PRACTICE QUESTIONS Flashcards by Michael Tamburri

Which of the following issues is NOT addressed by Kerberos?
A.
Availability
B.
Confidentiality
C.
Integrity
D.
Authentication

Using symmetric key cryptography, Kerberos authenticates clients to other entities on
a network of which a client requires services.

How well did you know this?

Not at all

Perfectly

Which of the following statements is not listed within the 4 canons of the (ISC)2 Code of Ethics?

A.
All information systems security professionals who are certified by (ISC)2 shall observe all
contracts and agreements, express or implied.
B.
All information systems security professionals who are certified by (ISC)2 shall render only those
services for which they are fully competent and qualified.
C.
All information systems security professionals who are certified by (ISC)2 shall promote and
preserve public trust and confidence in information and systems.
D.
All information systems security professionals who are certified by (ISC)2 shall think about the
social consequences of the program they write.

How well did you know this?

Not at all

Perfectly

Regarding codes of ethics covered within the ISC2 CBK, within which of them is the phrase
“Discourage unsafe practice” found?

A.
Computer Ethics Institute commandments
B.
(ISC)2 Code of Ethics
C.
Internet Activities Board's Ethics and the Internet (RFC1087)
D.
CIAC Guidelines

The (ISC)2 Code of Ethics include the phrase Discourage unsafe practices, and preserve and
strengthen the integrity of public infrastructures.

How well did you know this?

Not at all

Perfectly

Which of the following is NOT a factor related to Access Control?

A.
integrity
B.
authenticity
C.
confidentiality
D.
availability

Access Control = CIA - Authentication is not part of the CIA triad

Access controls are security features that control how users and systems communicate and
interact with other systems and resources.
Access controls give organization the ability to control, restrict, monitor, and protect resource
availability, integrity and confidentiality.

How well did you know this?

Not at all

Perfectly

Which of the following is the correct set of assurance requirements for EAL 5?

A.
Semiformally verified design and tested
B.
Semiformally tested and checked
C.
Semiformally designed and tested
D.
Semiformally verified tested and checked

The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Target of Evaluations for high-risk situations.

How well did you know this?

Not at all

Perfectly

Which of the following is needed for System Accountability?

A.
Audit mechanisms.
B.
Documented design as laid out in the Common Criteria.
C.
Authorization.
D.
Formal verification of system design.

How well did you know this?

Not at all

Perfectly

The major objective of system configuration management is which of the following?

A.
System maintenance.
B.
System stability.
C.
System operations.
D.
System tracking.

The configuration baseline will be tried and tested and known to be stable.
Modifying the configuration settings of a system could lead to system instability.

System configuration management will help to ensure system stability by ensuring a consistent
configuration across the systems.

How well did you know this?

Not at all

Perfectly

The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior
for Internet users?

A.
Writing computer viruses.
B.
Monitoring data traffic.
C.
Wasting computer resources.
D.
Concealing unauthorized accesses.

IAB considers wasting resources (people, capacity, and computers) through purposeful actions
unethical.

How well did you know this?

Not at all

Perfectly

A deviation from an organization-wide security policy requires which of the following?

A.
Risk Acceptance
B.
Risk Assignment
C.
Risk Reduction
D.
Risk Containment

A deviation from an organization-wide security policy is a ‘risk’.

How well did you know this?

Not at all

Perfectly

Which of the following is the most important ISC2 Code of Ethics Canons?

A.
Act honorably, honestly, justly, responsibly, and legally
B.
Advance and protect the profession
C.
Protect society, the commonwealth, and the infrastructure
D.
Provide diligent and competent service to principals

How well did you know this?

Not at all

Perfectly

Within the realm of IT security, which of the following combinations best defines risk?

A.
Threat coupled with a breach.
B.
Threat coupled with a vulnerability.
C.
Vulnerability coupled with an attack.
D.
Threat coupled with a breach of security.

How well did you know this?

Not at all

Perfectly

Which of the following is considered the weakest link in a security system?

A.
People
B.
Software
C.
Communications
D.
Hardware

How well did you know this?

Not at all

Perfectly

Which one of the following represents an ALE calculation?

A.
Single loss expectancy x annualized rate of occurrence.
B.
Gross loss expectancy x loss frequency.
C.
Actual replacement cost - proceeds of salvage.
D.
Asset value x loss expectancy.

