PreAssessment

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Data retention periods apply to ____ data. (D5.1, L5.1.1) Question options: A)Medical B)Sensitive C)All D)Secret

All

Integrity

The property that data has not been altered in an unauthorized manner

The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1) Question options: A)RBAC B)HVAC C)MAC

HVAC

If two people want to use symmetric encryption to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.3) Question options: A)1 B)3 C)8 D)none

1

If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) Question options: A) 1 B) 4 C) 8 D) 11

4

If two people want to use asymmetric communication to conduct a confidential conversation, how many keys do they need? (D5.1, L5.1.2) Question options: A)1 B)4 C)8 D)11

4

Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2) Question options: A)12 B)80 C)247 D)999

80

Which of the following is a biometric access control mechanism? (D3, L3.2.1) Question options: A)A badge reader B)A copper key C)A fence with razor tape on it D)A door locked by a voiceprint identifier

A door locked by a voiceprint identifier

Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) Question options: A)A safe B)A fence C)A data center D)A centralized log storage facility

A fence

Which of the following would be considered a logical access control? Question options: A)An iris reader that allows an employee to enter a controlled area B)A fingerprint reader that allows an employee to enter a controlled area C)A fingerprint reader that allows an employee to access a laptop computer D)A chain attached to a laptop computer that connects it to furniture so it cannot be taken

A fingerprint reader that allows an employee to access a laptop computer Logical access controls limit who can gain user access to a device/system

Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) Question options: A)A credit card presented to a cash machine B)Your password and PIN C)A user ID D)A photograph of your face

A photograph of your face

Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel. This is an example of _________. (D1, L1.2.2)

Acceptance

Preenka works at an airport. There are red lines painted on the ground next to the runway; Preenka has been instructed that nobody can step or drive across a red line unless they request, and get specific permission from, the control tower. This is an example of a(n)______ control. (D1, L1.3.1) Question options: A)Physical B)Administrative C)Critical D)Technical

Administrative

Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) Question options: A)Administrative B)Finite C)Physical D)Technical

Administrative

The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.Security needs to be provided to ____ data. (D5.1, L5.1.1) Question options: A)Restricted B)Illegal C)Private D)All

All

Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1) Question options: A) Alternate work areas for personnel affected by a natural disaster B) The organization's strategic security approach C) Last year's budget information D) Log data from all systems

Alternate work areas for personnel affected by a natural disaster

Which of these is the most important reason to conduct security instruction for all employees. (D5.4, L5.4.1) Question options: A)Reduce liability B)Provide due diligence C)It is a moral imperative D)An informed user is a more secure user

An informed user is a more secure user

Within the organization, who can identify risk? (D1, L1.2.2) Question options: A) The security manager B) Any security team member C) Senior management D) Anyone

Anyone

Within the organization, who can identify risk? (D1, L1.2.2) Question options: A)The security manager B)Any security team member C)Senior management D)Anyone

Anyone

Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina's credentials, so that Doug can get some work done. What is the problem with this? (D3, L3.3.1) Question options: A)Doug is a bad person B)If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance C)Anything either of them do will be attributed to Trina D)It is against the law

Anything either of them do will be attributed to Trina

Which of the following will have the most impact on determining the duration of log retention? (D3, L3.2.1) Question options: A)Personal preference B) Applicable laws C) Industry standards D) Type of storage media

Applicable laws

Which of the following will have the most impact on determining the duration of log retention? (D3, L3.2.1) Question options: A)Personal preference B)Applicable laws C)Industry standards D)Type of storage media

Applicable laws

In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) Question options: A) Vulnerability B) Asset C) Threat D) Likelihood

Asset

In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) Question options: A)Vulnerability B)Asset C)Threat D)Likelihood

Asset

Bluga works for Triffid, Inc. as a security analyst. Bluga wants to send a message to several people and wants the recipients to know that the message definitely came from Bluga. What type of encryption should Bluga use? (D5.1, L5.1.3) Question options: A) Symmetric encryption B) Asymmetric encryption C) Small-scale encryption D) Hashing

