Domain 1 Security and Risk Management

Question 1

business organizations use which of the following levels of classifications:

Answer 1

Public, Internal Use Only, Confidential, Restricted

Question 2

time between when the changes are made on one system and when they’re propagated to other systems is known as:

Answer 2

Time-of-check/time-of-use (TOC/TOU)

Question 3

This person is responsible for the overall protection of the information assets.

Answer 3

Executive Manager

Question 4

This legal system is also known as Regulatory Law and is concerned with the governance of public bodies and agency power among other areas.

Answer 4

Administrative Law

Question 5

Who should direct short-term recovery actions immediately following a disaster?

Answer 5

Disaster Recovery Manager.

Question 6

Which of the following should NOT be a role of the Security Administrator?

Answer 6

Authorizing access rights

Question 7

What is the main purpose of Corporate Security Policy?

Answer 7

To communicate management’s intentions in regards to information security

Question 8

A contingency plan should address:

Answer 8

Potential risks. Residual risks. Identified risks.

Question 9

Which of the following focuses on sustaining an organization’s business functions during and after a disruption?

Answer 9

Business continuity plan

Question 10

The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit is called:

Answer 10

enticement

Question 11

What are the three primary goals of a BIA?

Answer 11

Criticality prioritization, downtime estimation, and resource requirements.

Question 12

most appropriate to notify an internal user that monitoring is being enforced and there is no expectation of privacy on systems that belong to the company?

Answer 12

Written agreement

Question 13

guidelines recommended to protect PII

Answer 13

Limited, Relevant and Specific in Purpose

Question 14

This type of authentication is better than simple passwords but the technology involved is still subject to loss, damage, or theft for examination.

Answer 14

Type 2: Something you have

Question 15

What is the appropriate role of the security analyst in the application system development or acquisition project?

Answer 15

control evaluator & consultant

Question 16

The first step in the implementation of the contingency plan is to perform:

Answer 16

A data backup

Question 17

Who is responsible for restricting and monitoring access of a data user?

Answer 17

Security Administrator

Question 18

Which of the following would be the best recovery strategy if you have an application which cannot accept any downtime without negatively impacting the organization.

Answer 18

Dual Data Center

Question 19

Hashing functions takes message input of a given length and create a(n) __________.

Answer 19

Fixed Length Output

Question 20

This sequence is used to detect errors in transmission of messages and is often deployed with symmetric key cryptography.

Answer 20

Checksum

Question 21

A professor in a school shared a time management software with a colleague so that she could check out its features and buy the software if she found it useful. This may have likely violated the terms under which the software was licensed to the professor. What ethical principle would the professor apply to justify his action?

Answer 21

Change of scale test

Question 22

Which of the following is not part of the current state assessment phase for BCP/DRP?

Answer 22

Design initial acceptance testing of plans

Question 23

Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances?

Answer 23

Guidelines

Question 24

Which of the following teams is responsible for starting recovery of the original site in the aftermath of a disaster?

Answer 24

Salvage team

Question 25

what are the guidelines to classify data?

Answer 25

Classify all data irrespective of the format it exists in (paper, digital, audio, video)

Question 26

What formula is used to calculate total risk?

Answer 26

Threats x vulnerability x asset value

Question 27

the following is NOT a responsibility of a database administrator

Answer 27

Providing access authorization to databases

Question 28

What are the five key principle that forms the core of the COBIT5 framework?

Answer 28

1) Meeting Stakeholders needs,
2) Covering the enterprise end to end,
3) Apply a single integrated framework,
4) Enabling a holistic approach,
5) Seperating governance from management.

Question 29

The method for determining the level of risk to the organization’s information if this data to be lost or compromised is known as:

Answer 29

Information Classification

Question 30

Plans and organizes information security activities throughout the organization.

Answer 30

Security officer

Question 31

When it comes to Risk Mitigation, which risk countermeasure involves not even taking the chance with the risk?

Answer 31

Risk Avoidance

Question 32

What are the three primary goals of a BIA?

Answer 32

Criticality prioritization,
downtime estimation, and
resource requirements.