ALE = SLE * ARO

Asset Value × Exposure Factor = SLE

How well did you know this?

Not at all

Perfectly

Which of the following is the best reason for the use of an automated risk analysis tool?

A.
Much of the data gathered during the review cannot be reused for subsequent analysis.
B.
Automated methodologies require minimal training and knowledge of risk analysis.
C.
Most software tools have user interfaces that are easy to use and do not require any training.
D.
Information gathering would be minimized and expedited due to the amount of information already
built into the tool.

The objective of these tools is to reduce the manual effort of these tasks, perform calculations
quickly, estimate future expected losses, and determine the effectiveness and benefits of the
security countermeasures chosen.

How well did you know this?

Not at all

Perfectly

How is Annualized Loss Expectancy (ALE) derived from a threat?

A.
ARO x (SLE - EF)
B.
SLE x ARO
C.
SLE/EF
D.
AV x EF

How well did you know this?

Not at all

Perfectly

What does “residual risk” mean?
A. The security risk that remains after controls have been implemented
B.
Weakness of an asset which can be exploited by a threat
C.
Risk that remains after risk assessment has been performed
D.
A security risk intrinsic to an asset being audited, where no mitigation has taken place.

How well did you know this?

Not at all

Perfectly

Preservation of confidentiality within information systems requires that the information is not
disclosed to:
A.
Authorized persons
B.
Unauthorized persons or processes.
C.
Unauthorized persons.
D.
Authorized persons and processes

How well did you know this?

Not at all

Perfectly

Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson
model?

A.
Prevention of the modification of information by unauthorized users.
B.
Prevention of the unauthorized or unintentional modification of information by authorized users.
C.
Preservation of the internal and external consistency.
D.
Prevention of the modification of information by authorized users.

The Clark-Wilson model enforces the three goals of integrity by using access triple (subject,
software [TP], object), separation of duties, and auditing

How well did you know this?

Not at all

Perfectly

What is called an event or activity that has the potential to cause harm to the information systems
or networks?
A.
Vulnerability
B.
Threat agent
C.
Weakness
D.
Threat

DIFFERENCE BETWEEN THREAT AGENT AND THREAT:

-threat is any potential danger that is associated with the exploitation of a vulnerability (potential)

-threat agent could be an intruder accessing the network through a port on the firewall, a process
accessing data in a way that violates the security policy, a tornado wiping out a facility, or an
employee making an unintentional mistake that could expose confidential information. (Occurring/Occurred)

How well did you know this?

Not at all

Perfectly

A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the
information systems or networks is called:
A.
a vulnerability.
B.
a risk.
C.
a threat.
D.
an overflow.

How well did you know this?

Not at all

Perfectly

What is called the probability that a threat to an information system will materialize?
A.
Threat
B.
Risk
C.
Vulnerability
D.
Hole

How well did you know this?

Not at all

Perfectly

Risk mitigation and risk reduction controls for providing information security are classified within
three main categories, which of the following are being used?
A.
Preventive, corrective, and administrative.
B.
Detective, corrective, and physical.
C.
Physical, technical, and administrative.
D.
Administrative, operational, and logical.

How well did you know this?

Not at all

Perfectly

Which of the following would be best suited to oversee the development of an information security
policy?
A.
System Administrators
B.
End User
C.
Security Officers
D.
Security administrators

How well did you know this?

Not at all

Perfectly

Which of the following is the MOST important aspect relating to employee termination?
A.
The details of employee have been removed from active payroll files.
B.
Company property provided to the employee has been returned.
C.
User ID and passwords of the employee have been deleted.
ISC CISSP Exam
“Leading the way in IT Testing & Certification Tools” - www.testking.com 16
D.
The appropriate company staff is notified about the termination

All are correct, HOWEVER D is the inclusive correct answer

How well did you know this?