Asymmetric encryption

Bluga works for Triffid, Inc. as a security analyst. Bluga wants to send a message to several people and wants the recipients to know that the message definitely came from Bluga. What type of encryption should Bluga use? (D5.1, L5.1.3) Question options: A)Symmetric encryption B)Asymmetric encryption C)Small-scale encryption D)Hashing

Asymmetric encryption

Authentication

Authentication - is a process to prove the identity of the requestor Something you know: Passwords or paraphrases Something you have: Tokens, memory cards, smart cards Something you are: Biometrics, measurable characteristics

"Wiring _____" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1) Question options: A)Shelf B)Closet C)Bracket D)House

Closet

Question 62 1 / 1 point "Wiring _____" is a common term meaning "a place where wires/conduits are often run, and equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1) Question options: A) Shelf B) Closet C) Bracket D) House

Closet

Jengi is setting up security for a home network. Jengi decides to configure MAC address filtering on the router, so that only specific devices will be allowed to join the network. This is an example of a(n)_______ control. (D1, L1.3.1) Question options: A)Physical B) Administrative C)Substantial D)Technical

D) Technical This is a difficult question, because it may seem as if there are two possible answers: the router enforces a set of rules as to which MAC addresses may be included on the network, so that sounds like an administrative control. However, the router is an IT system, so that seems as if it is a technical control. In fact, it is considered the latter. In general, it is best to consider the matter this way: if it has a power cord, or electricity running through it, it's a technical control.

Bruce is the branch manager of a bank. Bruce wants to determine which personnel at the branch can get access to systems, and under which conditions they can get access. Which access control methodology would allow Bruce to make this determination? (D3, L3.3.1) Question options: A)MAC (mandatory access control) B)DAC (discretionary access control) C)RBAC (role-based access control) D)Defense-in-depth

DAC (discretionary access control)

Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an attack designed to affect the availability of the environment. Which of the following might be the attack Ludwig sees? (D4.2 L4.2.1) Question options: A) DDOS (distributed denial of service) B) Spoofing C) Exfiltrating stolen data D) An insider sabotaging the power supply

DDOS (distributed denial of service)

A tool that inspects outbound traffic to reduce potential threats. (D4.2 L4.2.3) Question options: A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall

DLP (data loss prevention)

The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3) Question options: A) VLAN B) DMZ C) MAC D) RBAC

DMZ (demilitarized zone)

Which of the following roles does not typically require privileged account access? (D3, L3.1.1) Question options: A) Security administrator B) Data entry professional C) System administrator D) Help Desk technician

Data entry professional

Archiving is typically done when _________. (D5.1, L5.1.1) Question options: A) Data is ready to be destroyed B) Data has lost all value C) Data is not needed for regular work purposes D) Data has become illegal

Data is not needed for regular work purposes

At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. (D3, L3.1.1) This is an example of: Question options: A) Two-person integrity B) Segregation of duties C) Defense in depth D) Penetration testing

Defense in depth

At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. (D3, L3.1.1) This is an example of: Question options: A)Two-person integrity B)Segregation of duties C)Defense in depth D)Penetration testing

Defense in depth

When data has reached the end of the retention period, it should be _____. (D5.1, L5.1.1) Question options: A)Destroyed B)Archived C)Enhanced D)Sold

Destroyed

A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1) Question options: A) Detective B) Preventive C) Deterrent D) Logical

Detective

A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1) Question options: A)Detective B)Preventive C)Deterrent D)Logical

Detective

Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select? (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Security policy

Discretionary access controls (DAC)

Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A)Defense in depth B)Segregation of duties C)Least privilege D)Dual control

Dual Control

Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A) Defense in depth B) Segregation of duties C) Least privilege D) Dual control

Dual control

Which of the following is probably the main purpose of configuration management? (D5.2, L5.2.1) Question options: A) Keeping out intruders B) Ensuring the organization adheres to privacy laws C) Keeping secret material protected D) Ensuring only authorized modifications are made to the IT environment

Ensuring only authorized modifications are made to the IT environment

All visitors to a secure facility should be _______. (D3, L3.2.1) Question options: A)Fingerprinted B)Photographed C)Escorted D)Required to wear protective equipment

