Information Security Final Exam

Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? - Dictionary attack - Rainbow table attack - Social engineering attack - Brute-force attack

Brute-force attack

What information should an auditor share with the client during an exit interview? - Draft copy of the audit report - Final copy of the audit report - Details on major issues - The auditor should not share any information with the client at this phase

Details on major issues

What is the first step in a disaster recovery effort? - Respond to the disaster. - Follow the disaster recovery plan (DRP). - Communicate with all affected parties. - Ensure that everyone is safe

Ensure that everyone is safe

Which one of the following is an example of a disclosure threat? - Espionage - Alteration - Denial - Destruction

Espionage

Bob recently accepted a position as the information security and compliance manager for a medical practice. Which regulation is likely to most directly apply to Bob's employer? - Federal Information Security Management Act (FISMA) - Health Insurance Portability and Accountability Act (HIPAA) - Children's Internet Protection Act (CIPA) - Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

What federal government agency is charged with the responsibility of creating information security standards and guidelines for use within the federal government and more broadly across industries? - National Security Administration (NSA) - National Institute of Standards and Technology (NIST) - Department of Defense (DoD) - Federal Communications Commission (FCC)

National Institute of Standards and Technology (NIST)

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing? - Job rotation - Least privilege - Need-to-know - Separation of duties

Separation of duties

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type? - Service level agreement (SLA) - Blanket purchase agreement (BPA) - Memorandum of understanding (MOU) - Interconnection security agreement (ISA)

Service level agreement (SLA)

Which term describes an action that can damage or compromise an asset? - Risk - Vulnerability - Countermeasure - Threat

Threat

Which term describes any action that could damage an asset? - Risk - Countermeasure - Vulnerability - Threat

Threat

Which of the following items would generally NOT be considered personally identifiable information (PII)? - Name - Driver's license number - Trade secret - Social Security number

Trade secret

Yuri is a skilled computer security expert who attempts to break into the systems belonging to his clients. He has permission from the clients to perform this testing as part of a paid contract. What type of person is Yuri? - Cracker - White-hat hacker - Black-hat hacker - Grey-hat hacker

White-hat hacker

Which audit data collection method helps ensure that the information-gathering process covers all relevant areas? - Checklist - Interviews - Questionnaires - Observation

Checklist

Which one of the following is an example of a logical access control? - Key for a lock - Password - Access card - Fence

Password

Users throughout Alison's organization have been receiving unwanted commercial messages over the organization's instant messaging program. What type of attack is taking place? - Spam - Phishing - Social engineering - Spim

Spim

Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? - Accuracy - Reaction time - Dynamism - Acceptability

Acceptability

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve? - Reduced operating costs - Access to a high level of expertise - Developing in-house talent - Building internal knowledge

Access to a high level of expertise

What is NOT a good practice for developing strong professional ethics? - Set the example by demonstrating ethics in daily activities - Encourage adopting ethical guidelines and standards - Assume that information should be free - Inform users through security awareness training

Assume that information should be free

During which phase of the access control process does the system answer the question, "What can the requestor access?" - Identification - Authentication - Authorization - Accountability

Authorization

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing? - Identification - Authentication - Accountability - Authorization

Authorization

Howard is leading a project to commission a new information system that will be used by a federal government agency. He is working with senior officials to document and accept the risk of operation prior to allowing use. What step of the risk management framework is Howard completing? - Implement security controls in IT systems. - Assess security controls for effectiveness. - Authorize the IT system for processing. - Continuously monitor security controls.

Authorize the IT system for processing.

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort? - Disaster recovery plan (DRP) - Business impact analysis (BIA) - Business continuity plan (BCP) - Service level agreement (SLA)

Business continuity plan (BCP)

Federal agencies are required to name a senior official in charge of information security. What title is normally given to these individuals? - Chief information officer (CIO) - Chief technology officer (CTO) - Chief information security officer (CISO) - Chief financial officer (CFO)

Chief information security officer (CISO)

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)? - Seeking to gain unauthorized access to resources - Disrupting intended use of the Internet - Enforcing the integrity of computer-based information - Compromising the privacy of users

Enforcing the integrity of computer-based information

Erin is a system administrator for a federal government agency. What law contains guidance on how she may operate a federal information system? - Family Educational Rights and Privacy Act (FERPA) - Federal Information Security Management Act (FISMA) - Gramm-Leach-Bliley Act (GLBA) - Sarbanes-Oxley (SOX) Act

Federal Information Security Management Act (FISMA)

Rachel is investigating an information security incident that took place at the high school where she works. She suspects that students may have broken into the student records system and altered their grades. If correct, which one of the tenets of information security did this attack violate? - Confidentiality - Integrity - Availability - Nonrepudiation

Integrity

Which Internet of Things (IoT) challenge involves the difficulty of developing and implementing protocols that allow devices to communicate in a standard fashion? - Security - Privacy - Interoperability - Compliance

Interoperability

Which of the following would NOT be considered in the scope of organizational compliance efforts? - Laws - Company policy - Internal audit - Corporate culture

