ISC2 CC Pre-Course Assessment
All of the following are typically perceived as drawbacks to biometric systems, except: (D3, L3.2.1) A) Lack of accuracy B) Potential privacy concerns C) Retention of physiological data past the point of employment D) Legality
A) Lack of accuracy A is correct. Biometric systems can be extremely accurate, especially when compared with other types of access controls. B, C and D are all potential concerns when using biometric data, so those answers are incorrect in this context.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees transferring from one department to another, getting promoted, or cross-training to new positions can get access to the different assets they'll need for their new positions, in the most efficient manner. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Barbed wire
A) Role-based access controls (RBAC) RBAC is the most efficient way to assign permissions to users based on their job duties. A is the correct answer. B and C are incorrect; MAC and DAC don't offer the same kind of efficiency in this regard. D is incorrect; barbed wire is a physical control, and won't be useful in this context.
Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to ensure the data is protected while it's streaming. Which of the following methods is probably best for this purpose? (D5.1, L5.1.3) A) Symmetric encryption B) Hashing C) Asymmetric encryption D) VLANs
A) Symmetric encryption A is the correct answer; symmetric encryption offers confidentiality of data with the least amount of processing overhead, which makes it the preferred means of protecting streaming data. B is incorrect; hashing would not provide confidentiality of the data. C is incorrect; asymmetric encryption requires more processing overhead than symmetric encryption, and is therefore not preferable for streaming purposes. D is incorrect; VLANs are useful for logical segmentation of networks, but do not serve a purpose for streaming data to remote users.
If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) A) 1 B) 4 C) 8 D) 11
B) 4 In asymmetric encryption, each party needs their own key pair (a public key and a private key) to engage in confidential communication, so two parties need four keys in total. B is the correct answer. A, C and D are incorrect for the same reason.
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) A) 12 B) 80 C) 247 D) 999
B) 80 B is the correct answer; port 80 is used for HTTP traffic, and HTTP is a Web-browsing protocol. A, C and D are incorrect; these ports are not used by Web browsers.
Which of these is an example of a physical access control mechanism? (D3, L3.2.1) A) Software-based firewall at the perimeter of the network B) A lock on a door C) Network switches that filter according to MAC addresses D) A process that requires two people to act at the same time to perform a function
B) A lock on a door B is correct. A lock on a door restricts physical access to the area on the other side of the door to only those personnel who have the appropriate entry mechanism (key, badge, etc.). A and C are both technical/logical controls. D is an administrative control.
One of the benefits of computer-based training (CBT): (D5.4, L5.4.1) A) Expensive B) Scalable C) Personal interaction with instructor D) Interacting with other participants
B) Scalable B is the correct answer. CBT is completely scalable, because it can be replicated uniformly for any number of users. A, C and D are incorrect; these are not characteristics of CBT.
Bert wants to add a flashlight capability to a smartphone. Bert searches the internet for a free flashlight app, and downloads it to the phone. The app allows Bert to use the phone as a flashlight, but also steals Bert's contacts list. What kind of app is this? (D4.2 L4.2.1) A) DDOS B) Trojan C) Side channel D) On-path
B) Trojan This is a textbook example of a Trojan horse application. Bert has intentionally downloaded the application with the intent to get a desired service, but the app also includes a hostile component Bert is unaware of. A is incorrect; DDOS involves multiple attacking machines trying to affect the availability of the target. C is incorrect; a side channel attack is passive and generally only observes operational activity, instead of capturing and exfiltrating specific data. D is incorrect; an on-path attack involves the attackers inserting themselves between communicating parties.
A _____ is a record of something that has occurred. (D3, L3.2.1) A) Biometric B) Law C) Log D) Firewall
C) Log C is correct. This is a description of a log. A is incorrect; "biometrics" is a term used to describe access control systems that use physiological traits of individuals in order to grant/deny access. B is incorrect; laws are legal mandates. D is incorrect; a firewall is a device for filtering traffic.
