CISSP Practice Exam
What are the three types of policies that are missing from the following graphic?
A. Regulatory, Informative, Advisory
B. Regulatory, Mandatory, Advisory
C. Regulatory, Informative, Public
D. Regulatory, Informative, Internal Use
A. A Regulatory type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries. An Informative type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, indicate the company's goals and mission, and provide a general reporting structure in different situations. An Advisory type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, financial transactions, or how to process confidential information.
What type of risk analysis approach does the following graphic provide?
A. Quantitative
B. Qualitative
C. Operationally Correct
D. Operationally Critical
B. A qualitative risk analysis approach does not assign monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. Qualitative analysis techniques include judgment, best practices, intuition, and experience. This graphic shows a rating system, which qualitative risk analysis uses instead of percentages and monetary numbers.
Capability Maturity Model Integration (CMMI) came from the software engineering world and is used within organizations to help lay out a pathway of how incremental improvement can take place. This model is used by organizations in self-assessment and to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. In the CMMI model graphic shown, what is the proper sequence of the levels?
A. Initial, Defined, Managed, Quantitatively Managed, Optimizing
B. Initial, Defined, Quantitatively Managed, Optimizing, Managed
C. Defined, Managed, Quantitatively Managed, Optimizing
D. Initial, Managed, Defined, Quantitatively Managed, Optimizing
D. Capability Maturity Model Integration (CMMI) is an organizational development model for process improvement developed by Carnegie Mellon. While organizations know that they need to constantly make their security programs better, it is not always easy to accomplish because "better" is a vague and non-quantifiable concept. The only way we can really improve is to know where we are starting from, where we need to go, and the steps we need to take in between. This is how the security industry uses the CMMI model. A security program starts at Level 1 and is chaotic in nature. Processes are not predictable, and the security team is reactive to issues that arise—not proactive. The model uses the following maturity levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing.
Michael is charged with developing a classification program for his company. Which of the following should he do first?
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification level.
A. Before Michael begins developing his company's classification program, he must understand the different levels of protection that must be provided. Only then can he develop the necessary classification levels and their criteria. One company may choose to use only two layers of classification, while another may choose to use more. Regardless, when developing classification levels, he should keep in mind that too many or too few classification levels will render the classification ineffective; there should be no overlap in the criteria definitions between classification levels; and classification levels should be developed for both data and software.
Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality
A. Discontinuing activities that introduce risk. Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM activity because there is not enough business need for its use, then prohibiting this service is an example of risk avoidance. Risk assessment does not include the implementation of countermeasures such as this.
When developing a formal architecture (i.e., enterprise security architecture) as illustrated in the following graphic, what is the first item that needs to be identified, and what is the second item that needs to be captured?
A. Stakeholders, concerns
B. Framework, architecture
C. Model, architecture
D. Metrics, process improvement model
A. First, the system's stakeholders need to be identified, which is who depends upon the system and who is affected by the success or failure of the system. "System" is a general term that can represent a piece of software, network, or in our context, an enterprise security program. One stakeholder of a security program is the CEO, whose main concern could be the effects security issues have on the company's revenue. Another stakeholder could be the legal department, whose main concern is the liability risk as it pertains to the company's security program. Next, the concerns of the stakeholders need to be understood and captured. The stakeholders' concerns are one of the most important reasons that system architectures as illustrated in the question are developed. The architecture is a tool that allows the stakeholders to best understand if the system is meeting their concerns by being able to understand the system from their viewpoint. Architecture views are representations of the system's architecture that are meaningful to one or more stakeholders. The architect develops a set of views that will enable the architecture to be communicated to, and understood by, all the stakeholders, and enable them to verify that the system will address their concerns.
There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
A. Risk transference. Share the risk with other entities.
B. Risk reduction. Reduce the risk to an acceptable level.
C. Risk rejection. Accept the current risk.
D. Risk assignment. Assign risk to a specific owner.
A. Once a company knows the amount of total and residual risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
A. Risk mitigation. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. By implementing security controls such as antivirus and antispam software, Sue is reducing the risk posed by her company's e-mail system. This is also referred to as risk mitigation, where the risk is decreased to a level considered acceptable. In addition to the use of IT security controls and countermeasures, risk can be mitigated by improving procedures, altering the environment, erecting barriers to the threat, and implementing early detection methods to stop threats as they occur, thereby reducing their possible damage.
Jill is establishing a company-wide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database's security controls and provide more granularity.
B. Implement access controls that display each user's permissions each time they access the database.
C. Change the database's classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.
A. The best approach to securing the database in this situation would be to increase the controls and assign very granular permissions. These measures would ensure that users cannot abuse their privileges and the confidentiality of the information would be maintained. Granularity of permissions gives network administrators and security professionals additional control over the resources they are charged with protecting, and a fine level of detail enables them to give individuals just the precise level of access they need.
Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the company's state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.
B. If all security activity takes place within the security department, then security is working within a silo and is not integrated throughout the organization. In a company with a security governance program, security responsibilities permeate the entire organization, from executive management down the chain of command. A common scenario would be executive management holding business unit managers responsible for carrying out risk management activities for their specific business units. In addition, employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization
B. The Organisation for Economic Co-operation and Development. Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. Thus, the Organisation for Economic Co-operation and Development (OECD) developed guidelines for various countries so that data is properly protected and everyone follows the same rules.