Laws

Which type of denial of service attack exploits the existence of software flaws to disrupt a service? - SYN flood attack - Smurf attack - Logic attack - Flooding attack

Logic attack

Which item is an auditor least likely to review during a system controls audit? - Resumes of system administrators - Incident records - Application logs - Penetration test results

Resumes of system administrators

Which formula is typically used to describe the components of information security risks? - Risk = Likelihood X Vulnerability - Risk = Threat X Vulnerability - Risk = Threat X Likelihood - Risk = Vulnerability X Cost

Risk = Threat X Vulnerability

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register? - Description of the risk - Expected impact - Risk survey results - Mitigation steps

Risk survey results

Which one of the following is NOT an example of store-and-forward messaging? - Telephone call - Voicemail - Unified messaging - Email

Telephone call

Bob is using a port scanner to identify open ports on a server in his environment. He is scanning a web server that uses Hypertext Transfer Protocol (HTTP). Which port should Bob expect to be open to support this service? - 21 - 23 - 80 - 443

80

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)? - An organization should collect only what it needs. - An organization should share its information. - An organization should keep its information up to date. - An organization should properly destroy its information when it is no longer needed.

An organization should share its information.

Joe is the CEO of a company that handles medical billing for several regional hospital systems. How would Joe's company be classified under the Health Insurance Portability and Accountability Act (HIPAA)? - Covered entity as a health plan - Covered entity as a healthcare clearinghouse - Covered entity as a provider - Business associate of a covered entity

Business associate of a covered entity

Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? - False acceptance rate (FAR) - False rejection rate (FRR) - Crossover error rate (CER) - Reaction time

Crossover error rate (CER)

Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit? - Does the organization have an effective password policy? - Does the firewall properly block unsolicited network connection attempts? - Who grants approval for access requests? - Is the password policy uniformly enforced?

Does the firewall properly block unsolicited network connection attempts?

Vincent recently went to work for a hospital system. He is reading about various regulations that apply to his new industry. What law applies specifically to health records? - Health Insurance Portability and Accountability Act (HIPAA) - Sarbanes-Oxley (SOX) Act - Payment Card Industry Data Security Standard (PCI DSS) - Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

What is a set of concepts and policies for managing IT infrastructure, development, and operations? - ISO 27002 - Control Objectives for Information and related Technology (COBIT) - IT Infrastructure Library (ITIL) - NIST Cybersecurity Framework (CSF)

IT Infrastructure Library (ITIL)

Alison retrieved data from a company database containing personal information on customers. When she looks at the SSN field, she sees values that look like this: "XXX-XX-9142." What has happened to these records? - Encryption - Truncation - Hashing - Masking

Masking

Which one of the following measures the average amount of time that it takes to repair a system, application, or component? - Uptime - Mean time to failure (MTTF) - Mean time to repair (MTTR) - Recovery time objective (RTO)

Mean time to repair (MTTR)

Which agreement type is typically less formal than other agreements and expresses areas of common interest? - Service level agreement (SLA) - Blanket purchase agreement (BPA) - Memorandum of understanding (MOU) - Interconnection security agreement (ISA)

Memorandum of understanding (MOU)

Tony is working with a law enforcement agency to place a wiretap pursuant to a legitimate court order. The wiretap will monitor communications without making any modifications. What type of wiretap is Tony placing? - Active wiretap - Between-the-lines wiretap - Piggyback-entry wiretap - Passive wiretap

Passive wiretap

Gwen's company is planning to accept credit cards over the Internet. Which one of the following governs this type of activity and includes provisions that Gwen should implement before accepting credit card transactions? - Health Insurance Portability and Accountability Act (HIPAA) - Family Educational Rights and Privacy Act (FERPA) - Communications Assistance for Law Enforcement Act (CALEA) - Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS)

Which regulatory standard would NOT require audits of companies in the United States? - Sarbanes-Oxley Act (SOX) - Personal Information Protection and Electronic Documents Act (PIPEDA) - Health Insurance Portability and Accountability Act (HIPAA) - Payment Card Industry Data Security Standard (PCI DSS)

Personal Information Protection and Electronic Documents Act (PIPEDA)

Which tool can capture the packets transmitted between systems over a network? - Wardialer - OS fingerprinter - Port scanner - Protocol analyzer

Protocol analyzer

What is NOT a goal of information security awareness programs? - Teach users about security objectives - Inform users about trends and threats in security - Motivate users to comply with security policy - Punish users who violate policy

Punish users who violate policy

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining? - Recovery time objective (RTO) - Recovery point objective (RPO) - Business recovery requirements - Technical recovery requirements

Recovery time objective (RTO)

Emily is the information security director for a large company that handles sensitive personal information. She is hiring an auditor to conduct an assessment demonstrating that her firm is satisfying requirements regarding customer private data. What type of assessment should she request? - SOC 1 (Service Organization Control 1) - SOC 2 (Service Organization Control 2) - SOC 3 (Service Organization Control 3) - SOC 4 (Service Organization Control 4)

SOC 3 (Service Organization Control 3)