When should a business continuity plan (BCP) be activated? (D2, L2.2.1) A) As soon as possible B) At the very beginning of a disaster C) When senior management authorizes D) When instructed to do so by regulators
C) When senior management authorizes C is correct. A senior manager with the proper authority must initiate the BCP. A is incorrect; this answer has no context—there is no way to know when "as soon as possible" would be. B is incorrect; typically, it is impossible to determine the "beginning" of a disaster. D is incorrect; not all organizations are in regulated industries, and regulators do not supervise disaster response.
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) A) A credit card presented to a cash machine B) Your password and PIN C) A user ID D) A photograph of your face
D) A photograph of your face D is correct. A facial photograph is something you are—your appearance. A is incorrect because a credit card is an example of an authentication factor that is something you have. B is incorrect because passwords and PINs are examples of authentication factors that are something you know. C is incorrect because a user ID is an identity assertion, not an authentication factor.
An organization must always be prepared to ______ when applying a patch. (D5.2, L5.2.1) A) Pay for the updated content B) Buy a new system C) Settle lawsuits D) Rollback
D) Rollback Patches can sometimes cause unintended problems in the environment, so an organization must always be prepared to roll back the environment to the last known good state prior to when the patch was applied. D is the correct answer. A is incorrect; typically, vendors offer patches as part of long-term support for their products, at no extra cost. B is incorrect; we patch systems so that we do not have to replace them with new ones. C is incorrect; patching does not often lead to lawsuits.
Security controls on log data should reflect ________. (D5.1, L5.1.2) A) The organization's commitment to customer service B) The local culture where the log data is stored C) The price of the storage device D) The sensitivity of the source device
D) The sensitivity of the source device Log data should be protected at a security level as high as, or higher than, the security level of the systems or devices the log was captured from. D is the correct answer. A, B and C are incorrect; these are not qualities that dictate the level of protection on log data.
Which of the following probably poses the most risk? (D1, L1.2.1) A) A high-likelihood, high-impact event B) A high-likelihood, low-impact event C) A low-likelihood, high-impact event D) A low-likelihood, low-impact event
A) A high-likelihood, high-impact event A is correct. An event that has a significant probability of occurring ("high-likelihood") and also has a severe negative consequence ("high-impact") poses the most risk. The other answers all pose less risk, because either the likelihood or the impact is described as "low." This is not to say that these risks can be dismissed, only that they are less significant than the risk posed by answer A.
Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) A) Administrative B) Finite C) Physical D) Technical
A) Administrative A is correct. Both the policy and the instruction are administrative controls; rules and governance are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; training is not a tangible object, so this is not a physical control. D is incorrect; training is not part of the IT environment, so it is not a technical control.
When data has reached the end of the retention period, it should be _____. (D5.1, L5.1.1) A) Destroyed B) Archived C) Enhanced D) Sold
A) Destroyed At the end of the retention period, data should be securely destroyed. A is the correct answer. B, C and D are incorrect; data must be securely destroyed at the end of the retention period.
A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1) A) Detective B) Preventive C) Deterrent D) Logical
A) Detective A is correct. The guard monitoring the camera can identify anomalous or dangerous activity; this is a detective control. B is incorrect; neither the guard nor the camera is actually preventing any activity before it occurs. C is incorrect; because the attacker is unaware of the guard and the camera, there is no deterrent benefit. D is incorrect; the guard is a physical control.
Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) A) Firewall B) Turnstile C) Anti-malware D) Badge system
A) Firewall Firewalls can often identify hostile inbound traffic, and potentially counter it. A is the correct answer. B and D are incorrect; these are physical controls and aren't effective in identifying/countering communications attacks. C is incorrect; anti-malware is not typically useful in countering attacks that employ excess traffic as an attack mechanism.
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) A) HIDS (host-based intrusion-detection systems) B) NIDS (network-based intrusion-detection systems) C) LIDS (logistical intrusion-detection systems) D) Firewalls
A) HIDS (host-based intrusion-detection systems) Host-based intrusion-detection systems are expressly designed for this purpose; each HIDS is installed on each endpoint machine. A is the correct answer. B is incorrect; NIDS are useful for monitoring internal traffic, but a HIDS would be better for distributed users/devices. C is incorrect; LIDS is not a term standard within our industry, and was just made up and used here as a distractor. D is incorrect; firewalls limit traffic, and can be used to identify potential threats, but a HIDS is specifically intended for this purpose.
Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2) A) Law, procedure B) Standard, law C) Law, standard D) Policy, law
A) Law, procedure A is correct. The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure. B and C are incorrect; neither document is recognized throughout the industry, so neither is a standard. D is incorrect; neither document is a strategic internal overview issued by senior management, so neither is a policy.
Tekila works for a government agency. All data in the agency is assigned a particular sensitivity level, called a "classification." Every person in the agency is assigned a "clearance" level, which determines the classification of data each person can access. What is the access control model being implemented in Tekila's agency? (D3, L3.3.1) A) MAC (mandatory access control) B) DAC (discretionary access control) C) RBAC (role-based access control) D) FAC (formal access control)
A) MAC (mandatory access control) This is an example of how MAC can be implemented. A is the correct answer. B is incorrect; in discretionary access control, operational managers are granted authority to determine which personnel have access to assets the manager controls. C is incorrect; in RBAC, personnel might not have clearance levels, and assets might not have classifications. D is incorrect; FAC is not a term used in this context, and is only included here as a distractor.
A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) A) Non-repudiation B) Multifactor authentication C) Biometrics D) Privacy
A) Non-repudiation A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they did, in fact, conduct. A system that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the question referred to authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiation and privacy are oppositional).
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) A) Risk tolerance B) Risk inversion C) Threat D) Vulnerability
A) Risk tolerance A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging
A) Role-based access controls (RBAC) RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment. A is the correct answer. B and C are incorrect; MAC and DAC do not offer this type of assurance. D is incorrect; logging will demonstrate user activity, but doesn't aid in reducing excess permissions.
Olaf is a member of ISC2 and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1) A) Tell the auditors the truth B) Ask supervisors for guidance C) Ask ISC2 for guidance D) Lie to the auditors
A) Tell the auditors the truth A is the best answer. The ISC2 Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) A) The object B) The rule C) The subject D) The site
A) The object A is correct. Prachi is manipulating the database, so the database is the object in the subject-object-rule relationship in this case. B and C are incorrect, because the database is the object in this situation. D is incorrect because "site" has no meaning in this context.
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) A) The same length B) The same characters C) The same language D) Different for the same inputs
A) The same length Hashing algorithms create output of a fixed length. A is the correct answer. B is incorrect; the characters in the output will change depending on the input. C is incorrect; hashing algorithms do not create output in any particular language—usually, the output is a mix of alphanumeric characters. D is incorrect; hash outputs should be the same when the same input is used.
Guillermo logs onto a system and opens a document file. In this example, Guillermo is: (D3, L3.1.1) A) The subject B) The object C) The process D) The software
A) The subject A is correct. Guillermo is the subject in this example. B is incorrect; in this example, the file is the object. C is incorrect; in this example, the process is logging on and opening the file. D is incorrect; in this example, the application used to open the file is the software.
Which type of fire-suppression system is typically the least expensive? (D4.3 L4.3.1) A) Water B) Dirt C) Oxygen-depletion D) Gaseous
A) Water Water is typically the least expensive type of fire-suppression system, as water is one of the most common chemicals on the planet. A is correct. B is incorrect; dirt is usually only used in the suppression of forest fires. C and D are incorrect; gaseous/oxygen depletion systems are typically much, much more expensive than water-based systems.
A tool that monitors local devices to reduce potential threats from hostile software. (D4.2 L4.2.3) A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall
B) Anti-malware B is correct; this is the purpose of anti-malware solutions. A, C and D are incorrect; these solutions are not typically designed to identify and counter malware.
The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) A) VLAN B) DMZ C) MAC D) RBAC
B) DMZ B is the correct answer; we often call this portion of the environment the "demilitarized zone." A is incorrect; a VLAN is a way to segment portions of the internal network. C is incorrect; MAC is the physical address of a given networked device. D is incorrect; RBAC is an access control model.
Which of the following roles does not typically require privileged account access? (D3, L3.1.1) A) Security administrator B) Data entry professional C) System administrator D) Help Desk technician
B) Data entry professional B is correct. Data entry professionals do not usually need privileged access. A, C and D are all incorrect; those are roles that typically need privileged access.
