Enterprise Security Integration Flashcards

1
Q
The security triad does not include which of the following? 
A. Availability 
B. Integrity 
C. Authenticity 
D. Confidentiality
A

C. The security triad consists of confidentiality, integrity, and availability; authenticity is not one of its three elements.

2
Q
______________ is about proving the veracity of the claim. 
A. Accountability 
B. Authentication 
C. Non-repudiation 
D. Accessibility
A

B. The purpose of authentication is to prove the veracity of the claim.

3
Q
Granularity is most closely associated with which of the following terms? 
A. Accountability 
B. Authentication 
C. Non-repudiation 
D. Accessibility
A

B. Granularity is most closely associated with the term authentication.

4
Q
According to the process described in this chapter for building security controls, what is the last step? 
A. Discover protection needs. 
B. Design system security architecture. 
C. Audit. 
D. Implement system security.
A

D. According to the process described in this chapter for building security controls, the last step is to implement system security.

5
Q
______________ is the practice of organizing and documenting a company’s IT assets so that planning, management, and expansion can be enhanced. 
A. Value delivery 
B. COBIT 
C. Performance measurement 
D. Enterprise architecture
A

D. Enterprise architecture is the practice of organizing and documenting a company’s IT assets so that planning, management, and expansion can be enhanced.

6
Q
For what purpose is software escrow most commonly used? 
A. Offsite backup 
B. Vendor bankruptcy 
C. Redundancy 
D. Insurance coverage
A

B. Software escrow is most commonly used in cases of vendor bankruptcy.

7
Q
If someone in payroll wanted to commit fraud, which of the following would force them to collude with someone from accounting? 
A. Background checks 
B. Dual control 
C. Mandatory vacation 
D. Job rotation
A

B. Dual control requires two people to complete a sensitive transaction, so someone in payroll could not commit fraud alone and would have to collude with someone in accounting.
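The dual-control rule in this card, as an added worked example (not code from the page or the book it is drawn from): a payroll batch is initiated by one person and cannot be released until a second person approves it, and that second person must be someone other than the initiator and from a different department. The user directory, batch identifiers and department names are constructed for the example.

```python
"""Dual control for a payroll release (added example, not from the page).

A batch initiated by someone in payroll cannot be released until a second,
different person from a different department approves it. The user directory
and batch data below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


# Constructed directory of users and their departments (assumption for the example).
DIRECTORY = {
    "alice": "payroll",
    "bob": "payroll",
    "carol": "accounting",
    "dave": "accounting",
}


class DualControlError(Exception):
    """Raised when an approval would defeat dual control."""


@dataclass
class PayrollBatch:
    batch_id: str
    initiator: str
    approver: Optional[str] = None

    def approve(self, user: str) -> None:
        """Record `user` as the second party, enforcing the dual-control rules."""
        if self.approver is not None:
            raise DualControlError("batch already approved")
        if self.initiator not in DIRECTORY:
            raise DualControlError(f"unknown initiator {self.initiator!r}")
        if user not in DIRECTORY:
            raise DualControlError(f"unknown user {user!r}")
        if user == self.initiator:
            raise DualControlError("initiator cannot approve their own batch")
        if DIRECTORY[user] == DIRECTORY[self.initiator]:
            # Two payroll staff acting together would still be collusion inside
            # one team; the second party must come from another department.
            raise DualControlError("approver must be from a different department")
        self.approver = user

    @property
    def released(self) -> bool:
        return self.approver is not None


def try_release(batch_id: str, initiator: str, approver: str) -> str:
    """Run one initiate/approve cycle and return 'released' or the refusal reason."""
    batch = PayrollBatch(batch_id, initiator)
    try:
        batch.approve(approver)
    except DualControlError as exc:
        return f"refused: {exc}"
    return "released" if batch.released else "refused: not approved"


if __name__ == "__main__":
    print(try_release("PR-2024-07", "alice", "alice"))  # refused: initiator cannot approve their own batch
    print(try_release("PR-2024-07", "alice", "bob"))    # refused: approver must be from a different department
    print(try_release("PR-2024-07", "alice", "carol"))  # released
```

The department check is what turns plain dual control into a separation-of-duties control: without it, two payroll staff could still release a fraudulent batch between themselves.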

8
Q
A ______________ is a top-tier security document that provides an overall view of security. 
A. Policy 
B. Procedure 
C. Baseline 
D. Guideline
A

A. A policy is a top-tier document that gives you an overall view of security.

9
Q
Which of the following does not help in preventing fraud? 
A. Mandatory vacations 
B. Job rotation 
C. Job enlargement 
D. Separation of duties
A

C. Separation of duties, job rotation, and mandatory vacations are management controls that help prevent or expose fraud. Job enlargement is not a security control; its purpose is to expand the scope of an employee’s work.

10
Q
Which type of document defines a minimum level of security? 
A. Policy 
B. Standard 
C. Baseline 
D. Procedure
A

C. A baseline defines a minimum level of security.

11
Q
Fault tolerance is best described as what type of control? 
A. Recovery 
B. Preventive 
C. Detective 
D. Corrective
A

D. Fault tolerance is best described as a corrective control.

12
Q
What form of testing verifies inner logic? 
A. Pilot 
B. Black box 
C. White box 
D. Regression
A

C. White box testing verifies inner logic.

13
Q
Which form of testing is performed after a change to verify that program inputs still produce the correct outputs? 
A. Pilot 
B. Black box 
C. White box 
D. Regression
A

D. Regression testing is performed after a change to verify that previously correct inputs still produce the expected outputs, that is, that the change has not broken existing behavior.
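The two testing styles from cards 12 and 13 side by side, as an added example (not code from the page): `resolve_under` is a constructed path-containment check with three internal decision points. The white-box checks drive each branch of its inner logic; the regression table records the expected output for a set of inputs so that a later change which alters any of them is caught. The base directory, inputs and the earlier-bug note are constructed for the example, and POSIX paths are assumed.

```python
"""White-box and regression tests for a path-containment check (added example).

`resolve_under` is a constructed function with three internal decision points.
The white-box checks drive each branch; the regression table pins the expected
output for inputs that mattered in an earlier version, so a later change that
alters any of them is caught. POSIX paths are assumed."""
import os.path
from typing import Optional


def resolve_under(base: str, relative: str) -> Optional[str]:
    """Return the absolute path of `relative` inside `base`, or None if it escapes."""
    base_abs = os.path.abspath(base)
    if os.path.isabs(relative):                      # branch 1: absolute input is never allowed
        return None
    candidate = os.path.abspath(os.path.join(base_abs, relative))
    if candidate == base_abs:                        # branch 2: '.' or '' refers to base itself
        return candidate
    if not candidate.startswith(base_abs + os.sep):  # branch 3: escaped the base directory
        return None
    return candidate


def white_box_checks() -> dict:
    """Exercise every branch of resolve_under; each key reports one branch's outcome."""
    base = "/srv/data"
    return {
        "absolute_rejected": resolve_under(base, "/etc/passwd") is None,
        "base_itself": resolve_under(base, ".") == "/srv/data",
        "traversal_rejected": resolve_under(base, "../etc/passwd") is None,
        "normal_allowed": resolve_under(base, "reports/q1.csv") == "/srv/data/reports/q1.csv",
    }


# Constructed regression table: (base, relative, expected). The '../data2/x' row
# documents a sibling-directory case that a plain prefix check (without the
# trailing separator) would wrongly accept.
REGRESSION_CASES = [
    ("/srv/data", "reports/q1.csv", "/srv/data/reports/q1.csv"),
    ("/srv/data", "./reports/../q1.csv", "/srv/data/q1.csv"),
    ("/srv/data", "../data2/x", None),
    ("/srv/data", "/srv/data/q1.csv", None),
    ("/srv/data/", "sub/../../etc/shadow", None),
]


def run_regression() -> list:
    """Return the rows whose current output differs from the recorded expectation."""
    failures = []
    for base, relative, expected in REGRESSION_CASES:
        actual = resolve_under(base, relative)
        if actual != expected:
            failures.append((base, relative, expected, actual))
    return failures


if __name__ == "__main__":
    print(white_box_checks())
    print("regression failures:", run_regression())
```

The white-box checks need the source to write (one check per branch); the regression table does not, it only needs inputs and the outputs that were correct before the change, which is why regression suites are typically kept and grown across releases.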

14
Q
Security awareness training is best described as a ______________ control. 
A. Recovery 
B. Preventive 
C. Detective 
D. Corrective
A

B. Security awareness training is best described as a preventive control.

15
Q
Which of the following is the correct sequence of actions in access control mechanisms? 
A. Access profiles, authentication, authorization, and identification 
B. Security rules, identification, authorization, and authentication 
C. Identification, authentication, authorization, and accountability 
D. Audit trails, authorization, accountability, and identification
A

C. Identification (claiming an identity) comes first, authentication (proving that claim) second, and authorization (deciding what the authenticated identity may do) third. Accountability is last: it is the stage where the user’s actions are recorded so they can be traced back to that identity.
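The four stages in that order, as an added worked example (not code from the page): every request passes through identification, authentication, authorization and accountability, authorization is never evaluated for an identity that has not been proven, and every attempt, including failed ones, is written to the audit log. The user store, roles, passwords and the fixed salt are constructed for the example; a real system would use per-user random salts and a credential database.

```python
"""Identification, authentication, authorization, accountability in order
(added example, not from the page). The user store, roles and credentials are
constructed; a real system would use per-user random salts and a database."""
import hashlib
import hmac
from datetime import datetime, timezone

_ITERATIONS = 50_000
_SALT = b"constructed-example-salt"   # assumption: one fixed salt for the example only


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: password verifier and the roles each user holds.
USERS = {
    "alice": {"verifier": _derive("correct horse battery"), "roles": {"analyst"}},
    "root": {"verifier": _derive("hunter2"), "roles": {"admin"}},
}
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports"},
}
# Dummy verifier so a failed identification costs the same time as a real check.
_DUMMY_VERIFIER = _derive("not-a-real-password")

AUDIT_LOG: list = []


def identify(claimed: str) -> bool:
    """Stage 1: is the claimed identity one the system knows?"""
    return claimed in USERS


def authenticate(claimed: str, password: str) -> bool:
    """Stage 2: prove the claim. Constant-time compare, and always derive a hash."""
    verifier = USERS.get(claimed, {}).get("verifier", _DUMMY_VERIFIER)
    return hmac.compare_digest(verifier, _derive(password))


def authorize(user: str, action: str) -> bool:
    """Stage 3: may this authenticated user perform the action?"""
    return any(action in ROLE_PERMISSIONS[r] for r in USERS[user]["roles"])


def account(subject: str, action: str, outcome: str) -> None:
    """Stage 4: record what happened, whether or not it succeeded."""
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "subject": subject, "action": action, "outcome": outcome})


def access(claimed: str, password: str, action: str) -> bool:
    """Run the stages in order; authorization is never evaluated for an unproven identity."""
    if not identify(claimed):
        authenticate(claimed, password)   # spend the same time as a real check
        account(claimed, action, "denied: unknown identity (claimed, unverified)")
        return False
    if not authenticate(claimed, password):
        account(claimed, action, "denied: authentication failed (claimed, unverified)")
        return False
    if not authorize(claimed, action):
        account(claimed, action, "denied: not authorized")
        return False
    account(claimed, action, "allowed")
    return True


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "read:reports"))   # True
    print(access("alice", "correct horse battery", "write:reports"))  # False
    print(access("alice", "wrong", "read:reports"))                   # False
    print(access("mallory", "x", "read:reports"))                     # False
    for entry in AUDIT_LOG:
        print(entry)
```

Two details matter for accountability: the log entries for failed identification and authentication are marked as carrying a claimed, unverified name, since nothing has yet bound the action to a real principal, and the caller receives the same `False` whether the name, the password or the permission was at fault, so the response does not help an attacker enumerate valid accounts.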

16
Q
Which of the following controls is used to ensure that you have the right person for a specific job assignment? 
A. Background checks 
B. Dual controls 
C. Mandatory vacations 
D. Job rotation
A

A. Background checks help determine the right person for the right job.

17
Q
______________ are considered a detective control used to uncover employee malfeasance. 
A. Background checks 
B. Dual controls 
C. Mandatory vacations 
D. Job rotations
A

C. Mandatory vacations are considered a detective control: while the employee is away, someone else performs their duties and their work can be audited, which can uncover fraud the employee had been concealing.

18
Q
Which of the following review methods asks participants to write down their responses and hand them to the team lead for review? 
A. Quantitative review 
B. Modified Delphi 
C. Structured review 
D. Performance review
A

B. The modified Delphi review works by asking participants to write down their responses and hand them to the team leader for review.

19
Q
Applying change, cataloging change, scheduling change, implementing change, and reporting change to management are all steps in what process? 
A. Change control 
B. Life cycle assurance 
C. Operational assurance 
D. Resource management
A

A. Change control is the process of making changes in an organized manner.

20
Q
Who in the company is most responsible for initiating a risk analysis, directing a risk analysis, defining goals of the analysis, and making sure that the necessary resources are available during the analysis? 
A. The company’s information assurance manager 
B. The company’s security officer 
C. The company’s disaster recovery department and risk analysis team 
D. Senior management
A

D. The items listed in the question are all the responsibility of senior management.

21
Q
For what type of environment is SCEP best suited? 
A. A company whose users bring their own devices 
B. A closed environment 
C. Publicly traded companies 
D. Companies with a COPE policy in place
A

B. SCEP (Simple Certificate Enrollment Protocol) is best suited for a closed environment. It does not strongly authenticate the party requesting a certificate, so it is a poor fit where untrusted devices, such as user-owned devices, can reach the enrollment endpoint.

22
Q
What term describes the installation technique for when a user downloads a mobile device application from outside the normal application-distribution channel? 
A. Unsigned application loading 
B. Over-the-air loading 
C. Sideloading 
D. App’ing
A

C. Sideloading is downloading or installing an application from outside the normal application-distribution channel.

23
Q
What is the Linux technology akin to virtualization, where each instance runs on top of the host’s kernel but has its own network stack and incremental file system? 
A. Containerization 
B. Hypervization 
C. Virtualization 
D. Dockerization
A

A. Containerization is the Linux technology in which each instance shares the host’s kernel but is isolated by kernel namespaces, giving it its own network stack, and uses a layered (incremental) file system. Docker is a common tool for building and running containers.