are
extremely important to the business and should never be
modified. You would like to add an integrity control that allows
you to verify on a periodic basis that the files were not modified.
What control can you add?
A. Hashing
B. ACLs
C. Read-only attributes
D. Firewalls

A

A. Hashing

A. Hashing allows you to computationally verify that a file has
not been modified between hash evaluations. ACLs and read-only
attributes are useful controls that may help you prevent
unauthorized modification, but they cannot verify that files were
not modified. Firewalls are network security controls and do not
verify file integrity.

50
Q

Beth is a human resources specialist preparing to assist in the
termination of an employee. Which of the following is not
typically part of a termination process?
A. An exit interview
B. Recovery of property
C. Account termination
D. Signing an NCA

A

D. Signing an NCA

D. Signing a noncompete or nondisclosure agreement is
typically done at hiring. Exit interviews, recovery of
organizational property, and account termination are all
common elements of a termination process. During the exit
interview, the team may choose to review employment
agreements and policies that remain in force, such as a
noncompete or nondisclosure agreement.

51
Q

Frances is reviewing her organization’s business continuity plan
documentation for completeness. Which one of the following is
not normally included in business continuity plan
documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility

A

A. Statement of accounts

A. Business continuity plan documentation normally includes
the continuity planning goals, a statement of importance,
statement of priorities, statement of organizational
responsibility, statement of urgency and timing, risk assessment
and risk acceptance and mitigation documentation, a vital
records program, emergency response guidelines, and
documentation for maintaining and testing the plan.

52
Q

An accounting employee at Doolittle Industries was recently
arrested for participation in an embezzlement scheme. The
employee transferred money to a personal account and then
shifted funds around between other accounts every day to
disguise the fraud for months. Which one of the following
controls might have best allowed the earlier detection of this
fraud?
A. Separation of duties
B. Least privilege
C. Defense in depth
D. Mandatory vacation

A

D. Mandatory vacation

D. Mandatory vacation programs require that employees take
continuous periods of time off each year and revoke their system
privileges during that time. The purpose of these required
vacation periods is to disrupt the cover-up actions necessary to
hide fraud and thereby expose it. Separation of duties, least
privilege, and defense in depth controls all may help prevent the
fraud in the first place but are unlikely to speed the detection of
fraud that has already occurred.

53
Q

Jeff would like to adopt an industry-standard approach for
assessing the processes his organization uses to manage risk.
What maturity model would be most appropriate for his use?
A. CMM
B. SW-CMM
C. RMM
D. COBIT

A

C. RMM

C. The Risk Maturity Model (RMM) is specifically designed for
the purpose of assessing enterprise risk management programs.
Jeff could conceivably use the more generic capability maturity
model (CMM), but this would not be as good a fit. The
software capability maturity model (SW-CMM) is designed for
assessing development projects, not risk management efforts.
The Control Objectives for Information Technology (COBIT) are
a set of security control objectives and not a maturity model.

54
Q

Chris’ organization recently suffered an attack that rendered
their website inaccessible to paying customers for several hours.
Which information security goal was most directly impacted?
A. Confidentiality
B. Integrity
C. Availability
D. Denial

A

C. Availability

C. Denial-of-service (DoS) attacks and distributed denial-of-service
(DDoS) attacks try to disrupt the availability of
information systems and networks by flooding a victim with
traffic or otherwise disrupting service.

55
Q

Yolanda is writing a document that will provide configuration
information regarding the minimum level of security that every
system in the organization must meet. What type of document is
she preparing?
A. Policy
B. Baseline
C. Guideline
D. Procedure

A

B. Baseline

B. Baselines provide the minimum level of security that every
system throughout the organization must meet. This type of
information would not appear in a policy, guideline, or
procedure.

56
Q

Who should receive initial business continuity plan training in
an organization?
A. Senior executives
B. Those with specific business continuity roles
C. Everyone in the organization
D. First responders

A

C. Everyone in the organization

C. Everyone in the organization should receive basic training on
the nature and scope of the business continuity program. Those
with specific roles, such as first responders and senior
executives, should also receive detailed, role-specific training.