Not at all

Perfectly

``` Making sure that only those who are supposed to access the data can access is which of the following? A. confidentiality B. capability C. integrity D. availability ```

``` Related to information security, confidentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster ```

``` Related to information security, integrity is the opposite of which of the following? A. abstraction B. alteration C. accreditation D. application ```

``` Making sure that the data is accessible when and where it is needed is which of the following? A. confidentiality B. integrity C. acceptability D. availability ```

``` Related to information security, availability is the opposite of which of the following? A. delegation B. distribution C. documentation D. destruction ```

``` Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following? A. Confidentiality B. Integrity C. Availability D. capability ```

``` Good security is built on which of the following concept? A. The concept of a pass-through device that only allows certain traffic in and out. B. The concept of defense in depth. C. The concept of preventative controls. D. The concept of defensive controls. ```

``` The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: A. Honesty B. Ethical behavior C. Legality D. Control ```

One of these statements about the key elements of a good configuration process is NOT true A. Accommodate the reuse of proven standards and best practices B. Ensure that all requirements remain clear, concise, and valid C. Control modifications to system hardware in order to prevent resource changes D. Ensure changes, standards, and requirements are communicated promptly and precisely

C Configuration management should not be designed to prevent resource changes

Which of the following is NOT part of user provisioning? ``` A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration ```

B User provisioning involves the creation, maintenance, and deactivation of user objects and attributes

``` Which of the following is MOST appropriate to notify an internal user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement ```

D Not "A" because this is an internal user and an internal user is met face-to-face and therefore can sign an agreement.

``` What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month? A. 100 B. 120 C. 1 D. 1200 ```

Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) as unacceptable and unethical activity? A. uses a computer to steal B. destroys the integrity of computer-based information C. wastes resources such as people, capacity and computers through such actions D. involves negligence in the conduct of Internet-wide experiments

A Stealing using a computer is not addressed in RFC 1087.

Keeping in mind that these are objectives that are provided for information only within the CBK as they only apply to the committee and not to the individuals. Which of the following statements pertaining to the (ISC)2 Code of Ethics is NOT true? A. All information systems security professionals who are certified by (ISC)2 recognize that such a certification is a privilege that must be both earned and maintained. B. All information systems security professionals who are certified by (ISC)2 shall provide diligent and competent service to principals. C. All information systems security professionals who are certified by (ISC)2 shall forbid behavior such as associating or appearing to associate with criminals or criminal behavior. D. All information systems security professionals who are certified by (ISC)2 shall promote the understanding and acceptance of prudent information security measures.

C The ISC Code of Ethics does not explicitly state that an individual who are certified by (ISC)2 should not associate with criminals or with criminal behavior.

``` Which approach to a security program ensures people responsible for protecting the company's assets are driving the program? A. The Delphi approach. B. The top-down approach. C. The bottom-up approach. D. The technology approach. ```

B A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. A bottom-up approach is commonly less effective

``` Which of the following is NOT a part of a risk analysis? A. Identify risks B. Quantify the impact of potential threats C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure D. Choose the best countermeasure ```

D Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure would be part of risk mitigation.

``` How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk? A. Reject the risk. B. Perform another risk analysis. C. Accept the risk. D. Reduce the risk. ```

``` Which of the following is NOT an administrative control? A. Logical access control mechanisms B. Screening of personnel C. Development of policies, standards, procedures and guidelines D. Change control procedures ```

A “Logical control” also known as a “Technical control"

Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations? A. The Computer Security Act of 1987. B. The Federal Sentencing Guidelines of 1991. C. The Economic Espionage Act of 1996. D. The Computer Fraud and Abuse Act of 1986.

B Senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

What are the three FUNDAMENTAL principles of security? A. Accountability, confidentiality and integrity B. Confidentiality, integrity and availability C. Integrity, availability and accountability D. Availability, accountability and confidentiality

``` What would BEST define risk management? A. The process of eliminating the risk B. The process of assessing the risks C. The process of reducing risk to an acceptable level D. The process of transferring risk ```

``` Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment? A. A baseline B. A standard C. A procedure D. A guideline ```

``` Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following? A. Integrity B. Confidentiality C. Availability D. Identity ```

``` Which of the following is NOT a technical control? A. Password and resource management B. Identification and authentication methods C. Monitoring for physical intrusion D. Intrusion Detection Systems ```

Which of the following would NOT violate the Due Diligence concept? A. Security policy being outdated B. Data owners not laying out the foundation of data protection C. Network administrator not taking mandatory two-week vacation as planned D. Latest security patches for servers being installed as per the Patch Management process

Ensuring least privilege does NOT require: A. Identifying what the user's job is. B. Ensuring that the user alone does not have sufficient rights to subvert an important process. C. Determining the minimum set of privileges required for a user to perform their duties. D. Restricting the user to required privileges and nothing more.