Escorted

Zarma is an (ISC)² member and a security analyst for Triffid Corporation. One of Zarma's colleagues is interested in getting an (ISC)2 certification and asks Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1) Question options: A)Inform (ISC)² B)Explain the style and format of the questions, but no detail C)Inform the colleague's supervisor D)Nothing

Explain the style and format of the questions, but no detail

All of the following are important ways to practice an organization disaster recovery (DR) effort; which one is the most important? (D2, L2.3.1) Question options: A) Practice restoring data from backups B) Facility evacuation drills C) Desktop/tabletop testing of the plan D) Running the alternate operating site to determine if it could handle critical functions in times of emergency

Facility evacuation drills

True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. Question options: A) True B) False

False

Visitors to a secure facility need to be controlled. Controls useful for managing visitors include all of the following except: (D3, L3.2.1) Question options: A) Sign-in sheet/tracking log B) Fence C) Badges that differ from employee badges D) Receptionist

Fence

A device that filters network traffic in order to enhance overall security/performance. (D4.1 L4.1.1) Question options: A)Endpoint B)Laptop C)MAC (media access control) D)Firewall

Firewall

A device that is commonly useful to have on the perimeter between two networks. (D4.3 L4.3.3) Question options: A)User laptop B)IoT C)Camera D)Firewall

Firewall

A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) Question options: A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall

Firewall

Inbound traffic from an external source seems to indicate much higher rates of communication than normal, to the point where the internal systems might be overwhelmed. Which security solution can often identify and potentially counter this risk? (D4.2 L4.2.2) Question options: A)Firewall B)Turnstile C)Anti-malware D)Badge system

Firewall

Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) Question options: A)Turnstile B)Fence C)Vacuum D)Firewall

Firewall

Which of the following is not a typical benefit of cloud computing services? (D4.3 L4.3.2) Question options: A)Reduced cost of ownership/investment B)Metered usage C)Scalability D)Freedom from legal constraints

Freedom from legal constraints

Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) Question options: A) HIDS (host-based intrusion-detection systems) B) NIDS (network-based intrusion-detection systems) C) LIDS (logistical intrusion-detection systems) D) Firewalls

HIDS (host-based intrusion-detection systems)

Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2) Question options: A)HIDS (host-based intrusion-detection systems) B)NIDS (network-based intrusion-detection systems) C)LIDS (logistical intrusion-detection systems) D)Firewalls

HIDS (host-based intrusion-detection systems)

Cheryl is browsing the Web. Which of the following protocols is she probably using? (D4, L4.1.2) Question options: A) SNMP (Simple Network Management Protocol) B) FTP (File Transfer Protocol) C) TFTP (Trivial File Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)

HTTP (Hyperptext transfer protocol)

Cheryl is browsing the Web. Which of the following protocols is she probably using? (D4, L4.1.2) Question options: A)SNMP (Simple Network Management Protocol) B)FTP (File Transfer Protocol) C)TFTP (Trivial File Transfer Protocol) D)HTTP (Hypertext Transfer Protocol)

HTTP (Hypertext Transfer Protocol)HTTP (Hypertext Transfer Protocol)

The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1) Question options: A) RBAC B) HVAC C) MAC

HVAC

Dieter wants to send a message to Lupa and wants to be sure that Lupa knows the message has not been modified in transit. What technique/tool could Dieter use to assist in this effort? (D5.1, L5.1.3) Question options: A) Hashing B) Clockwise rotation C) Symmetric encryption D) Asymmetric encryption

Hashing

Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)² certification exam. What should Glen do? (D1, L1.5.1) Question options: A) Nothing B) Inform (ISC)² C) Inform law enforcement D) Inform Glen's employer

Inform (ISC)²

Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)² certification exam. What should Glen do? (D1, L1.5.1) Question options: A)Nothing B)Inform (ISC)² C)Inform law enforcement D)Inform Glen's employer

Inform (ISC)²

Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1) Question options: A)Inform (ISC)² B)Inform law enforcement C)Inform Triffid management D)Nothing

Inform Triffid management

Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) Question options: A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)

Infrastructure as a service (IaaS)

Which common cloud service model offers the customer the most control of the cloud environment? (D4.3 L4.3.2) Question options: A)Lunch as a service (LaaS) B)Infrastructure as a service (IaaS) C)Platform as a service (PaaS) D)Software as a service (SaaS)