57
Q

James is conducting a risk assessment for his organization and
is attempting to assign an asset value to the servers in his data
center. The organization’s primary concern is ensuring that it
has sufficient funds available to rebuild the data center in the
event it is damaged or destroyed. Which one of the following
asset valuation methods would be most appropriate in this
situation?
A. Purchase cost
B. Depreciated cost
C. Replacement cost
D. Opportunity cost

A

C. Replacement cost

C. If the organization’s primary concern is the cost of rebuilding
the data center, James should use the replacement cost method
to determine the current market price for equivalent servers.

58
Q

Roger’s organization suffered a breach of customer credit card
records. Under the terms of PCI DSS, what organization may
choose to pursue an investigation of this matter?
A. FBI
B. Local law enforcement
C. Bank
D. PCI SSC

A

C. Bank

C. PCI DSS is a standard promulgated by the Payment Card
Industry Security Standards Council (PCI SSC), but is enforced
through contractual relationships between merchants and their
banks. Therefore, the bank would be the appropriate entity to
initiate an investigation under PCI DSS. Local and federal law
enforcement agencies (such as the FBI) could decide to pursue a
criminal investigation if the circumstances warrant, but they do
not have the authority to enforce PCI DSS requirements.

59
Q

Rick recently engaged critical employees in each of his
organization’s business units to ask for their assistance with his
security awareness program. They will be responsible for
sharing security messages with their peers and answering
questions about cybersecurity matters. What term best describes
this relationship?
A. Security champion
B. Security expert
C. Gamification
D. Peer review

A

A. Security champion

A. This is an example of a security champion program that uses
individuals employed in other roles in a business unit to share
security messaging. The individuals in these roles are not
necessarily security experts and do not have a peer review role.

60
Q

Frank discovers a keylogger hidden on the laptop of his
company’s chief executive officer. What information security
principle is the keylogger most likely designed to disrupt?
A. Confidentiality
B. Integrity
C. Availability
D. Denial

A

A. Confidentiality

A. Keyloggers monitor the keystrokes of an individual and
report them back to an attacker. They are designed to steal
sensitive information, a disruption of the goal of confidentiality.

61
Q

Elise is helping her organization prepare to evaluate and adopt a
new cloud-based human resource management (HRM) system
vendor. What would be the most appropriate minimum security
standard for her to require of possible vendors?
A. Compliance with all laws and regulations
B. Handling information in the same manner the organization
would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

A

B. Handling information in the same manner the organization
would

B. The most appropriate standard to use as a baseline when
evaluating vendors is to determine whether the vendor’s security
controls meet the organization’s own standards. Compliance
with laws and regulations should be included in that
requirement and are a necessary, but not sufficient, condition
for working with the vendor. Vendor compliance with their own
policies also fits into the category of necessary, but not
sufficient, controls, as the vendor’s policy may be weaker than
the organization’s own requirements. The elimination of all
identified security risks is an impossible requirement for a
potential vendor to meet.

62
Q

NIST RMF
Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: ???
Step 5: Authorize Information System
Step 6: Monitor Security Controls
What is the missing step?
A. Assess security controls.
B. Determine control gaps.
C. Remediate control gaps.
D. Evaluate user activity.

A

A. Assess security controls.

A. The fourth step of the NIST risk management framework is
assessing security controls. This is an important component of
the process. The organization has already categorized the
system, selected appropriate controls, and implemented those
controls. Before authorizing the use of the system, they must
assess the effectiveness of those controls to ensure that they
meet security requirements.

63
Q

HAL Systems recently decided to stop offering public NTP
services because of a fear that its NTP servers would be used in
amplification DDoS attacks. What type of risk management
strategy did HAL pursue with respect to its NTP services?
A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance

A

D. Risk avoidance

D. HAL Systems decided to stop offering the service because of
the risk. This is an example of a risk avoidance strategy. The
company altered its operations in a manner that eliminates the
risk of NTP misuse. Risk acceptance involves making a
conscious decision to accept a risk as-is with no further action.
Risk mitigation takes measures to reduce the likelihood and/or
impact of a risk. Risk transfer shifts the costs of a risk to another
organization, such as an insurance company.