B The answer is an example of separation of duties where it would take collusion between two or more people to subvert the process.

``` Who is responsible for providing reports to the senior management on the effectiveness of the security controls? ISC CISSP Exam "Leading the way in IT Testing & Certification Tools" - www.testking.com 34 A. Information systems security professionals B. Data owners C. Data custodians D. Information systems auditors ```

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%? A. $300,000 B. $150,000 C. $60,000 D. $1,500

C The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1. In this question, the EF is $1,000,000 x 30% = $300,000. The ARO is once every five years which equals 0.2 (1 / 5). Therefore, the highest amount a company should spend annually on countermeasures is $300,000 x 0.2 = $60,000.

``` Which of the following statements pertaining to quantitative risk analysis is NOT true? A. Portion of it can be automated B. It involves complex calculations C. It requires a high volume of information D. It requires little experience to apply ```

``` Which property ensures that only the intended recipient can access the data and nobody else? A. Confidentiality B. Capability C. Integrity D. Availability ```

``` Making sure that the data has not been changed unintentionally, due to an accident or malice is: A. Integrity. B. Confidentiality. C. Availability. D. Auditability. ```

Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures? A. design, development, publication, coding, and testing B. design, evaluation, approval, publication, and implementation C. initiation, evaluation, development, approval, publication, implementation, and maintenance D. feasibility, development, approval, implementation, and integration

What is the goal of the Maintenance phase in a common development process of a security policy? A. to review the document on the specified review date B. publication within the organization C. to write a proposal to management that states the objectives of the policy D. to present the document to an approving body

What is the difference between Advisory and Regulatory security policies? A. there is no difference between them B. regulatory policies are high level policy, while advisory policies are very detailed C. Advisory policies are not mandated. Regulatory policies must be implemented. D. Advisory policies are mandated while Regulatory policies are not

``` Risk analysis is MOST useful when applied during which phase of the system development process? A. Project initiation and Planning B. Functional Requirements definition C. System Design Specification D. Development and Implementation ```

What is the main purpose of Corporate Security Policy? A. To transfer the responsibility for the information security to all users of the organization B. To communicate management's intentions in regards to information security C. To provide detailed steps for performing specific actions D. To provide a common framework for all development activities

B dictates what role security plays within the organization.

Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)? A. Access to and use of the Internet is a privilege and should be treated as such by all users of the systems. B. Users should execute responsibilities in a manner consistent with the highest standards of their profession. C. There must not be personal data record-keeping systems whose very existence is secret. D. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent.

A RFC 1087 is called “Ethics and the Internet.” This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior.

Out of the steps listed below, which one is not one of the steps conducted during the Business Impact Analysis (BIA)? A. Alternate site selection B. Create data-gathering techniques C. Identify the company’s critical business functions D. Select individuals to interview for data gathering

A Its part of the BCP, not BIA

``` In the CIA triad, what does the letter A stand for? A. Auditability B. Accountability C. Availability D. Authentication ```

Controls are implemented to: A. eliminate risk and reduce the potential for loss. B. mitigate risk and eliminate the potential for loss. C. mitigate risk and reduce the potential for loss. D. eliminate risk and eliminate the potential for loss.

``` What can be described as a measure of the magnitude of loss or impact on the value of an asset? A. Probability B. Exposure factor C. Vulnerability D. Threat ```

B The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset

``` The scope and focus of the Business continuity plan development depends most on: A. Directives of Senior Management B. Business Impact Analysis (BIA) C. Scope and Plan Initiation D. Skills of BCP committee ```

``` Which of the following best allows risk management results to be used knowledgeably? A. A vulnerability analysis B. A likelihood assessment C. An uncertainty analysis D. Threat identification ```

C uncertainty analysis attempts to document this so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of confidence or precision in the risk management model or methodology and (2) a lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

Which of the following control pairings include: organizational policies and procedures, preemployment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Administrative Pairing

``` What can best be defined as high-level statements, beliefs, goals and objectives? A. Standards B. Policies C. Guidelines D. Procedures ```

B A policy is defined as a high-level document that outlines senior management’s security directives A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy.

