(ISC)2 Practice Exam 3
What is meant by non-repudiation? (D1, L1.1.1)
If a user does something, they can't later claim that they didn't do it.
Which of the following tools can be used to grant remote users access to the internal IT environment? (D4.3 L4.3.3)
VPN (virtual private network)
Is it possible to avoid risk? (D1, L1.2.1)
Yes
Which of the following is a subject? (D3, L3.1.1)
a user
A security solution that detects, identifies and often quarantines potentially hostile software. (D4.2 L4.2.3)
anti-malware
Which of the following is always true about logging? (D5.1.3, L5.1.3)
logs should be stored separately from the systems they're logging
A cloud arrangement whereby the provider owns and manages the hardware, operating system, and applications in the cloud, and the customer owns the data. (D4.3 L4.3.2)
platform as a service (PaaS)
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1)
procedure
What is the most important aspect of security awareness/training? (D5.4, L5.4.1)
protecting health and human safety
Sinka is considering a physical deterrent control to dissuade unauthorized people from entering the organization's property. Which of the following would serve this purpose? (D3, L3.2.1)
razor tape
Common network device used to connect networks. (D4.1 L4.1.1)
router
Why is an asset inventory so important? (D5.2.1, L5.2.1)
you can't protect what you don't know you have
Which port number is associated with the protocol typically used in this connection? (D4.1 L4.1.2)
80
The concept of "secrecy" is most related to which foundational aspect of security? (D1, L1.1.1)
Confidentiality
Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1)
Conflate
True or False? The IT department is responsible for creating the organization's business continuity plan. (D2, L2.2.1)
False
The common term used to describe the mechanisms that control the temperature and humidity in a data center. (D4.3 L4.3.1)
HVAC (heating, ventilation and air conditioning)
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1)
Management/Administrative control
While taking the exam for this certification, you notice another candidate cheating. What should you do? (D1, L1.5.1)
Report the candidate to (ISC)2.
Which is a physical control that prevents "piggybacking" or "tailgating"; that is, an unauthorized person following an authorized person into a controlled area? (D3, L3.2.1)
Turnstile
Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides not to make the purchase. What kind of risk management approach did Siobhan take? (D1, L1.2.2)
avoidance
Which of these components is very likely to be instrumental to any disaster recovery (DR) effort? (D2, L2.3.1)
backups
A set of security controls or system settings used to ensure uniformity of configuration throughout the IT environment. (D5.2.1, L5.2.1)
baseline
The Business Continuity effort for an organization is a way to ensure critical ______ functions are maintained during a disaster, emergency, or interruption to the production environment. (D2, L2.2.1)
business
Which of the following is often associated with DR planning? (D2, L2.3.1)
checklists
Lakshmi presents a userid and a password to a system in order to log on. Which of the following characteristics must the password have? (D3, L3.3.1)
confidential
Which of the following is very likely to be used in a disaster recovery (DR) effort? (D2, L2.3.1)
data backups
Which of the following can be used to map data flows through an organization and the relevant security controls used at each point along the way? (D5.1, L5.1)
data life cycle
A portion of the organization's network that interfaces directly with the outside world; typically, this exposed area has more security controls and restrictions than the rest of the internal IT environment. (D4.3 L4.3.3)
demilitarized zone (DMZ)
An attack against the availability of a network/system; typically uses many attacking machines to direct traffic against a given target. (D4.2 L4.2.1)
distributed-denial-of-service (DDOS)
Which of these activities is often associated with DR efforts? (D2, L2.3.1)
employees returning to the primary production location
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. This is an example of a(n) _______. (D2, L2.1.1)
event
A common network device used to filter traffic. (D4.1 L4.1.1)
firewall
Which of these combinations of physical security controls share a single point of failure? (D3, L3.2.1)
high-illumination lighting and cameras
A security solution installed on an endpoint in order to detect potentially anomalous activity. (D4.2 L4.2.2)
host-based intrusion prevention system
You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. After a brief investigation, you determine that the user's account has been compromised. This is an example of a(n) _______. (D2, L2.1.1)
incident detection
An external entity has tried to gain access to your organization's IT environment without proper authorization. This is an example of a(n) _________. (D2, L2.1.1)
intrusion
A ready visual cue to let anyone in contact with the data know what the classification is. (D5.1.1, L5.1.1)
label
Lia works in the security office. During research, Lia learns that a configuration change could better protect the organization's IT environment. Lia makes a proposal for this change, but the change cannot be implemented until it is approved, tested, and then cleared for deployment by the Change Control Board. This is an example of __________. (D3, L3.1.1)
segregation of duties
Who is responsible for publishing and signing the organization's policies? (D5.3.1, L5.3.1)
senior management
Derrick logs on to a system in order to read a file. In this example, Derrick is the ______. (D3, L3.3.1)
subject
A mode of encryption for ensuring confidentiality efficiently, with a minimum amount of processing overhead. (D5.1.2, L5.1.2)
symmetric
Which organizational policy is most likely to indicate which types of smartphones can be used to connect to the internal IT environment? (D5.3, L5.3.1)
the BYOD policy (bring your own device)
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2)
the law
Which entity is most likely to be tasked with monitoring and enforcing security policy? (D5.3, L5.3.1)
the security office
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1)
the users
Clyde is the security analyst tasked with finding an appropriate physical control to reduce the possibility that unbadged people will follow badged employees through the entrance of the organization's facility. Which of the following can address this risk? (D3, L3.2.1)
turnstiles
Duncan and Mira both work in the data center at Triffid, Inc. There is a policy in place that requires both of them to be present in the data center at the same time; if one of them has to leave for any reason, the other has to step out, too, until they can both re-enter. This is called ________. (D3, L3.1.1)
two-person integrity
Lakshmi presents a userid and a password to a system in order to log on. Which of the following characteristics must the userid have? (D3, L3.3.1)
unique
When responding to a security incident, your team determines that the vulnerability that was exploited was not widely known to the security community, and that there are no currently known definitions/listings in common vulnerability databases or collections. This vulnerability and exploit might be called ______.
zero-day