64
Q

Susan is working with the management team in her company to
classify data in an attempt to apply extra security controls that
will limit the likelihood of a data breach. What principle of
information security is Susan trying to enforce?
A. Availability
B. Denial
C. Confidentiality
D. Integrity

A

C. Confidentiality

C. Confidentiality controls prevent the disclosure of sensitive
information to unauthorized individuals. Limiting the likelihood
of a data breach is an attempt to prevent unauthorized
disclosure.

65
Q

Which one of the following components should be included in
an organization’s emergency response guidelines?
A. List of individuals who should be notified of an emergency
incident
B. Long-term business continuity protocols
C. Activation procedures for the organization’s cold sites
D. Contact information for ordering equipment

A

A. List of individuals who should be notified of an emergency
incident

A. The emergency response guidelines should include the
immediate steps an organization should follow in response to an
emergency situation. These include immediate response
procedures, a list of individuals who should be notified of the
emergency, and secondary response procedures for first
responders. They do not include long-term actions such as
activating business continuity protocols, ordering equipment, or
activating DR sites.

66
Q

Chas recently completed the development of his organization’s
business continuity plan. Who is the ideal person to approve an
organization’s business continuity plan?
A. Chief information officer
B. Chief executive officer
C. Chief information security officer
D. Chief operating officer

A

B. Chief executive officer

B. Although the CEO will not normally serve on a BCP team, it
is best to obtain top-level management approval for your plan to
increase the likelihood of successful adoption.

67
Q

Which one of the following actions is not normally part of the
project scope and planning phase of business continuity
planning?
A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan

A

D. Documentation of the plan

D. The project scope and planning phase includes four actions:
a structured analysis of the organization, the creation of a BCP
team, an assessment of available resources, and an analysis of
the legal and regulatory landscape.

68
Q

Gary is implementing a new website architecture that uses
multiple small web servers behind a load balancer. What
principle of information security is Gary seeking to enforce?
A. Denial
B. Confidentiality
C. Integrity
D. Availability

A

D. Availability

D. Keeping a server up and running is an example of an
availability control because it increases the likelihood that a
server will remain available to answer user requests.

69
Q

Becka recently signed a contract with an alternate data
processing facility that will provide her company with space in
the event of a disaster. The facility includes HVAC, power, and
communications circuits but no hardware. What type of facility
is Becka using?
A. Cold site
B. Warm site
C. Hot site
D. Mobile site

A

A. Cold site

A. A cold site includes the basic capabilities required for data
center operations: space, power, HVAC, and communications,
but it does not include any of the hardware required to restore
operations. Warm sites, hot sites, and mobile sites would all
include hardware.

70
Q

Ben is seeking a control objective framework that is widely
accepted around the world and focuses specifically on
information security controls. Which one of the following
frameworks would best meet his needs?
A. ITIL
B. ISO 27002
C. CMM
D. PMBOK Guide

A

B. ISO 27002

B. ISO 27002 is an international standard focused on
information security and titled “Information technology—
Security techniques—Code of practice for information security
management.” The Information Technology Infrastructure
Library (ITIL) does contain security management practices, but
it is not the sole focus of the document, and the ITIL security
section is derived from ISO 27002. The Capability Maturity
Model (CMM) is focused on software development, and the
Project Management Body of Knowledge (PMBOK) Guide
focuses on project management.

70
Q

Greg’s company recently experienced a significant data breach
involving the personal data of many of their customers. Which
breach laws should they review to ensure that they are taking
appropriate action?
A. The breach laws in the state where they are headquartered.
B. The breach laws of states they do business in.
C. Only federal breach laws.
D. Breach laws only cover government agencies, not private
businesses.