In an organization, an Information Technology security function should: A. Be a function within the information systems function of an organization. B. Report directly to a specialized business unit such as legal, corporate security or insurance. C. Be led by a Chief Security Officer and report directly to the CEO. D. Be independent but report to the Information Systems function.

C All correct except D, but "C" is the best answer

Qualitative loss resulting from the business interruption does NOT usually include: A. Loss of revenue B. Loss of competitive advantage or market share C. Loss of public confidence and credibility D. Loss of market leadership

A Qualitative does not have to do with money. Qualitative is used for strategic decision-making. Qualitative impact includes such factors as reputation, goodwill, value of the brand and lost opportunity, among others

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)? A. Calculate the risk for each different business function. B. Identify the company’s critical business functions. C. Calculate how long these functions can survive without these resources. D. Develop a mission statement.

Which of the following is NOT a common integrity goal? A. Prevent unauthorized users from making modifications. B. Maintain internal and external consistency. C. Prevent authorized users from making improper modifications. D. Prevent paths that could lead to inappropriate disclosure.

``` At what Orange Book evaluation levels are design specification and verification FIRST required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above. ```

C NO IDEA WHAT THIS IS... RESEARCH THIS B1: Labeled Security: Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject’s and object’s security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement, and the design specifications are reviewed and verified. This security rating is intended for environments that require systems to handle classified data.

Which of the following is an advantage of a qualitative over a quantitative risk analysis? A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. B. It provides specific quantifiable measurements of the magnitude of the impacts. C. It makes a cost-benefit analysis of recommended controls easier. D. It can easily be automated.

A One risk assessment methodology is called FRAP, which stands for Facilitated Risk Analysis Process.

An effective information security policy should NOT have which of the following characteristic? A. Include separation of duties B. Be designed with a short- to mid-term focus C. Be understandable and supported by all stakeholders D. Specify areas of responsibility and authority

B It should be created with the intention of having the policies in place for several years at a time

Which of the following choices is NOT normally part of the questions that would be asked in regards to an organization's information security policy? A. Who is involved in establishing the security policy? B. Where is the organization's security policy defined? C. What are the actions that need to be performed in case of a disaster? D. Who is responsible for monitoring compliance to the organization's security policy?

``` The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system is referred to as? A. Confidentiality B. Availability C. Integrity D. Reliability ```

``` Which of the following would BEST classify as a management control? A. Review of security controls B. Personnel security C. Physical and environmental protection D. Documentation ```

A Management controls are largely procedural. REVIEWING is a procedure

``` Valuable paper insurance coverage does cover damage to which of the following? A. Inscribed, printed and Written documents B. Manuscripts C. Records D. Money and Securities ```

D Covers all these things, however D is the best answer

Which of the following statements pertaining to a security policy is NOT true? A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets. B. It specifies how hardware and software should be used throughout the organization. C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective. D. It must be flexible to the changing environment.

B Security policy does not specify how hardware and software should be used throughout the org. This is what the AUP is for.

If your property Insurance has Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on: A. Value of item on the date of loss B. Replacement with a new item for the old one regardless of condition of lost item C. Value of item one month before the loss D. Value of item on the date of loss plus 10 percent

``` The preliminary steps to security planning include all of the following EXCEPT which of the following? A. Establish objectives. B. List planning assumptions. C. Establish a security audit function. D. Determine alternate courses of action ```

C Security planning should include establishing objectives, listing assumptions and determining alternate courses of action. Security planning does not include establishing a security audit function. Auditing security is performed to ensure that the security measures implemented as described in the security plan are effective.

``` Step-by-step instructions used to satisfy control requirements are called a: A. policy. B. standard. C. guideline. D. procedure. ```

One purpose of a security awareness program is to modify: A. employee's attitudes and behaviors towards enterprise's security posture. B. management's approach towards enterprise's security posture. C. attitudes of employees with sensitive data. D. corporate attitudes about safeguarding data.

A The goal is for each employee to understand the importance of security to the company as a whole and to each individual This can best be achieved through a formalized process of security-awareness training.

What is a security policy? A. High level statements on management's expectations that must be met in regards to security B. A policy that defines authentication to the network. ISC CISSP Exam "Leading the way in IT Testing & Certification Tools" - www.testking.com 57 C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements. D. A statement that focuses on the authorization process for a system

The end result of implementing the principle of least privilege means which of the following? A. Users would get access to only the info for which they have a need to know B. Users can access all systems. C. Users get new privileges added when they change positions. D. Authorization creep.