Question 33

ISC2 Code of Ethics Canons?

Answer 33

*Protect society, the commonwealth, and the infrastructure
Advance and protect the profession
Act honorably, honestly, justly, responsibly, and legally Provide diligent and competent service to principals

Question 34

financial risks can be calculated is by using the formula:

Answer 34

P * M = C

Question 35

(AAA)

Answer 35

Identity and Authentication, Authorization and Accountability

Question 36

legal system where court decisions governed by previous court rulings and generally use an adversarial approach to litigation.

Answer 36

Common Law

Question 37

MTD estimates for business continuity planning:

Answer 37

nonessential: 30 days;
normal: seven days;
important: 72 hours;
urgent: 24 hours;
critical: minutes to hours.

Question 38

What information gathering technique is generally regarded as legal

Answer 38

Dumpster Diving

Question 39

BCP testing interval

Answer 39

Annually

Question 40

4 ways to handle risk

Answer 40

risk mitigation,
risk avoidance,
risk transference
risk acceptance.

Question 41

What type of evidence cannot be used on its own, but may be admissible to prove other, more substantial evidence?

Answer 41

Corroborative evidence

Question 42

BCP defined

Answer 42

A business continuity plan is a set of policies, procedures, guidelines, and standards that are intended to ensure the survival and continued operation of a business following a disaster. It should be tightly coupled with the corporate security policy and program for reasons of operational efficiency, cost savings, as well as providing an overarching framework protecting the business and its assets from threats to its survival and well being

Question 43

Advisory policy

Answer 43

Advisory policy. Such policies typically advise employees on acceptable behavior within an organization and the result of not conforming to such behavior. For example, such an advisory policy could be put into effect while handling confidential data.

Question 44

formula is used to calculate total risk

Answer 44

Threats x vulnerability x asset value

Question 45

Backup types:

Answer 45

Incremental backups take less time to complete than either full or differential backups, as only the files with changed archived bits are backed up. However, incremental backups are more complicated and take more time to restore, because they must be restored in the precise order in which they were backed up to avoid missing a file.

Question 46

Risk

Answer 46

A risk is the likelihood that a threat agent will take advantage of a vulnerability. It ties the vulnerability, threat and the likelihood of being exploited, to the business impact that could result.

Question 47

Guidelines

Answer 47

Guidelines are general approaches and provide the necessary flexibility to handle emergencies. Guidelines may also be certain recommended approaches / actions to handle certain scenarios.

Question 48

Service outage levels:

Answer 48

A non-disaster is an outage in hours

A disaster is an event that causes an entire facility to be unavailable for a day or longer, and typically involves the use of a backup site while the primary facility is being repaired..

A catastrophe is an event in which an entire facility is destroyed.

Question 49

the following is a key metric in the aftermath of a disaster

Answer 49

Compromised customer service

Question 50

Which type of online backup provides faster IO access to files?

Answer 50

Disk Shadowing

Question 51

The following represents the correct order in of activities in response to an incident?

Answer 51

Triage, Reaction, Follow-up

Question 52

How often should background checks be done on employees in a company?

Answer 52

Prior to their joining work and as required.

Question 53

CoBIT

Answer 53

The CoBIT stands for Control Objectives for Information and related Technology. This is published by the IT Governance Institute and is an effective IT Governance framework. COSO is a model for corporate governance, while ISO 17799 and ISO 27001 are enterprise security standards.

Question 54

The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP:

Answer 54

Control

Question 55

Which of the following would be best suited to oversee the development of an information security policy?

Answer 55

Security officers

Question 56

Which of the following should NOT be a role of the Security Administrator?

Answer 56

Authorizing access rights

Question 57

best suited to oversee the development of an information security policy

Answer 57

Security Officer

Question 58

NOT a role of the Security Administrator

Answer 58

Authorizing access rights

Question 59

Configuration Management process is one that can:

Answer 59

(1) accommodate change;
(2) accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure changes, standards, and requirements are communicated promptly and precisely; and
(5) ensure that the results conform to each instance of the product.