A

B. The breach laws of states they do business in.

B. In general, companies should be aware of the breach laws in
any location where they do business. U.S. states have a diverse
collection of breach laws and requirements, meaning that in this
case, Greg’s company may need to review many different breach
laws to determine which they may need to comply with if they
conduct business in the state or with the state’s residents.

71
Q

Every year, Gary receives privacy notices in the mail from
financial institutions where he has accounts. What law requires
the institutions to send Gary these notices?
A. FERPA
B. GLBA
C. HIPAA
D. HITECH

A

B. GLBA

B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy
regulations on financial institutions, including providing written
notice of privacy practices to customers.

71
Q

Matt works for a telecommunications firm and was approached
by a federal agent seeking assistance with wiretapping one of
Matt’s clients pursuant to a search warrant. Which one of the
following laws requires that communications service providers
cooperate with law enforcement requests?
A. ECPA
B. CALEA
C. Privacy Act
D. HITECH Act

A

B. CALEA

B. The Communications Assistance for Law Enforcement Act
(CALEA) requires that all communications carriers make
wiretaps possible for law enforcement officials who have an
appropriate court order.

72
Q

Which one of the following agreements typically requires that a
vendor not disclose confidential information learned during the
scope of an engagement?
A. NCA
B. SLA
C. NDA
D. RTO

A

C. NDA

C. Nondisclosure agreements (NDAs) typically require either
mutual or one-way confidentiality in a business relationship.
Service-level agreements specify service uptime and other
performance measures. Noncompete agreements (NCAs) limit
the future employment possibilities of employees. Recovery time
objectives (RTOs) are used in business continuity planning.

73
Q

The (ISC)2 Code of Ethics applies to all CISSP holders. Which of
the following is not one of the four mandatory canons of the
code?
A. Protect society, the common good, the necessary public
trust and confidence, and the infrastructure.
B. Disclose breaches of privacy, trust, and ethics.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.

A

B. Disclose breaches of privacy, trust, and ethics.

B. The (ISC)2 Code of Ethics also includes “Act honorably,
honestly, justly, responsibly, and legally” but does not
specifically require credential holders to disclose all breaches of
privacy, trust, or ethics.

74
Q

Ben is designing a messaging system for a bank and would like
to include a feature that allows the recipient of a message to
prove to a third party that the message did indeed come from
the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation

A

D. Nonrepudiation

D. Nonrepudiation allows a recipient to prove to a third party
that a message came from a purported source. Authentication
would provide proof to Ben that the sender was authentic, but
Ben would not be able to prove this to a third party.

75
Q

Which one of the following stakeholders is not typically included
on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments

A

C. CEO

C. While senior management should be represented on the BCP
team, it would be highly unusual for the CEO to fill this role
personally.

76
Q

What principle of information security states that an
organization should implement overlapping security controls
whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity

A

C. Defense in depth

C. Defense in depth states that organizations should have
overlapping security controls designed to meet the same security
objectives whenever possible. This approach provides security in
the event of a single control failure. Least privilege ensures that
an individual only has the minimum set of permissions
necessary to carry out their assigned job functions and does not
require overlapping controls. Separation of duties requires that
one person not have permission to perform two separate actions
that, when combined, carry out a sensitive function. Security
through obscurity attempts to hide the details of security
controls to add security to them. Neither separation of duties
nor security through obscurity involves overlapping controls.

77
Q

Ryan is a CISSP-certified cybersecurity professional working in
a nonprofit organization. Which of the following ethical
obligations apply to his work? (Select all that apply.)
A. (ISC)2 Code of Ethics
B. Organizational code of ethics
C. Federal code of ethics
D. RFC 1087

A

A. (ISC)2 Code of Ethics
B. Organizational code of ethics

A, B. All (ISC)2 certified professionals are required to comply
with the (ISC)2 Code of Ethics. All employees of an organization
are required to comply with the organization’s code of ethics.
The federal code of ethics (or, more formally, the Code of Ethics
for Government Service) would not apply to a nonprofit
organization, as it only applies to federal employees. RFC 1087
does provide a code of ethics for the internet, but it is not
binding on any individual.