You are reviewing log data from a router; there is an entry that shows a user sent traffic through the router at 11:45 am, local time, yesterday. This is an example of a(n) _______. (D2, L2.1.1) A) Incident B) Event C) Attack D) Threat
B) Event An event is any observable occurrence within the IT environment ("any observable occurrence in a network or system"; source: NIST SP 800-61 Rev 2). While an event might be part of an incident, attack, or threat, no other information about the event was given in the question, so B is the correct answer.
Zarma is an ISC2 member and a security analyst for Triffid Corporation. One of Zarma's colleagues is interested in getting an ISC2 certification and asks Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1) A) Inform ISC2 B) Explain the style and format of the questions, but no detail C) Inform the colleague's supervisor D) Nothing
B) Explain the style and format of the questions, but no detail B is the best answer. It is all right to explain the format of the exam, and even to share your own impressions of how challenging and difficult you found the exam to be. But in order to protect the security of the test, and to adhere to the ISC2 Code of Ethics ("advance and protect the profession"), Zarma should not share any explicit information about details of the exam or reveal any actual questions.
All of the following are important ways to practice an organization's disaster recovery (DR) effort; which one is the most important? (D2, L2.3.1) A) Practice restoring data from backups B) Facility evacuation drills C) Desktop/tabletop testing of the plan D) Running the alternate operating site to determine if it could handle critical functions in times of emergency
B) Facility evacuation drills B is the only answer that directly addresses health and human safety, which is the paramount concern of all security efforts. All the other answers are good exercises to perform as DR preparation, but B is the correct answer.
Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except: (D3, L3.2.1) A) Sign-in sheet/tracking log B) Fence C) Badges that differ from employee badges D) Receptionist
B) Fence B is the best answer. A fence is useful for controlling visitors, authorized users and potential intruders. This is the only control listed among the possible answers that is not specific to visitors. A, C and D are all controls that should be used to manage visitors.
The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1) A) RBAC B) HVAC C) MAC
B) HVAC HVAC stands for "heating, ventilation and air conditioning," and is a common industry term. B is correct. A is incorrect; RBAC is an access control model. C is incorrect; MAC is the physical address of an IT device.
Glen is an ISC2 member. Glen receives an email from a company offering a set of answers for an ISC2 certification exam. What should Glen do? (D1, L1.5.1) A) Nothing B) Inform ISC2 C) Inform law enforcement D) Inform Glen's employer
B) Inform ISC2 B is correct. The ISC2 Code of Ethics requires that members "advance and protect the profession"; this includes protecting test security for ISC2 certification material. ISC2 (and every ISC2 member) has a vested interest in protecting test material, and countering any entity that is trying to undermine the validity of the certifications. This is, however, not a matter for law enforcement; if it turns out that law enforcement must be involved, ISC2 will initiate that activity. Glen's employer has no bearing on this matter.
Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)
B) NTP (Network Time Protocol) B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve the purpose of synchronization.
Siobhan is an ISC2 member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1) A) Inform ISC2 B) Pay the parking ticket C) Inform supervisors at Triffid D) Resign employment from Triffid
B) Pay the parking ticket B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the ISC2 Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, ISC2, or the security profession. Siobhan should, however, pay the ticket.
The senior leadership of Triffid Corporation decides that the best way to minimize liability for the company is to demonstrate the company's commitment to adopting best practices recognized throughout the industry. Triffid management issues a document that explains that Triffid will follow the best practices published by SANS, an industry body that addresses computer and information security. The Triffid document is a ______, and the SANS documents are ________. (D1, L1.4.2) A) Law, policy B) Policy, standard C) Policy, law D) Procedure, procedure
B) Policy, standard B is the correct answer. The Triffid document is a strategic, internal rule published by senior management; this is a policy. The SANS documents are industry best practices recognized globally; these are standards. A and C are incorrect, because neither document was issued by a governmental body, so they are not laws. D is incorrect because neither document is a detailed set of instructions, so they are not procedures.
