PRACTICE QUESTIONS Flashcards
Which of the following issues is NOT addressed by Kerberos? A. Availability B. Confidentiality C. Integrity D. Authentication
A
Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network from which a client requires services. It provides authentication, confidentiality, and integrity, but not availability.
Which of the following statements is not listed within the 4 canons of the (ISC)2 Code of Ethics?
A. All information systems security professionals who are certified by (ISC)2 shall observe all contracts and agreements, express or implied. B. All information systems security professionals who are certified by (ISC)2 shall render only those services for which they are fully competent and qualified. C. All information systems security professionals who are certified by (ISC)2 shall promote and preserve public trust and confidence in information and systems. D. All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the program they write.
D
Regarding codes of ethics covered within the ISC2 CBK, within which of them is the phrase
“Discourage unsafe practice” found?
A. Computer Ethics Institute commandments B. (ISC)2 Code of Ethics C. Internet Activities Board's Ethics and the Internet (RFC1087) D. CIAC Guidelines
B
The (ISC)2 Code of Ethics includes the phrase "Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures."
Which of the following is NOT a factor related to Access Control?
A. integrity B. authenticity C. confidentiality D. availability
B
Access control addresses the CIA triad (confidentiality, integrity, availability); authenticity is not part of the CIA triad.
Access controls are security features that control how users and systems communicate and interact with other systems and resources.
Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
Which of the following is the correct set of assurance requirements for EAL 5?
A. Semiformally verified design and tested B. Semiformally tested and checked C. Semiformally designed and tested D. Semiformally verified tested and checked
C
The EAL 5 requirement is "Semiformally designed and tested"; this level is sought when developing specialized Targets of Evaluation for high-risk situations.
Which of the following is needed for System Accountability?
A. Audit mechanisms. B. Documented design as laid out in the Common Criteria. C. Authorization. D. Formal verification of system design.
A
The major objective of system configuration management is which of the following?
A. System maintenance. B. System stability. C. System operations. D. System tracking.
B
The configuration baseline has been tried and tested and is known to be stable. Modifying the configuration settings of a system could lead to system instability. System configuration management helps to ensure system stability by enforcing a consistent configuration across the systems.
The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior
for Internet users?
A. Writing computer viruses. B. Monitoring data traffic. C. Wasting computer resources. D. Concealing unauthorized accesses.
C
The IAB considers wasting resources (people, capacity, and computers) through purposeful actions to be unethical.
A deviation from an organization-wide security policy requires which of the following?
A. Risk Acceptance B. Risk Assignment C. Risk Reduction D. Risk Containment
A
A deviation from an organization-wide security policy is a risk; allowing the deviation therefore requires formal risk acceptance.
Which of the following is the most important ISC2 Code of Ethics Canons?
A. Act honorably, honestly, justly, responsibly, and legally B. Advance and protect the profession C. Protect society, the commonwealth, and the infrastructure D. Provide diligent and competent service to principals
C
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach. B. Threat coupled with a vulnerability. C. Vulnerability coupled with an attack. D. Threat coupled with a breach of security.
B
Which of the following is considered the weakest link in a security system?
A. People B. Software C. Communications D. Hardware
A
Which one of the following represents an ALE calculation?
A. Single loss expectancy x annualized rate of occurrence. B. Gross loss expectancy x loss frequency. C. Actual replacement cost - proceeds of salvage. D. Asset value x loss expectancy.
A
ALE = SLE × ARO
SLE = Asset Value × Exposure Factor
Which of the following is the best reason for the use of an automated risk analysis tool?
A. Much of the data gathered during the review cannot be reused for subsequent analysis. B. Automated methodologies require minimal training and knowledge of risk analysis. C. Most software tools have user interfaces that are easy to use and do not require any training. D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.
D
The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and benefits of the security countermeasures chosen.
How is Annualized Loss Expectancy (ALE) derived from a threat?
A. ARO x (SLE - EF) B. SLE x ARO C. SLE/EF D. AV x EF
B
What does “residual risk” mean?
A. The security risk that remains after controls have been implemented B. Weakness of an asset which can be exploited by a threat C. Risk that remains after risk assessment has been performed D. A security risk intrinsic to an asset being audited, where no mitigation has taken place.
A
Preservation of confidentiality within information systems requires that the information is not disclosed to: A. Authorized persons B. Unauthorized persons or processes. C. Unauthorized persons. D. Authorized persons and processes
B
Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model?
A. Prevention of the modification of information by unauthorized users. B. Prevention of the unauthorized or unintentional modification of information by authorized users. C. Preservation of the internal and external consistency. D. Prevention of the modification of information by authorized users.
