Domain 2 Asset Security

Question 1

Which of the following is needed for System Accountability?

Answer 1

Audit mechanisms

Question 2

Operations Security seeks to primarily protect against which of the following?

Answer 2

asset threats

Question 3

The ISO/IEC 27001:2013 is a standard for:

Answer 3

Information Security Management System

Question 4

system state of mandatory settings and security configuration settings which must be in place on a system prior to being permitted on the enterprise network?

Answer 4

Configuration Baseline

Question 5

Critical areas should be lighted:

Answer 5

Eight feet high and two feet out.

Question 6

The core principles of PCI-DSS

Answer 6

Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

Question 7

OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluationism

Answer 7

OCTAVE ® stands for Operationally Critical Threat, Asset, and Vulnerability Evaluationsm, a risk management framework from Carnegie Mellon University. OCTAVE ® describes a three-phase process for managing risk.
Phase 1 identifies staff knowledge, assets, and threats.
Phase 2 identifies vulnerabilities and evaluates safeguards.
Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.

Conrad, Eric; Misenar, Seth; Feldman, Joshua. CISSP Study Guide (Kindle Locations 2437-2441). Elsevier Science. Kindle Edition.

Question 8

ISO 17799 was renumbered to ISO 27002 in 2005, to make it consistent with the 27000 series of ISO security standards. ISO 27001

Answer 8

1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management 11. Compliance

Question 9

COBIT (Control Objectives for Information and related Technology)

Answer 9

is a control framework for employing information security governance best practices within an organization.

Question 10

COBIT has four domains:

Answer 10

Plan and Organize,
Acquire and Implement,
Deliver and Support,
Monitor and Evaluate.

Question 11

ITIL ®

Answer 11

IT best services framework
ITIL ® contains five “Service Management Practices— Core Guidance” publications: 
• Service Strategy 
• Service Design 
• Service Transition 
• Service Operation 
• Continual Service Improvement

Question 12

Scoping

Answer 12

process of determining which portions of a standard will be employed by an organization.

Question 13

Tailoring

Answer 13

process of customizing a standard for an organization. It begins with controls selection, continues with scoping, and finishes with the application of compensating controls.

Question 14

NIST Special Publication 800-53

Answer 14

(Security and Privacy Controls for Federal Information Systems and Organizations)

Question 15

What data classification level indicates that information should stay within the organization but not identify as proprietary?

Answer 15

private

Question 16

What would you call a microchip installed on the motherboard of modern computers and is dedicated to carrying out security functions that involve the storage and processing of symmetric and asymmetric keys, hashes, and digital certificates.

Answer 16

Trusted Platform Module (TPM)

Question 17

Which of the following is required in order to provide accountability?

Answer 17

Audit trails

Question 18

Asymmetric encryption

Answer 18

A public/ private key system is an asymmetric encryption mechanism. Public keys are shared between users of the same encryption software, while the private keys are known only by the owner of that key. The sender uses the public key of the recipient to encrypt the message, while the private key of the recipient is used to decrypt the message. Asymmetric encryption is more computationally intensive than symmetric cryptography, and is best used for small data payloads.

Question 19

Use of SSL over HTTP technology, also known as HTTPS, helps prevent which of the following attacks?

Answer 19

Man-in-the-middle

Question 20

Joe wants to exchange data with 100 other users using symmetric key encryption. How many separate keys does Joe need to have?

Answer 20

In symmetric cryptography, the sender and receiver will use two instances of the same key to encrypt and decrypt. So if Joe needs to exchange data with 100 other people, he would need to have as many separate keys, so the correct answer is 100.

Question 21

Substitution cipher

Answer 21

The substitution cipher replaces bits, characters, or blocks with different bits, characters, or blocks to create the ciphertext. For example, if you wanted to encrypt the plaintext term “James” and you were using the English alphabet and moving three positions to the right, the new ciphertext would be “Mdphv”.

Question 22

What is multiparty key recovery in the context of key management?

Answer 22

The private key is broken up into multiple parts and these are handed out to various trusted people within an organization. In case of loss of the key, these people are grouped together and the key is reconstructed.

Question 23

Communications utilizing an asymmetric encryption method are most susceptible to which of the following attacks?

Answer 23

Man-in-the-middle

Question 24

When working with asymmetric algorithms, which of these principles regarding open / confidential messages is correct?

Answer 24

Confidential messages are encrypted with the public key. This allows only the holder of the private key to decrypt them. Open messages are encrypted with the private key of a sender. They can be decrypted by anyone having the corresponding public key.

Question 25

following statements is true about data encryption as a method of protecting data?

Answer 25

It requires careful key management

Question 26

Operations Security seeks to primarily protect against

Answer 26

asset threats

Question 27

Degaussing is used to clear data from all of the following medias except:

Answer 27

Read-Only Media

Question 28

Which of the following is not appropriate in addressing object reuse?

Answer 28

Deleting files on disk before reusing the space.

Question 29

the following is the BEST way to detect software license violations?

Answer 29

Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC.

Question 30

which encryption method is where we share one of our keys for everyone to use and keep one for our use only?

Answer 30

Public-Key Infrastructure

Question 31

Modifying the list of security controls within a baseline so that they align with the mission of the organization is referred to as?

Answer 31

Tailoring

Question 32

When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?

Answer 32

Clearing renders data only recoverable with laboratory techniques and purging cannot be restored by any known technique.

Question 33

A review of system access audit records would be an example of which of the basic security functions?

Answer 33

detection.

Question 34

common category/classifications of threat to an IT system

Answer 34

Human
Natural
Technological