Which common cloud deployment model typically features only a single customer's data/functionality stored on specific systems/hardware? (D4.3 L4.3.2) A) Public B) Private C) Community D) Hybrid
B) Private B is correct; this is the defining feature of private cloud. A is incorrect; in public cloud, multiple customers (or "tenants") typically share the underlying systems. C is incorrect; in community cloud, multiple customers from a shared affinity group/industry typically share access to the underlying infrastructure. D is incorrect; in hybrid cloud, more than one customer may use underlying infrastructure.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
B) Procedure B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure be created and implemented. C is incorrect. The procedure is not recognized and implemented throughout the industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a ________. (D1, L1.4.2) A) Law B) Procedure C) Standard D) Policy
B) Procedure B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because the instructions are not particular to a given organization.
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization
B) Return to normal, full operations B is correct. DR efforts are intended to return the organization to normal, full operations. A is incorrect; DR is often quite expensive, and not a cost-saving measure. C is incorrect; this is the goal of business continuity (BC) efforts. D is incorrect; DR efforts are intended to return the organization to normal, full operations, not enhance public perception.
Tina is an ISC2 member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1) A) Nothing B) Stop participating in the group C) Report the group to law enforcement D) Report the group to ISC2
B) Stop participating in the group B is the best answer. The ISC2 Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make ISC2 members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
In order for a biometric security system to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) A) Broadcast B) Stored C) Deleted D) Modified
B) Stored B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant access later. D is incorrect; biometric data should not be modified, or it may become useless for comparison purposes.
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy
B) The acceptable use policy (AUP) The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.
For which of the following assets is integrity probably the most important security aspect? (D1, L1.1.1) A) One frame of a streaming video B) The file that contains passwords used to authenticate users C) The color scheme of a marketing website D) Software that checks the spelling of product descriptions for a retail website
B) The file that contains passwords used to authenticate users B is correct. If a password file is modified, the impact to the environment could be significant; there is a possibility that all authorized users could be denied access, or that anyone (including unauthorized users) could be granted access. The integrity of the password file is probably the most crucial of the four options listed. A is incorrect because one frame of an entire film, if modified, probably would have little to no effect whatsoever on the value of the film to the viewer; a film has thousands (or tens of thousands, or millions) of frames. C is incorrect because a change in marketing material, while significant, is not as crucial as the integrity of the password file described in Answer B. D is incorrect because a typo in a product description is not likely to be as important as the integrity of the password file described in Answer B.
What is the risk associated with delaying resumption of full normal operations after a disaster? (D2, L2.3.1) A) People might be put in danger B) The impact of running alternate operations for extended periods C) A new disaster might emerge D) Competition
B) The impact of running alternate operations for extended periods B is correct. Alternate operations are typically more costly than normal operations, in terms of impact to the organization; extended alternate operations could harm the organization as much as a disaster. A is incorrect; typically, alternate operations are safer than normal operations. C is incorrect; this would actually be an argument for delaying alternate operations, but it doesn't make much sense. D is incorrect; competition is always a risk, but doesn't have anything to do with DR efforts.
In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) A) Fear B) Threat C) Control D) Asset
B) Threat B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.
Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly? (D4.2 L4.2.3) A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems B) Update the anti-malware solution regularly C) Install a monitoring solution to check the anti-malware solution D) Alert the public that this protective measure has been taken
B) Update the anti-malware solution regularly B is the correct answer. Anti-malware solutions typically work with signatures for known malware; without continual updates, these tools lose their efficacy. A, C and D are incorrect; these measures will not aid in the effectiveness of anti-malware solutions.
Data retention periods apply to ____ data. (D5.1, L5.1.1) A) Medical B) Sensitive C) All D) Secret
C) All All data should have specific retention periods (even though retention periods may differ for various types of data). C is the correct answer. A, B and D are incorrect; retention periods affect all data.
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) A) Doug is a bad person B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C) Anything either of them do will be attributed to Trina D) It is against the law
C) Anything either of them do will be attributed to Trina If two users are sharing one set of credentials, then the actions of both users will be attributed to that single account; the organization will be unable to discern exactly who performed which action, which can be troublesome if either user does something negligent or wrong. C is the correct answer. A is incorrect; we don't know enough about Doug from the question. B is incorrect; while true, getting Doug to remember credentials shouldn't be the priority of the situation. D is incorrect; regardless of whether sharing credentials is against the law (and it might or might not be, depending on the jurisdiction), the important point is that both users' actions must be distinct.