Infrastructure as a service (IaaS)

Log data should be kept ______. (D5.1, L5.1.2) Question options: A) On the device that the log data was captured from B) In an underground bunker C) In airtight containers D) On a device other than where it was captured

On a device other than where it was captured

Chad is a security practitioner tasked with ensuring that the information on the organization's public website is not changed by anyone outside the organization. This task is an example of ensuring _________. (D1, L1.1.1) Question options: A)Confidentiality B)Integrity C)Availability D)Confirmation

Integrity

The logical address of a device connected to the network or Internet. (D4.1 L4.1.1) Question options: A) Media access control (MAC) address B) Internet Protocol (IP) address C) Geophysical address D) Terminal address

Internet Protocol (IP) address

An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) ______. (D2, L2.1.1) Question options: A) Intrusion B) Exploit C) Disclosure D) Publication

Intrusion

Which of the following statements is true? (D3, L3.3.1) Question options: A)Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls B)Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls C)Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls D)It is best to use a blend of controls in order to provide optimum security

It is best to use a blend of controls in order to provide optimum security

What is the goal of Business Continuity efforts? (D2, L2.2.1) Question options: A) Save money B) Impress customers C) Ensure all IT systems continue to operate D) Keep critical business functions operational

Keep critical business functions operational

What is the goal of Business Continuity efforts? (D2, L2.2.1) Question options: A)Save money B)Impress customers C)Ensure all IT systems continue to operate D)Keep critical business functions operational

Keep critical business functions operational

Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and "Public." This is an example of _____. (D5.1, L5.1.1) Question options: A)Secrecy B)Privacy C)Inverting D)Labeling

Labeling

All of the following are typically perceived as drawbacks to biometric systems, except: (D3, L3.2.1) Question options: A) Lack of accuracy B) Potential privacy concerns C) Retention of physiological data past the point of employment D) Legality

Lack of accuracy Biometric systems can be extremely accurate, especially when compared with other types of access controls

The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) Question options: A)Policy B)Procedure C)Standard D)Law

Law

The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) Question options: A)Policy B)Procedure C)Standard D)Law

Law D is correct. The city council is a governmental body making a legal mandate; this is a law. A is incorrect; the rule is not a policy used by a specific organization, but instead applies to anyone within the jurisdiction of the Grampon city council. B is incorrect; this rule is not a process to follow. C is incorrect; this rule is not recognized outside the jurisdiction of the Grampon city council.

Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2) Question options: A)Law, procedure B)Standard, law C)Law, standard D)Policy, law

Law, procedure

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachis logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege

Least privilege

A _____ is a record of something that has occurred. (D3, L3.2.1) Question options: A) Biometric B) Law C) Log D) Firewall

Log

A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3) Question options: A)Secret B)Physical C)Regulated D)Logical

Logical

For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1) Question options: A) Medical systems that store patient data B)Retail records of past transactions C) Online streaming of camera feeds that display historical works of art in museums around the world D) Medical systems that monitor patient condition in an intensive care unit

Medical systems that monitor patient condition in an intensive care unit

Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) Question options: A)Acceptance B)Avoidance C)Mitigation D)Transference

Mitigation

Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) Question options: A)FTP (File Transfer Protocol) B)NTP (Network Time Protocol) C)SMTP (Simple Mail Transfer Protocol) D)HTTP (Hypertext Transfer Protocol)

NTP (Network Time Protocol)

A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) Question options: A)Non-repudiation B)Multifactor authentication C)Biometrics D)Privacy

Non-repudiation

A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________. (D1, L1.1.1) Question options: A)Non-repudiation B)Multifactor authentication C)Biometrics D)Privacy

Non-repudiation A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they did, in fact, conduct. A system that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the question referred to authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiation and privacy are oppositional).

Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) Question options: A) Side channel B) DDOS C) On-path D) Physical

On-path

Gary is an attacker. Gary is able to get access to the communication wire between Dauphine's machine and Linda's machine and can then surveil the traffic between the two when they're communicating. What kind of attack is this? (D4.2 L4.2.1) Question options: A)Side channel B)DDOS C)On-path D)Physical

On-path

Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1) Question options: A)Inform (ISC)² B)Pay the parking ticket C)Inform supervisors at Triffid D)Resign employment from Triffid

Pay the parking ticket

A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) Question options: A)Physical B)Administrative C)Drastic D)Technical

Physical

An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3) Question options: A) Philosophical B) Remote C) Internal D) Physical

Physical

An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3) Question options: A)Philosophical B)Remote C)Internal D)Physical

Physical

Steve is a security practitioner assigned to come up with a protective measure for ensuring cars don't collide with pedestrians. What is probably the most effective type of control for this task? (D1, L1.3.1) Question options: A)Administrative B)Technical C)Physical D)Nuanced

Physical

The Triffid Corporation publishes a strategic overview of the company's intent to secure all the data the company possesses. This document is signed by Triffid senior management. What kind of document is this? (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law

Policy

The Triffid Corporation publishes a strategic overview of the company's intent to secure all the data the company possesses. This document is signed by Triffid senior management. What kind of document is this? (D1, L1.4.1) Question options: A)Policy B)Procedure C)Standard D)Law

Policy

By far, the most crucial element of any security instruction program. (D5.4, L5.4.1) Question options: A) Protect assets B) Preserve health and human safety C) Ensure availability of IT systems D) Preserve shareholder value

Preserve health and human safety

What is the most important goal of a business continuity effort? (D2, L2.2.1) Question options: A)Ensure all IT systems function during a potential interruption B)Ensure all business activities are preserved during a potential disaster C)Ensure the organization survives a disaster D)Preserve health and human safety

Preserve health and human safety

Which common cloud deployment model typically features only a single customer's data/functionality stored on specific systems/hardware? (D4.3 L4.3.2) Question options: A) Public B) Private C) Community D) Hybrid

Private

The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law

Procedure B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure be created and implemented. C is incorrect. The procedure is not recognized and implemented throughout the industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body

What is the goal of an incident response effort? (D2, L2.1.1) Question options: A) No incidents ever happen B) Reduce the impact of incidents on operations C) Punish wrongdoers D) Save money

Reduce the impact of incidents on operations

What is the goal of an incident response effort? (D2, L2.1.1) Question options: A)No incidents ever happen B)Reduce the impact of incidents on operations C)Punish wrongdoers D)Save money

Reduce the impact of incidents on operations

To adequately ensure availability for a data center, it is best to plan for both resilience and _______ of the elements in the facility. (D4.3 L4.3.1) Question options: A)Uniqueness B)Destruction C)Redundancy D)Hue

Redundancy

Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1) Question options: A) Fragments B) Packets C) Remanence D) Residue

Remanence

What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) Question options: A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization

Return to normal, full operations

Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) Question options: A)Risk tolerance B)Risk inversion C)Threat D)Vulnerability

Risk Tolerance

Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) Question options: A)Risk tolerance B)Risk inversion C)Threat D)Vulnerability

Risk tolerance

Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees transferring from one department to another, getting promoted, or cross-training to new positions can get access to the different assets they'll need for their new positions, in the most efficient manner. Which method should Handel select? (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Barbed wire

Role-based access controls (RBAC)

Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging

Role-based access controls (RBAC)

Prina is a database manager. Prina is allowed to add new users to the database, remove current users and create new usage functions for the users. Prina is not allowed to read the data in the fields of the database itself. This is an example of: (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Alleviating threat access controls (ATAC)

Role-based access controls (RBAC)

Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) Question options: A)Role-based access controls (RBAC) B)Mandatory access controls (MAC) C)Discretionary access controls (DAC) D)Logging

Role-based access controls (RBAC) RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment

An organization must always be prepared to ______ when applying a patch. (D5.2, L5.2.1) Question options: A)Pay for the updated content B)Buy a new system C)Settle lawsuits D)Rollback

Rollback

Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2) Question options: A)SMTP (Simple Mail Transfer Protocol) B)FTP (File Transfer Protocol) C)SFTP (Secure File Transfer Protocol) D)SNMP (Simple Network Management Protocol)

SFTP (Secure File Transfer Protocol) SFTP is designed specifically for this purpose