78
Q

Ben is responsible for the security of payment card information
stored in a database. Policy directs that he remove the
information from the database, but he cannot do this for
operational reasons. He obtained an exception to policy and is
seeking an appropriate compensating control to mitigate the
risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception

A

B. Encrypting the database contents

B. Ben should encrypt the data to provide an additional layer of
protection as a compensating control. The organization has
already made a policy exception, so he should not react by
objecting to the exception or removing the data without
authorization. Purchasing insurance may transfer some of the
risk but is not a mitigating control.

79
Q

Qualitative risk matrix (probability on the vertical axis, impact on the horizontal axis):

  High   +-----------------+-----------------+
  prob.  |       II        |        I        |
         |                 |                 |
         +-----------------+-----------------+
  Low    |       III       |       IV        |
  prob.  |                 |                 |
         +-----------------+-----------------+
             Low impact        High impact

The Domer Industries risk assessment team recently conducted
a qualitative risk assessment and developed a matrix similar to
the one shown here. Which quadrant contains the risks that
require the most immediate attention?
A. I
B. II
C. III
D. IV

A

A. I

A. The risk assessment team should pay the most immediate
attention to those risks that appear in quadrant I. These are the
risks with a high probability of occurring and a high impact on
the organization if they do occur.

80
Q

Tom is planning to terminate an employee this afternoon for
fraud and expects that the meeting will be somewhat hostile. He
is coordinating the meeting with human resources and wants to
protect the company against damage. Which one of the
following steps is most important to coordinate in time with the
termination meeting?
A. Informing other employees of the termination
B. Retrieving the employee’s photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights

A

D. Revoking electronic access rights

D. Electronic access to company resources must be carefully
coordinated. An employee who retains access after being
terminated may use that access to take retaliatory action. On the
other hand, if access is terminated too early, the employee may
figure out that he or she is about to be terminated.

81
Q

Rolando is a risk manager with a large-scale enterprise. The firm
recently evaluated the risk of California mudslides on its
operations in the region and determined that the cost of
responding outweighed the benefits of any controls it could
implement. The company chose to take no action at this time.
What risk management strategy did Rolando’s organization
pursue?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance

A

D. Risk acceptance

D. In a risk acceptance strategy, the organization decides that
taking no action is the most beneficial route to managing a risk.

82
Q

Helen is the owner of a U.S. website that provides information
for middle and high school students preparing for exams. She is
writing the site’s privacy policy and would like to ensure that it
complies with the provisions of the Children’s Online Privacy
Protection Act (COPPA). What is the cutoff age below which
parents must give consent in advance of the collection of
personal information from their children under COPPA?
A. 13
B. 15
C. 17
D. 18

A

A. 13

A. COPPA requires that websites obtain advance parental
consent for the collection of personal information from children
under the age of 13.

83
Q

Tom is considering locating a business in the downtown area of
Miami, Florida. He consults the FEMA flood plain map for the
region and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?
A. 100
B. 1
C. 0.1
D. 0.01

A

D. 0.01

D. The annualized rate of occurrence (ARO) is the frequency at
which you should expect a risk to materialize each year. In a
100-year flood plain, risk analysts expect a flood to occur once
every 100 years, or 0.01 times per year.

84
Q

You discover that a user on your network has been using the
Wireshark tool. Further investigation revealed
that he was using it for illicit purposes. What pillar of
information security has most likely been violated?
A. Integrity
B. Denial
C. Availability
D. Confidentiality

A

D. Confidentiality

D. Wireshark is a protocol analyzer and may be used to
eavesdrop on network connections. Eavesdropping is an attack
against confidentiality.

85
Q

Alan is performing threat modeling and decides that it would be
useful to decompose the system into the core elements. What tool is he using?
A. Vulnerability assessment
B. Fuzzing
C. Reduction analysis
D. Data modeling

A

C. Reduction analysis

C. In reduction analysis, the security professional breaks the
system down into five core elements: trust boundaries, data flow
paths, input points, privileged operations, and details about
security controls.