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select? (D3, L3.3.1) A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Security policy
C) Discretionary access controls (DAC) DAC gives managers the most choice in determining which employees get access to which assets. C is the correct answer. A and B are incorrect; RBAC and MAC do not offer the same kind of flexibility that DAC does. D is incorrect; "security policy" is too broad and vague to be applicable; C is the better answer.
Aphrodite is a member of ISC2 and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1) A) Inform ISC2 B) Inform law enforcement C) Inform Triffid management D) Nothing
C) Inform Triffid management C is the best answer. Aphrodite is required by the ISC2 Code of Ethics to "provide diligent and competent service to principals." This includes reporting policy violations to Triffid management (Triffid is the principal, in this case). A policy violation of this type is not a crime, so law enforcement does not need to be involved, and ISC2 has no authority over Triffid policy enforcement or employees.
Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2) A) SMTP (Simple Mail Transfer Protocol) B) FTP (File Transfer Protocol) C) SFTP (Secure File Transfer Protocol) D) SNMP (Simple Network Management Protocol)
C) SFTP (Secure File Transfer Protocol) C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols are either not efficient or not secure in Barry's intended use.
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1) A) Router B) Switch C) Server D) Laptop
C) Server A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed by multiple users. C is the correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide specific services. D is incorrect; a laptop is typically only assigned to a single user.
ISC2 publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge? (D1, L1.4.1) A) Policy B) Procedure C) Standard D) Law
C) Standard C is correct. The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard. A is incorrect; the CBK is not a set of internal rules used for a particular organization; it is used throughout the industry. B is incorrect. The CBK is not a process that is followed; it is a set of information. D is incorrect; the CBK is not mandated by a governmental body.
Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3) A) Annual budgeting B) Conferences with senior leadership C) Updating and patching systems D) The annual shareholders' meeting
C) Updating and patching systems C is the correct answer. Keeping systems up to date is typically part of both the configuration management process and enacting best security practices. A, B and D are incorrect; these activities are neither part of the configuration management process nor a best security practice.
Security needs to be provided to ____ data. (D5.1, L5.1.1) A) Restricted B) Illegal C) Private D) All
D) All D is the correct answer. All data needs some form of security; even data that is not sensitive (such as data intended for public view) needs protection to ensure availability. A, B and C are incorrect; all data needs some form of security protection.
Which of these is the most important reason to conduct security instruction for all employees? (D5.4, L5.4.1) A) Reduce liability B) Provide due diligence C) It is a moral imperative D) An informed user is a more secure user
D) An informed user is a more secure user While all the answers are true, D is the single most important reason to conduct security instruction, because it leads to all the others. A, B and C are incorrect; while true, they are not the most important reason(s).
Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Segregation of duties C) Least privilege D) Dual control
D) Dual control D is correct. This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of multiple controls in this situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people, and the task cannot be completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to take part simultaneously; their actions can be spread over time and distance. This differs from dual control, where both people must be present at the same time. C is incorrect; the situation described in the question does not reduce the permissions of either person involved or limit their capabilities to their job function.
Which of the following is probably the main purpose of configuration management? (D5.2, L5.2.1) A) Keeping out intruders B) Ensuring the organization adheres to privacy laws C) Keeping secret material protected D) Ensuring only authorized modifications are made to the IT environment
D) Ensuring only authorized modifications are made to the IT environment The main purpose of configuration management is to ensure that there is uniformity throughout the IT environment, and that only authorized modifications are made. D is the correct answer. A, B and C are incorrect; these may be overall security goals, and configuration management may assist for these purposes, but these are not the main goal of configuration management.
A device that filters network traffic in order to enhance overall security/performance. (D4.1 L4.1.1) A) Endpoint B) Laptop C) MAC (media access control) D) Firewall
D) Firewall Firewalls filter traffic in order to enhance the overall security or performance of the network, or both. D is the correct answer. A is incorrect; "endpoint" is the term used to describe a device involved in a networked communication, at either "end" of a conversation. B is incorrect; laptops are not typically employed to filter network traffic. C is incorrect; MAC is the physical address of a device on a network.