One of the benefits of computer-based training (CBT): (D5.4, L5.4.1) Question options: A) Expensive B) Scalable C) Personal interaction with instructor D) Interacting with other participants

Scalable

Proper alignment of security policy and business goals within the organization is important because: (D5.3, L5.3.1) Question options: A)Security should always be as strict as possible B)Security policy that conflicts with business goals can inhibit productivity C)Bad security policy can be illegal D)Security is more important than business

Security policy that conflicts with business goals can inhibit productivity

Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) Question options: A) Two-person integrity B)Segregation of duties C) Software D) Defense in depth

Segregation of duties

Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) Question options: A)Two-person integrity B)Segregation of duties C)Software D)Defense in depth

Segregation of duties

Who approves the incident response policy? (D2, L2.1.1) Question options: A) (ISC)² B) Senior management C) The security manager D) Investors

Senior management

Who approves the incident response policy? (D2, L2.1.1) Question options: A)(ISC)² B)Senior management C)The security manager D)Investors

Senior management

Who dictates policy? (D5.3, L5.3.1) Question options: A)The security manager B)The Human Resources office C)Senior management D)Auditors

Senior management

Which common cloud service model only offers the customer access to a given application? (D4.3 L4.3.2) Question options: A)Lunch as a service (LaaS) B)Infrastructure as a service (IaaS) C)Platform as a service (PaaS) D)Software as a service (SaaS)

Software as a Service

Which common cloud service model only offers the customer access to a given application? (D4.3 L4.3.2) Question options: A) Lunch as a service (LaaS) B) Infrastructure as a service (IaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)

Software as a service (SaaS)

The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) Question options: A)Law B)Policy C)Standard D)Procedure

Standard

(ISC)² publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge? (D1, L1.4.1) Question options: A)Policy B)Procedure C)Standard D)Law

Standard C is correct. The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard. A is incorrect; the CBK is not a set of internal rules used for a particular organization; it is used throughout the industry. B is incorrect. The CBK is not a process that is followed; it is a set of information. D is incorrect; the CBK is not mandated by a governmental body.

Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a message appears stating that Suvid has to reset the password. What may have occurred to cause this? Question options: A) Suvid broke the law B) Suvid's password has expired C) Suvid made the manager angry D) Someone hacked Suvid's machine

Suvid's password has expired

Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to ensure the data is protected while it's streaming. Which of the following methods are probably best for this purpose? (D5.1, L5.1.3) Question options: A)Symmetric encryption B)Hashing C)Asymmetric encryption D)VLANs

Symmetric encryption

A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) Question options: A) Physical B) Administrative C) Passive D) Technical

Technical

A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) Question options: A)Physical B)Administrative C)Passive D)Technical

Technical

Jengi is setting up security for a home network. Jengi decides to configure MAC address filtering on the router, so that only specific devices will be allowed to join the network. This is an example of a(n)_______ control. (D1, L1.3.1) Question options: A)Physical B)Administrative C)Substantial D)Technical

Technical

The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1) Question options: A)Administrative B)Entrenched C)Physical D)Technical

Technical

When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) Question options: A)The organizational security policy B)The acceptable use policy (AUP) C)The bring-your-own-device (BYOD) policy D)The workplace attire policy

The Acceptable Use policy (AUP)

When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1) Question options: A) The organizational security policy B) The acceptable use policy (AUP) C) The bring-your-own-device (BYOD) policy D) The workplace attire policy

The acceptable use policy (AUP)

Confidentiality

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes

For which of the following assets is integrity probably the most important security aspect? (D1, L1.1.1) Question options: A)One frame of a streaming video B)The file that contains passwords used to authenticate users C)The color scheme of a marketing website D)Software that checks the spelling of product descriptions for a retail website

The file that contains passwords used to authenticate users

What is the risk associated with delaying resumption of full normal operations after a disaster? (D2, L2.3.1) Question options: A)People might be put in danger B)The impact of running alternate operations for extended periods C)A new disaster might emerge D)Competition

The impact of running alternate operations for extended periods

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the database? (D3, L3.1.1) Question options: A) The object B) The rule C) The subject D) The site

The object

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL? (D3, L3.1.1) Question options: A) The subject B) The object C) The rule D) The firmware