86
Q

Craig is selecting the site for a new data center and must choose
a location somewhere within the United States. He obtained the
earthquake risk map from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?
A. New York (24-32)
B. North Carolina (16-24)
C. Indiana (16-24)
D. Florida (0-2)

A

D. Florida (0-2)

D. Of the states listed, Florida is the only one that is not shaded
to indicate a serious risk of a major earthquake.

87
Q

Which type of business impact assessment tool is most
appropriate when attempting to evaluate the impact of a failure
on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction

A

B. Qualitative

B. Qualitative tools are often used in business impact
assessment to capture the impact on intangible factors such as
customer confidence, employee morale, and reputation.

88
Q

Ryan is a security risk analyst for an insurance company. He is
currently examining a scenario in which a malicious hacker
might use a SQL injection attack to deface a web server due to a
missing patch in the company’s web application. In this
scenario, what is the threat?
A. Unpatched web application
B. Web defacement
C. Malicious hacker
D. Operating system

A

C. Malicious hacker

C. Risks are the combination of a threat and a vulnerability.
Threats are the external forces seeking to undermine security,
such as the malicious hacker in this case. Vulnerabilities are the
internal weaknesses that might allow a threat to succeed. In this
case, the missing patch is the vulnerability. In this scenario, if
the malicious hacker (threat) attempts a SQL injection attack
against the unpatched server (vulnerability), the result is
website defacement.

89
Q

Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is
prone to tornados. Henry recently undertook a replacement cost
analysis and determined that rebuilding and reconfiguring the
data center would cost $10 million.
Henry consulted with tornado experts, data center specialists,
and structural engineers. Together, they determined that a
typical tornado would cause approximately $5 million of
damage to the facility. The meteorologists determined that
Atwood’s facility lies in an area where they are likely to
experience a tornado once every 200 years.
Based upon the information in this scenario, what is the
exposure factor for the effect of a tornado on Atwood Landing’s
data center?
A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent

A

C. 50 percent

C. The exposure factor is the percentage of the facility that risk
managers expect will be damaged if a risk materializes. It is
calculated by dividing the amount of damage by the asset value.
In this case, that is $5 million in damage divided by the
$10 million facility value, or 50 percent.

90
Q

Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is
prone to tornados. Henry recently undertook a replacement cost
analysis and determined that rebuilding and reconfiguring the
data center would cost $10 million.
Henry consulted with tornado experts, data center specialists,
and structural engineers. Together, they determined that a
typical tornado would cause approximately $5 million of
damage to the facility. The meteorologists determined that
Atwood’s facility lies in an area where they are likely to
experience a tornado once every 200 years.
Based upon the information in this scenario, what is the
annualized rate of occurrence for a tornado at Atwood Landing’s
data center?
A. 0.0025
B. 0.005
C. 0.01
D. 0.015

A

B. 0.005

B. The annualized rate of occurrence is the number of times
that risk analysts expect a risk to happen in any given year. In
this case, the analysts expect tornados once every 200 years, or
0.005 times per year.

91
Q

Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is
prone to tornados. Henry recently undertook a replacement cost
analysis and determined that rebuilding and reconfiguring the
data center would cost $10 million.
Henry consulted with tornado experts, data center specialists,
and structural engineers. Together, they determined that a
typical tornado would cause approximately $5 million of
damage to the facility. The meteorologists determined that
Atwood’s facility lies in an area where they are likely to
experience a tornado once every 200 years.
Based upon the information in this scenario, what is the
annualized loss expectancy for a tornado at Atwood Landing’s
data center?
A. $25,000
B. $50,000
C. $250,000
D. $500,000

A

A. $25,000

A. The annualized loss expectancy is calculated by multiplying
the single loss expectancy (SLE) by the annualized rate of
occurrence (ARO). In this case, the SLE is $5,000,000, and the
ARO is 0.005. Multiplying these numbers together gives you the
ALE of $25,000.