Question 60

How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?

Answer 60

Accept the risk

Question 61

Information classification should be based on

Answer 61

the value of the information to the organization and its sensitivity

Question 62

BCP vs BRP vs COOP

Answer 62

A business continuity plan (BCP) focuses on sustaining an organization’s business functions during and after a disruption. Information systems are considered in the BCP only in terms of their support to the larger business processes. The business recovery plan (BRP) addresses the restoration of business processes after an emergency. The BRP is similar to the BCP, but it typically lacks procedures to ensure continuity of critical processes throughout an emergency or disruption. The continuity of operations plan (COOP) focuses on restoring an organization’s essential functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. The disaster recovery plan (DRP) applies to major, usually catastrophic events that deny access to the normal facility for an extended period. A DRP is narrower in scope than an IT contingency plan in that it does not address minor disruptions that do not require relocation.

Question 63

The copyright law (“original works of authorship”) protects the right of the owner in all of the following except?

Answer 63

The idea itself

Question 64

MOM in criminal cases refers to

Answer 64

Motivation, Opportunity, Means

Question 65

A periodic review of user account management should not determine:

Answer 65

Strength of user-chosen passwords

Question 66

An effective information security policy should:

Answer 66

Include separation of duties

Be understandable and supported by all stakeholders

Specify areas of responsibility and authority

Question 67

Whose role is it to assign classification level to information?

Answer 67

Owner

Question 68

How often should tests and disaster recovery drills be performed?

Answer 68

At least once a year

Question 69

What are the three primary goals of a BIA?

Answer 69

Criticality prioritization, downtime estimation, and resource requirements.

Question 70

Which of the following best describes an exploit?

Answer 70

A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software

Question 71

Who is responsible for restricting and monitoring access of a data user?

Answer 71

Security Administrator

Question 72

This position is responsible for ensuring that users, owners, custodians, systems and networks are in compliance with security policy.

Answer 72

Information Systems Auditor

Question 73

Contingency Planning includes

Answer 73

prioritization of apps = asset valuation

assessment of threat impact = threat modeling

development of recovery scenarios = risk mitigation

Question 74

Who is responsible for providing adequate physical and logical security for Information System (IS) program, data, and equipment?

Answer 74

Security Administrator

Question 75

What is one component of penetration testing that is often left out and doesn’t include any technical intrusion testing?

Answer 75

Social Engineering

Question 76

A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called a ?

Answer 76

Vulnerability

Question 77

Which of the following is given the responsibility of the maintenance and protection of the data?

Answer 77

Data custodian

Question 78

What category of law deals with regulatory standards that regulate performance and conduct?

Answer 78

Administrative/regulatory law.

Question 79

What can be described as a measure of the magnitude of loss or impact on the value of an asset?

Answer 79

Exposure factor

Question 80

What is the name of the process defined by extracting user names, machine names, network hosts, shares and finding services hosted on computers?

Answer 80

Enumeration

Question 81

The method for determining the level of risk to the organization’s information if this data to be lost or compromised is known as:

Answer 81

Information Classification

Question 82

Which of the following BEST describes why it is critical to train your user community on data classification?

Answer 82

They are the ones most often handling critical information and can best ensure its proper use.

Question 83

Which answer BEST explains specifically what a firewall does to provide basic network security?

Answer 83

Enforce Administrative Policy

Question 84

Financial risk formula

Answer 84

P*M=C
Probability
Magnatude
Cost

Question 85

Which disaster recovery plan test involves functional representatives meeting to review the plan in detail?

Answer 85

Structured walk-through test

Question 86

Who is responsible for providing technical support for the hardware and software environment by developing, installing and operating the requested system?

Answer 86

System Development Management

Question 87

Plans and organizes information security activities throughout the organization.

Answer 87

Security officer

Question 88

After all other risk management principles have been applied, this principle is observed as the last requirement. This principle MUST be observed if the business function is to occur:

Answer 88

Risk Acceptance

Question 89

This sequence is used to detect errors in transmission of messages and is often deployed with symmetric key cryptography.

Answer 89

Checksum