The rule

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is the ACL? (D3, L3.1.1) Question options: A)The subject B)The object C)The rule D)The firmware

The rule

Security controls on log data should reflect ________. (D5.1, L5.1.2) Question options: A) The organization's commitment to customer service B) The local culture where the log data is stored C) The price of the storage device D) The sensitivity of the source device

The sensitivity of the source device

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) Question options: A) The subject B) The rule C) The file D) The object

The subject

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) Question options: A)The subject B)The rule C)The file D)The object

The subject

In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) Question options: A)Fear B)Threat C)Control D)Asset

Threat

In risk management concepts, a(n) ___________ is something or someone that poses risk to an organization or asset. (D1, L1.2.1) Question options: A)Fear B)Threat C)Control D)Asset

Threat B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat. A is incorrect because "fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mitigate risk. D is incorrect; an asset is something of value, which may need protection.

Triffid, Inc., has deployed anti-malware solutions across its internal IT environment. What is an additional task necessary to ensure this control will function properly? (D4.2 L4.2.3) Question options: A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems B) Update the anti-malware solution regularly C) Install a monitoring solution to check the anti-malware solution D) Alert the public that this protective measure has been taken

Update the anti-malware solution regularly Anti-malware solutions typically work with signatures for known malware; without continual updates, these tools lose their efficacy

Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3) Question options: A) Annual budgeting B) Conferences with senior leadership C) Updating and patching systems D) The annual shareholders' meeting

Updating and patching systems

Which of the following is one of the common ways potential attacks are often identified? (D4.2 L4.2.2) Question options: A)The attackers contact the target prior to the attack, in order to threaten and frighten the target B)Victims notice excessive heat coming from their systems C)The power utility company warns customers that the grid will be down and the internet won't be accessible D)Users report unusual systems activity/response to Help Desk or the security office

Users report unusual systems activity/response to Help Desk or the security office

Which of the following is one of the common ways potential attacks are often identified? (D4.2 L4.2.2) Question options: A) The attackers contact the target prior to the attack, in order to threaten and frighten the target B) Victims notice excessive heat coming from their systems C) The power utility company warns customers that the grid will be down and the internet won't be accessible D) Users report unusual systems activity/response to Help Desk or the security office

Users report unusual systems activity/response to Help Desk or the security office Users often act as an attack-detection capability (although many user reports might be false-positives).

______ is used to ensure that configuration management activities are effective and enforced. (D5.2, L5.2.1) Question options: A) Inventory B) Baseline C) Identification D) Verification and audit

Verification and audit

When should a business continuity plan (BCP) be activated? (D2, L2.2.1) Question options: A)As soon as possible B)At the very beginning of a disaster C)When senior management decides D)When instructed to do so by regulators

When senior management decides

Garfield is a security analyst at Triffid, Inc. Garfield notices that a particular application in the production environment is being copied very quickly, across systems and devices utilized by many users. What kind of attack could this be? (D4.2 L4.2.1) Question options: A) Spoofing B) Side channel C) Trojan D) Worm

Worm

authentication

access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is know to the system

availability

ensuring timely and reliable access to and use of information by authorized users

Hoshi is an (ISC)2 member who works for the Triffid Corporation as a data manager. Triffid needs a new firewall solution, and Hoshi is asked to recommend a product for Triffid to acquire and implement. Hoshi's cousin works for a firewall vendor; that vendor happens to make the best firewall available. What should Hoshi do? (D1, L1.5.1) Question options: A)recommend a different vendor/product B)recommend the cousin's product C)Hoshi should ask to be recused from the task D)disclose the relationship, but recommend the vendor/product

disclose the relationship, but recommend the vendor/product

Non-repudiation

the inability to deny taking an action, such as sending an email message.

privacy

the right of an individual to control the distribution of information about themselves

authorization

the right or a permission that is granted to a system entity to access a system resource

Question 63 0 / 1 point The output of any given hashing algorithm is always _____. (D5.1, L5.1.3) Question options: A) The same length B) The same characters C) The same language D) Different for the same inputs

the same length


Kaugnay na mga set ng pag-aaral

Personality Psychology: Exam 1 Study Set

View Set