92
Q

John is analyzing an attack against his company in which the
attacker found comments embedded in HTML code that
provided the clues needed to exploit a software vulnerability.
Using the STRIDE model, what type of attack did he uncover?
A. Spoofing
B. Repudiation
C. Information disclosure
D. Elevation of privilege

A

C. Information disclosure

C. Information disclosure attacks rely upon the revelation of
private, confidential, or controlled information. Programming
comments embedded in HTML code are an example of this type
of attack.

93
Q

Chris is worried that the laptops that his organization has
recently acquired were modified by a third party to include
keyloggers before they were delivered. Where should he focus
his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)

A

A. His supply chain

A. Supply chain management can help ensure the security of
hardware, software, and services that an organization acquires.
Chris should focus on each step that his laptops take from the
original equipment manufacturer to delivery.

94
Q

In her role as a developer for an online bank, Lisa is required to
submit her code for testing and review. After it passes through
this process and it is approved, another employee moves the
code to the production environment. What security
management does this process describe?
A. Regression testing
B. Code review
C. Change management
D. Fuzz testing

A

C. Change management

C. Change management is a critical control process that
involves systematically managing change. Without it, Lisa might
simply deploy her code to production without oversight,
documentation, or testing. Regression testing focuses on testing
to ensure that new code doesn’t bring back old flaws, while fuzz
testing feeds unexpected input to code. Code review reviews the
source code itself and may be involved in the change
management process but isn’t what is described here.

95
Q

After completing the first year of his security awareness
program, Charles reviews the data about how many staff
completed training compared to how many were assigned the
training to determine whether he hit the 95 percent completion
rate he was aiming for. What is this type of measure called?
A. A KPI
B. A metric
C. An awareness control
D. A return on investment rate

A

A. A KPI

A. Charles is tracking a key performance indicator (KPI). A KPI
is used to measure performance (and success). Without a
definition of success, this would simply be a metric, but Charles
is working toward a known goal and can measure against it.
There is no return on investment calculation in this problem, and
the measure is not a control.

96
Q

Which of the following is not typically included in a prehire
screening process?
A. A drug test
B. A background check
C. Social media review
D. Fitness evaluation

A

D. Fitness evaluation

D. A fitness evaluation is not a typical part of a hiring process.
Drug tests, background checks, and social media checks are all
common parts of current hiring practices.

97
Q

Which of the following would normally be considered a supply
chain risk? (Select all that apply.)
A. Adversary tampering with hardware while it is being
shipped to the end customer
B. Adversary hacking into a web server run by the organization
in an IaaS environment
C. Adversary using social engineering to compromise an
employee of a SaaS vendor to gain access to customer
accounts
D. Adversary conducting a denial-of-service attack using a
botnet

A

A. Adversary tampering with hardware while it is being shipped to the end customer
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts

A, C. Supply chain risks occur when the adversary is interfering
with the delivery of goods or services from a supplier to the
customer. This might involve tampering with hardware before
the customer receives it or using social engineering to
compromise a vendor employee. Hacking into a web server run
in an IaaS environment is not a supply chain risk because the
web server is already under the control of the customer. Using a
botnet to conduct a denial-of-service attack does not involve any
supply chain elements.

98
Q

Match the following numbered laws or industry standards to
their lettered description:
Laws and industry standards
1. GLBA
2. PCI DSS
3. HIPAA
4. SOX
Descriptions
A. A U.S. law that requires covered financial institutions to
provide their customers with a privacy notice on a yearly
basis
B. A U.S. law that requires internal controls assessments,
including IT transaction flows for publicly traded
companies
C. An industry standard that covers organizations that handle
credit cards
D. A U.S. law that provides data privacy and security
requirements for medical information

A

The laws or industry standards match to the descriptions as
follows:
1. GLBA: A. A U.S. law that requires covered financial
institutions to provide their customers with a privacy notice
on a yearly basis
2. PCI DSS: C. An industry standard that covers organizations
that handle credit cards
3. HIPAA: D. A U.S. law that provides data privacy and
security requirements for medical information
4. SOX: B. A U.S. law that requires internal controls
assessments including IT transaction flows for publicly
traded companies