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset's value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset's value to the organization's production operations
B. The level of insurance required to cover the asset is not a consideration when assigning values to assets. It is actually the other way around: By knowing the value of an asset, an organization can more easily determine the level of insurance coverage to purchase for that asset. In fact, understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. This knowledge can also help companies perform effective cost/benefit analyses, understand exactly what is at risk, and comply with legal and regulatory requirements.
Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor
C. Any individual who routinely uses data for work-related tasks is a data user. Users must have the necessary level of access to the data to perform the duties within their position and are responsible for following operational security procedures to ensure the data's confidentiality, integrity, and availability to others. This means that users must practice due care and act in accordance with both security policy and data classification rules.
List, in the proper order, the learning objectives that are missing from the table that follows, along with their proper definitions.
A. Understanding, recognition and retention, skill
B. Skill, recognition and retention, skill
C. Recognition and retention, skill, understanding
D. Skill, recognition and retention, understanding
C. Awareness training and materials remind employees of their responsibilities pertaining to protecting company assets. Training provides skills needed to carry out specific tasks and functions. Education provides management skills and decision-making capabilities.
Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, not specifically just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals. In essence, CobiT addresses "what is to be achieved," while ITIL addresses "how to achieve it."
As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × vulnerability × asset value) × control gap = residual risk
D. (total risk - asset value) × countermeasures = residual risk
C. Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The leftover risk after countermeasures are implemented is called residual risk. Residual risk differs from total risk, which is the risk companies face when they choose not to implement any countermeasures. While the total risk can be determined by calculating threats × vulnerability × asset value = total risk, residual risk can be determined by calculating (threats × vulnerability × asset value) × control gap = residual risk. Control gap is the amount of protection the control cannot provide.
Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data
C. Extracting data from a database. Data classification does not involve the extraction of data from a database. However, data classification can be used to dictate who has access to read and write data that is stored in a database. Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may only be accessed by senior management. Auditing could be very detailed and its results monitored daily, and degaussing or zeroization procedures may be required to erase the data. On the other hand, information classified as public may be accessed by all employees, and no special auditing or destruction methods are required.
There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?
A. Changing an IP packet's source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools
C. Masquerading is an attempt to gain unauthorized access by impersonating an authorized user. Masquerading is commonly used by attackers carrying out phishing attacks and has been around for a long time. For example, in 1996 hackers posed as AOL staff members and sent messages to victims asking for their passwords in order to verify correct billing information or verify information about the AOL accounts. Today, phishers often masquerade as large banking companies and well-known Internet entities like Amazon.com and eBay. Masquerading is a type of active attack because the attacker is actually doing something instead of sitting back and gathering data.
Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy
C. Safe Harbor. The Safe Harbor requirements were created to harmonize the data privacy practices of the U.S. with the European Union's stricter privacy controls, and to prevent accidental information disclosure and loss. The framework outlines how any entity that is going to move private data to and from Europe must go about protecting it. By certifying against this rule base, U.S. companies that work with European entities can more quickly and easily transfer data.
As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner?
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data
C. Verifying the availability of data. The responsibility of verifying the availability of data is the only responsibility listed that does not belong to the information owner. Rather, it is the responsibility of the information custodian. The information custodian is also responsible for maintaining and protecting data as dictated by the information owner. This includes performing regular backups of data, restoring data from backup media, retaining records of activity, and fulfilling information security and data protection requirements in the company's policies, guidelines, and standards. Information owners work at a higher level than the custodians. The owners basically state, "This is the level of integrity, availability, and confidentiality that needs to be provided—now go do it." The custodian must then carry out these mandates and follow up with the installed controls to make sure they are working properly.
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
A. FAP
B. OCTAVE
C. ANZ 4360
D. NIST SP 800-30
C. While ANZ 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methodologies, such as NIST and OCTAVE, which focus on IT threats and information security risks. ANZ 4360 can be used to understand a company's financial, capital, human safety, and business decisions risks.
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee
D. Security steering committee. Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of confidentiality, integrity, and availability as they pertain to the organization's business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.
Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data
D. The Chief Privacy Officer (CPO) position is being created by companies in response to the increasing demands on organizations to protect myriad types of data. The CPO is responsible for ensuring the security of customer, company, and employee data, which keeps the company free from legal prosecution and—hopefully—out of the headlines. Thus, the CPO is directly involved with setting policies on how data is collected, protected, and distributed to third parties. The CPO is usually an attorney and reports to the Chief Security Officer.
The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description.
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.
D. The bottom-right quadrant contains low-impact, high-probability risks. This means that there is a high chance that specific threats will exploit specific vulnerabilities. Although these risks are commonly frequent, their business impact is low. Out of the four quadrants, the risks that reside in this quadrant should be dealt with after the first two higher quadrants. An example of a risk that could reside in this quadrant is a virus that infects a user workstation. Since viruses are so common, this risk has a high probability of taking place. Because it is only a user workstation and not a production system, the impact would be low.
The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities
D. The extraction of data to share with unauthorized entities is a confidentiality issue, not an integrity issue. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Integrity, on the other hand, is the principle that signifies the data has not been changed or manipulated in an unauthorized manner.