Which of the following exemplifies proper separation of duties? A. Operators are not permitted modify the system time. B. Programmers are permitted to use the system console. C. Console operators are permitted to mount tapes and disks. D. Tape operators are permitted to use the system console.

``` An access control policy for a bank teller is an example of the implementation of which of the following? A. Rule-based policy B. Identity-based policy C. User-based policy D. Role-based policy ```

``` At which of the Orange Book evaluation levels is configuration management required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above. ```

D Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB). The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management.

``` Which type of security control is also known as "Logical" control? A. Physical B. Technical C. Administrative D. Risk ```

B Technical controls, which are also known as logical controls, are software or hardware components such as firewalls, IDS, encryption, identification and authentication mechanisms

Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes—Oxley Section 404 compliance? A. Committee of Sponsoring Organizations of the Treadway Commission (COSO) B. BIBA C. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) D. CCTA Risk Analysis and Management Method (CRAMM)

A COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. There have been laws in place since the 1970s that basically state that it was illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes–Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting findings to the Security Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

The Widget Company decided to take their company public and while they were in the process of doing so had an external auditor come and look at their company. As part of the external audit they brought in a technology expert, who incidentally was a new CISSP. The auditor's expert asked to see their last risk analysis from the technology manager. The technology manager did not get back to him for a few days and then the Chief Financial Officer gave the auditors a 2 page risk assessment that was signed by both the Chief Financial Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their financial data were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. Who owns the risk with regards to the data that is being backed up and where it is stored? A. Only the Chief Financial Officer B. Only the most Senior Management such as the Chief Executive Officer C. Both the Chief Financial Officer and Technology Manager D. Only The Technology Manager

A The chief financial officer (CFO) is a member of the board. The board members are responsible for setting the organization’s strategy and risk appetite (how much risk the company should take on). In this question, the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. The Chief Financial Officer therefore owns the risk.

``` The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: A. preventive/physical. B. detective/technical. C. detective/physical. D. detective/administrative ```

Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)? A. Notifying senior management of the start of the assessment. B. ISC CISSP Exam "Leading the way in IT Testing & Certification Tools" - www.testking.com 63 Creating data gathering techniques. C. Identifying critical business functions. D. Calculating the risk for each different business function.

A Notifying senior management of the start of the assessment is not one of the eight steps in the BIA process. Note: The steps of a Business Impact Assessment are: Step 1: Determine information gathering techniques. Step 2: Select interviewees (i.e. stakeholders.) Step 3: Customize questionnaire to gather economic and operational impact information. Step 4: Analyze collected impact information. Step 5: Determine time-critical business systems. Step 6: Determine maximum tolerable downtimes (MTD). Step 7: Prioritize critical business systems based on MTD. Step 8: Document findings and report recommendations.

Which of the following provides enterprise management with a prioritized list of time-critical business processes, and estimates a recovery time objective for each of the time critical processes and the components of the enterprise that support those processes? A. Business Impact Assessment B. Current State Assessment C. Risk Mitigation Assessment. D. Business Risk Assessment.

``` Which of the following answers is the BEST example of Risk Transference? A. Insurance B. Results of Cost Benefit Analysis C. Acceptance D. Not hosting the services at all ```

``` Which of the following answer BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff? A. Qualitative Risk Analysis B. Quantitative Risk Analysis C. Interview Approach to Risk Analysis D. Managerial Risk Assessment ```

A Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews

``` Regarding risk reduction, which of the following answers is BEST defined by the process of giving only just enough access to information necessary for them to perform their job functions? A. Least Privilege Principle B. Minimum Privilege Principle C. Mandatory Privilege Requirement D. Implicit Information Principle ```

``` Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with: A. preventive/physical. B. detective/technical. C. detective/physical. D. detective/administrative. ```

John is the product manager for an information system. His product has undergone under security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following technique is used by John to treat the identified risk provided by an IS auditor? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Sam is the security Manager of a financial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat these risks? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer

Brainscape's Knowledge GenomeTM

PRACTICE QUESTIONS Flashcards

Brainscape's Knowledge Genome^TM