Domain 6 Flashcards
Security Assessment and Testing
Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information.
C. Third-party auditors are almost always fairly expensive, so if the organization's budget does not support their use, it may be necessary to use internal assets to conduct the audit.
All of the following are steps in the security audit process except
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.
B. The management review is not a part of any audit. Instead, this review typically uses the results of one or more audits in order to make strategic decisions.
Which of the following is an advantage of using third-party auditors?
A. They may have knowledge that an organization wouldn’t otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports.
A. Because they audit many other organizations and continually refresh their knowledge, third-party auditors almost always bring knowledge and insights that would otherwise be unavailable to the organization.
Choose the term that describes an audit performed to demonstrate that an organization is complying with its contractual obligations to another organization.
A. Internal audit
B. Third-party audit
C. External audit
D. Compliance audit
C. External audits are performed to verify that a contractor or business partner is meeting its contractual obligations, so C is the best answer. A compliance audit is performed against regulatory or industry standards and would almost certainly be a third-party audit, which makes answer D a poor fit in most cases.
Which of the following is true of a vulnerability assessment?
A. The aim is to identify as many vulnerabilities as possible.
B. It is not concerned with the effects of the assessment on other systems.
C. It is a predictive test aimed at assessing the future performance of a system.
D. Ideally it is fully automated, with no human involvement.
A. One of the principal goals of a vulnerability assessment is to identify as many security flaws as possible within a given system, while being careful not to disrupt other systems.
An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as
A. Physical testing
B. Personnel testing
C. Vulnerability testing
D. Network testing
B. Social engineering is focused on people, so personnel testing is the best answer.
Which of the following is an assessment that affords the auditor detailed knowledge of the system's architecture before conducting the test?
A. White box testing
B. Gray box testing
C. Black box testing
D. Zero knowledge testing
A. White box testing gives the tester detailed information about the internal workings of the system under study. Gray box testing provides only some of that information, so it is not the best answer to this question.
Vulnerability scans normally involve all the following except
A. The identification of active hosts on the network
B. The identification of malware on all hosts
C. The identification of misconfigured settings
D. The identification of operating systems
B. Vulnerability testing does not normally include scanning hosts for malware. Instead, it focuses on finding flaws that malware could potentially exploit.
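Worked example (added here; it is not part of the original flashcards): one of the checks a vulnerability scanner performs is comparing a host's configuration against a hardened baseline. The code below runs that kind of check over a constructed sshd_config excerpt. The directive names, the hardened values, and the values sshd assumes when a directive is absent are stated as this example's assumptions, taken from the OpenSSH sshd_config manual page; nothing here is from the flashcards.

```python
# Added example: a minimal "misconfigured settings" check of the kind a
# vulnerability scanner runs. The sample config below is constructed for this
# example and does not come from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitemptypasswords no
X11Forwarding yes
"""

# directive -> (values accepted as hardened, value sshd assumes when the
# directive is absent, why it matters). Defaults are this example's assumption,
# taken from the OpenSSH sshd_config(5) manual page.
CHECKS = {
    "permitrootlogin": (("no", "prohibit-password"), "prohibit-password",
                        "root may log in directly over SSH"),
    "passwordauthentication": (("no",), "yes",
                               "password logins allowed; keys are preferred"),
    "permitemptypasswords": (("no",), "no",
                             "accounts with empty passwords may log in"),
    "x11forwarding": (("no",), "no",
                      "X11 forwarding exposes the client display"),
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive (lowercased): value}. sshd honours the first
    occurrence of a directive, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def find_misconfigurations(text: str) -> list:
    """Compare each checked directive (or its default when absent) against
    the hardened values and return one finding per deviation."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (accepted, default, why) in CHECKS.items():
        observed = settings.get(directive, default)
        source = "explicit" if directive in settings else "default"
        if observed.lower() not in accepted:
            findings.append({
                "directive": directive,
                "observed": observed,
                "expected": accepted[0],
                "source": source,   # a default-derived finding is still a finding
                "why": why,
            })
    return findings


if __name__ == "__main__":
    for f in find_misconfigurations(SAMPLE_SSHD_CONFIG):
        print(f"{f['directive']}: {f['observed']} ({f['source']}), "
              f"expected {f['expected']}: {f['why']}")
```

Note that the check reports a deviation even when the directive is not present in the file: an absent setting still has a value, and scanners that only flag explicit lines miss insecure defaults.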
Security event logs can best be protected from tampering by which of the following?
A. Encrypting the contents using asymmetric key encryption
B. Ensuring every user has administrative rights on their own workstations
C. Using remote logging over simplex communications media
D. Storing the event logs on DVD-RW
C. A remote logging host raises the bar for attackers: compromising one host is not enough, because they would also have to compromise the log server to tamper with its copy of the logs. A simplex (one-way) channel hinders them further, since the log server only receives data from the monitored hosts and offers them no path back through which it could be attacked.
Synthetic transactions are best described as
A. Real user monitoring (RUM)
B. Transactions that fall outside the normal purpose of a system
C. Transactions that are synthesized from multiple users’ interactions with the system
D. A way to test the behavior and performance of critical services
D. Synthetic transactions are those that simulate the behavior of real users but are not the result of real user interactions with the system. They allow an organization to ensure that services are behaving properly without having to rely on user complaints to detect problems.
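Worked example (added here; it is not part of the original flashcards): a synthetic transaction is a scripted request that exercises a critical service the way a user would and judges both the response and the time it took. The code below stands up a constructed HTTP service in a thread so the example runs offline, then runs probes against it. The endpoint names, the status and latency thresholds, and the stand-in service are all this example's assumptions.

```python
# Added example: a synthetic-transaction probe against a constructed stand-in
# service. The service and its endpoints exist only for this example.
import http.server
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass


class _FakeCheckoutHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a critical service: /checkout is healthy,
    /slow answers correctly but late, anything else is missing."""

    def do_GET(self):
        if self.path == "/checkout":
            status, body = 200, b'{"status":"ok"}'
        elif self.path == "/slow":
            time.sleep(0.5)          # simulate a degraded backend
            status, body = 200, b'{"status":"ok"}'
        else:
            status, body = 404, b'{"status":"missing"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                         # keep the example quiet


def start_fake_service():
    """Bind to an ephemeral port and serve in the background; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeCheckoutHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


@dataclass
class ProbeResult:
    path: str
    ok: bool
    status: int
    latency_ms: float
    reason: str


def synthetic_transaction(base_url, path, expected_status=200, max_latency_ms=250.0):
    """One scripted transaction: call the endpoint as a user would, then judge
    the status code and the latency against the service's objectives."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(base_url + path, timeout=2) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code              # a 4xx/5xx is still a measurable answer
    except (urllib.error.URLError, OSError):
        return ProbeResult(path, False, 0, -1.0, "unreachable")
    latency_ms = (time.perf_counter() - start) * 1000
    if status != expected_status:
        return ProbeResult(path, False, status, latency_ms, "unexpected status")
    if latency_ms > max_latency_ms:
        return ProbeResult(path, False, status, latency_ms, "too slow")
    return ProbeResult(path, True, status, latency_ms, "ok")


def run_probes(port):
    """Run the scripted transaction set; in production this runs on a schedule."""
    base = f"http://127.0.0.1:{port}"
    return [synthetic_transaction(base, p) for p in ("/checkout", "/slow", "/gone")]


if __name__ == "__main__":
    server, port = start_fake_service()
    for r in run_probes(port):
        print(f"{r.path}: {'PASS' if r.ok else 'FAIL'} ({r.reason}, {r.status}, {r.latency_ms:.1f} ms)")
    server.shutdown()
```

The /slow probe is the case the flashcard is getting at: the service answers correctly, so no user would file a complaint yet, but the synthetic transaction already reports a performance problem.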
Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal?
A. Misuse case testing
B. Use case testing
C. Real user monitoring (RUM)
D. Fuzzing
A. Misuse case testing allows us to document both an adversary's desired actions on a system and the controls that are meant to thwart that adversary. It is similar to developing use cases, but with a malicious user's actions in mind instead of those of legitimate users.
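Worked example (added here; it is not part of the original flashcards): a misuse case pairs an adversary's goal with the control meant to stop it, and the test then exercises the misuse to confirm the control holds. Below, the misuse case is online password guessing and the control is account lockout. The login service, the lockout parameters, and the guess list are constructed for this example; the service is also instantiated once with the control disabled so the test shows what the misuse achieves without it.

```python
# Added example: a misuse case ("attacker guesses passwords") tested against the
# control meant to thwart it ("lock the account after N failures"). The service
# and its parameters are constructed for this example.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5          # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 900     # assumed policy: 15-minute lockout
PBKDF2_ROUNDS = 20_000    # lowered so the example runs quickly; production uses far more


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Minimal authentication service carrying the control under test.
    max_failures=0 disables lockout, which is the uncontrolled case."""

    def __init__(self, clock=time.time, max_failures=MAX_FAILURES):
        self.accounts = {}
        self.clock = clock            # injectable so the test can advance time
        self.max_failures = max_failures

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(salt, password))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        now = self.clock()
        if now < acct.locked_until:
            return "locked"           # the control: refuse before checking the password
        if hmac.compare_digest(acct.digest, self._hash(acct.salt, password)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures and acct.failures >= self.max_failures:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def misuse_case_password_guessing(service, user, guesses):
    """Misuse case: the adversary tries each guess in turn.
    Returns (outcome, number of guesses that reached the password check)."""
    checked = 0
    for guess in guesses:
        result = service.login(user, guess)
        if result == "ok":
            return ("compromised", checked + 1)
        if result == "locked":
            return ("thwarted", checked)
        checked += 1
    return ("exhausted", checked)


# Constructed guess list; the real password is last, as a determined guesser would reach it.
GUESSES = ["123456", "password", "qwerty", "letmein", "admin",
           "welcome", "correct horse battery staple"]

if __name__ == "__main__":
    for enabled in (True, False):
        svc = LoginService(max_failures=MAX_FAILURES if enabled else 0)
        svc.register("alice", "correct horse battery staple")
        print("lockout", "on " if enabled else "off",
              misuse_case_password_guessing(svc, "alice", GUESSES))
```

The test documents both halves of the misuse case: with the control on, the adversary is stopped after the fifth guess and even the legitimate password is refused until the lockout expires; with it off, the same guess list compromises the account.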
Code reviews include all of the following except
A. Ensuring the code conforms to applicable coding standards
B. Discussing bugs, design issues, and anything else that comes up about the code
C. Agreeing on a “disposition” for the code
D. Fuzzing the code
D. Fuzzing is a technique for detecting flaws in the code by bombarding it with massive amounts of random data. This is not part of a code review, which focuses on analyzing the source code, not its response to random data.
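Worked example (added here; it is not part of the original flashcards): fuzzing feeds a program large volumes of random or malformed input and records what makes it fail. The code below fuzzes a constructed length-prefixed record parser that skips its bounds checks, then fuzzes a hardened version of the same parser that rejects bad input with a controlled ValueError. The record format, both parsers, and the fuzzer are this example's assumptions, not a real protocol or tool.

```python
# Added example: a minimal random fuzzer run against a constructed parser.
# Nothing here is a real format or a real fuzzing tool.
import random


def parse_records(data: bytes) -> list:
    """Constructed target. Each record is 1 byte type, 1 byte length, then
    `length` value bytes. Deliberately unchecked: it trusts the length field,
    so truncated input reaches an out-of-range index."""
    records = []
    i = 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]              # fails if input ends after a type byte
        value = data[i + 2 : i + 2 + length]
        if length:
            _ = value[length - 1]         # fails if declared length exceeds the buffer
        records.append((rtype, value))
        i += 2 + length
    return records


def parse_records_safe(data: bytes) -> list:
    """Hardened version: every read is bounds-checked and bad input is refused
    with a ValueError, which is the controlled outcome the caller expects."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("declared length exceeds buffer")
        records.append((rtype, data[i + 2 : i + 2 + length]))
        i += 2 + length
    return records


def fuzz(target, iterations=20_000, seed=1, max_len=16, expected=(ValueError,)):
    """Throw random byte strings at `target`. Exceptions the parser is
    documented to raise (`expected`) count as rejections, anything else is a
    crash. Returns {(exception type, message): first input that triggered it}."""
    rng = random.Random(seed)             # fixed seed so findings are reproducible
    crashes = {}
    for _ in range(iterations):
        sample = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), sample)
    return crashes


if __name__ == "__main__":
    for name, fn in (("unchecked", parse_records), ("hardened", parse_records_safe)):
        found = fuzz(fn)
        print(f"{name}: {len(found)} distinct crash(es)")
        for (etype, msg), sample in found.items():
            print(f"  {etype}: {msg}  <- {sample!r}")
```

A code review of parse_records might or might not spot the missing checks; the fuzzer finds them mechanically, and the reproducer input it keeps is what gets attached to the bug report.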
Interface testing could involve which of the following?
A. The application programming interface (API)
B. The graphical user interface (GUI)
C. Both of the above
D. None of the above
C. Interface testing covers the exchange points within different components of the system. The API is the exchange point between the system and the libraries it leverages, while the GUI is the exchange point between the system and the users. Testing either of these would constitute an interface test.
What is a key performance indicator (KPI)?
A. A value for a factor that denotes that some condition is met
B. The result of comparing multiple measurements
C. A significant indicator that shows the performance of an ISMS
D. A quantitative observation of a factor of an ISMS at a point in time
C. Key performance indicators (KPIs) are metrics that are particularly significant in showing the performance of an ISMS against its stated goals. Because every KPI is a metric, answer B (the partial definition of a metric) is also true of a KPI, but it is not the best answer because it leaves out the significance and purpose of the metric.
Which of the following is true about key risk indicators (KRIs)?
A. They tell managers where an organization stands with regard to its goals.
B. They are inputs to the calculation of single loss expectancy (SLE).
C. They tell managers where an organization stands with regard to its risk appetite.
D. They represent an interpretation of one or more metrics that describes the effectiveness of the ISMS.
C. Key risk indicators (KRIs) allow managers to understand when specific activities of the organization are moving it toward a higher level of risk. They are useful for understanding changes and managing the overall risk.