Which of the following statements is true? (D3, L3.3.1) A) Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls B) Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls C) Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls D) It is best to use a blend of controls in order to provide optimum security
D) It is best to use a blend of controls in order to provide optimum security The use of multiple types of controls enhances overall security. D is correct. A, B and C are all incorrect, because no single type of control can provide adequate protection of an environment.
What is the goal of Business Continuity efforts? (D2, L2.2.1) A) Save money B) Impress customers C) Ensure all IT systems continue to operate D) Keep critical business functions operational
D) Keep critical business functions operational D is correct. Business Continuity efforts are about sustaining critical business functions during periods of potential interruption, such as emergencies, incidents, and disasters. A is incorrect; Business Continuity efforts often require significant financial expenditures. B is incorrect; Business Continuity efforts are important regardless of whether customers are impressed. C is incorrect; Business Continuity efforts should focus specifically on critical business functions, not the entire IT environment.
Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and "Public." This is an example of _____. (D5.1, L5.1.1) A) Secrecy B) Privacy C) Inverting D) Labeling
D) Labeling Labeling is the practice of annotating assets with classification markings. D is the correct answer. A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are visible. B is incorrect; privacy is associated with information that identifies a specific person (or specific people). C is incorrect; this term has no meaning in this context, and is used here only as a distractor.
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege
D) Least privilege D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.
An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3) A) Philosophical B) Remote C) Internal D) Physical
D) Physical IoT devices typically have some interaction with the physical realm, either by having some physical effect (a vacuum cleaner, refrigerator, light) or by monitoring the physical environment itself (a camera, sensor, etc.). A, B and C are incorrect; IoT is typified by effects on or use of the physical environment.
What is the most important goal of a business continuity effort? (D2, L2.2.1) A) Ensure all IT systems function during a potential interruption B) Ensure all business activities are preserved during a potential disaster C) Ensure the organization survives a disaster D) Preserve health and human safety
D) Preserve health and human safety In all security efforts, preserving health and human safety is paramount, so D is the correct answer. A, B and C are incorrect because D takes precedence over any of them.
The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1) A) Administrative B) Entrenched C) Physical D) Technical
D) Technical D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does not interact directly with other physical objects in order to prevent action, so "technical" is a better descriptor, and D is a better answer.
Jengi is setting up security for a home network. Jengi decides to configure MAC address filtering on the router, so that only specific devices will be allowed to join the network. This is an example of a(n) _______ control. (D1, L1.3.1) A) Physical B) Administrative C) Substantial D) Technical
D) Technical This is a difficult question, because it may seem as if there are two possible answers: the router enforces a set of rules as to which MAC addresses may be included on the network, so that sounds like an administrative control. However, the router is an IT system, so that seems as if it is a technical control. In fact, it is considered the latter. In general, it is best to consider the matter this way: if it has a power cord, or electricity running through it, it's a technical control. So D is the correct answer. A is incorrect; while the router is a tangible object, it does not act on the physical realm, affecting other tangible objects; it's an electronic device that is part of the IT environment. C is incorrect; "substantial" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
Which of the following is one of the common ways potential attacks are often identified? (D4.2 L4.2.2) A) The attackers contact the target prior to the attack, in order to threaten and frighten the target B) Victims notice excessive heat coming from their systems C) The power utility company warns customers that the grid will be down and the internet won't be accessible D) Users report unusual systems activity/response to Help Desk or the security office
D) Users report unusual systems activity/response to Help Desk or the security office Users often act as an attack-detection capability (although many user reports might be false positives). D is the correct answer. A and C are incorrect; unfortunately, we rarely get advance notification of impending threats to the environment. B is incorrect; attacks are not typically identified by physical manifestations.
Garfield is a security analyst at Triffid, Inc. Garfield notices that a particular application in the production environment is being copied very quickly, across systems and devices utilized by many users. What kind of attack could this be? (D4.2 L4.2.1) A) Spoofing B) Side channel C) Trojan D) Worm
D) Worm Activity of this type, where an application or file is replicating rapidly across an entire environment, is often indicative of a worm. D is correct. A is incorrect; spoofing uses captured credentials for the attack, not replication of apps. B is incorrect; a side channel attack is typically entirely passive. C is incorrect; while a Trojan horse method might be used to introduce a worm to the environment, not all Trojans are worms.