D
The Clark-Wilson model enforces the three goals of integrity by using the access triple (subject, transformation procedure [TP], object), separation of duties, and auditing.
What is called an event or activity that has the potential to cause harm to the information systems or networks? A. Vulnerability B. Threat agent C. Weakness D. Threat
D
DIFFERENCE BETWEEN THREAT AGENT AND THREAT:
- A threat is any potential danger that is associated with the exploitation of a vulnerability (potential).
- A threat agent is the entity that realizes the threat: an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information (occurring/occurred).
A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called: A. a vulnerability. B. a risk. C. a threat. D. an overflow.
A
What is called the probability that a threat to an information system will materialize? A. Threat B. Risk C. Vulnerability D. Hole
B
Risk mitigation and risk reduction controls for providing information security are classified within three main categories. Which of the following are those categories?
A. Preventive, corrective, and administrative. B. Detective, corrective, and physical. C. Physical, technical, and administrative. D. Administrative, operational, and logical.
C
Which of the following would be best suited to oversee the development of an information security policy? A. System Administrators B. End User C. Security Officers D. Security administrators
C
Which of the following is the MOST important aspect relating to employee termination?
A. The details of the employee have been removed from active payroll files. B. Company property provided to the employee has been returned. C. User ID and passwords of the employee have been deleted.
D. The appropriate company staff is notified about the termination.
D
All four are part of a termination procedure; however, D is the most inclusive correct answer, because notifying the appropriate staff is what triggers the other steps.
Making sure that only those who are supposed to access the data can access is which of the following? A. confidentiality B. capability C. integrity D. availability
A
Related to information security, confidentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster
B
Related to information security, integrity is the opposite of which of the following? A. abstraction B. alteration C. accreditation D. application
B
Making sure that the data is accessible when and where it is needed is which of the following? A. confidentiality B. integrity C. acceptability D. availability
D
Related to information security, availability is the opposite of which of the following? A. delegation B. distribution C. documentation D. destruction
D
Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following? A. Confidentiality B. Integrity C. Availability D. capability
A
Good security is built on which of the following concepts? A. The concept of a pass-through device that only allows certain traffic in and out. B. The concept of defense in depth. C. The concept of preventative controls. D. The concept of defensive controls.
B
The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: A. Honesty B. Ethical behavior C. Legality D. Control
D
One of these statements about the key elements of a good configuration process is NOT true:
A. Accommodate the reuse of proven standards and best practices B. Ensure that all requirements remain clear, concise, and valid C. Control modifications to system hardware in order to prevent resource changes D. Ensure changes, standards, and requirements are communicated promptly and precisely
C
Configuration management controls and tracks changes; it is not designed to prevent resource changes.
Which of the following is NOT part of user provisioning?
A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration
B
User provisioning involves the creation, maintenance, and deactivation of user objects and attributes; implementing business processes is not part of it.
Which of the following is MOST appropriate to notify an internal user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement
D
Not A: this is an internal user, and an internal user is met face-to-face and can therefore sign a written agreement.
What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month? A. 100 B. 120 C. 1 D. 1200
D
Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the
Internet (RFC 1087) as unacceptable and unethical activity?
A. uses a computer to steal B. destroys the integrity of computer-based information C. wastes resources such as people, capacity and computers through such actions D. involves negligence in the conduct of Internet-wide experiments
A
Stealing using a computer is not addressed in RFC 1087.
Keep in mind that these objectives are provided for information only within the CBK, as they apply to the committee and not to individuals. Which of the following statements pertaining to the (ISC)2 Code of Ethics is NOT true?
A. All information systems security professionals who are certified by (ISC)2 recognize that such a certification is a privilege that must be both earned and maintained. B. All information systems security professionals who are certified by (ISC)2 shall provide diligent and competent service to principals. C. All information systems security professionals who are certified by (ISC)2 shall forbid behavior such as associating or appearing to associate with criminals or criminal behavior. D. All information systems security professionals who are certified by (ISC)2 shall promote the understanding and acceptance of prudent information security measures.
C
The (ISC)2 Code of Ethics does not explicitly state that individuals certified by (ISC)2 should not associate with criminals or with criminal behavior.
Which approach to a security program ensures people responsible for protecting the company's assets are driving the program? A. The Delphi approach. B. The top-down approach. C. The bottom-up approach. D. The technology approach.
B
A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program. A bottom-up approach is commonly less effective.
Which of the following is NOT a part of a risk analysis? A. Identify risks B. Quantify the impact of potential threats C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure D. Choose the best countermeasure
D
Choosing the best countermeasure is not part of risk analysis; it is part of risk mitigation.