ISC2 CISSP Chapter 1

Which principle limits resource access to only authorized subjects? A. Authentication B. Integrity C. Availability D. Confidentiality

Confidentiality

Kevin is assessing his organization's obligations under state data breach notification laws. Which one of the following pieces of information would generally not be covered by a data breach notification law when it appears in conjunction with a person's name? A. Social Security number B. Driver's license number C. Credit card number D. Student identification number

D

Leonard and Sheldon recently coauthored a paper describing a new superfluid vacuum theory. How long will the copyright on their paper last? A. 70 years after publication B. 70 years after completion of the first draft C. 70 years after the death of the first author D. 70 years after the death of the last author

D

Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property (IP) protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret

D

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance? A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

D

Renee's organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate? A. Binding corporate rules B. Privacy Shield C. Privacy Lock D. Standard contractual clauses

D

STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation? A. S B. T C. R D. I E. D F. E

D

What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law

D

Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario? A. Software B. Services C. Data D. Hardware

D

Which principle focuses on protecting the reliability and correctness of data? A. Authorization B. Integrity C. Availability D. Confidentiality

Integrity

Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property (IP) protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret

A

The Children's Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16

A

Tom is an adviser to a federal government agency that collects personal information from constituents. He would like to facilitate a research relationship between that agency and several universities that involves the sharing of personal information. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm-Leach-Bliley Act

A

Wendy recently accepted a position as a senior cybersecurity administrator at a U.S. government agency and is concerned about the legal requirements affecting her new position. Which law governs information security operations at federal agencies? A. FISMA B. FERPA C. CFAA D. ECPA

A

What U.S. state was the first to pass a comprehensive privacy law modeled after the requirements of the European Union's General Data Protection Regulation? A. California B. New York C. Vermont D. Texas

A

Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on? A. Existing security policy B. Third-party audit C. On-site assessment D. Vulnerability scan results

A

Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change, which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization, and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure? A. ITIL B. ISO 27000 C. CIS D. CSF

A

In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.) A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization. D. Due care is practicing the individual activities that maintain the security effort. E. Due care is knowing what should be done and planning for it. F. Due diligence is doing the right action at the right time.

A, D

Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.) A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value D. Maintaining Authenticity and Accountability E. Dynamic Governance System

A,B,C,E

Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.) A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips. C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms.

A,B,D

Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.) A. Inappropriate information disclosure B. Increased worker compliance C. Data loss D. Downtime E. Additional insight into the motivations of inside attackers F. Failure to achieve sufficient return on investment (ROI)

A,C,D,F

Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.) A. Layering B. Classifications C. Zones D. Realms E. Compartments F. Silos G. Segmentations H. Lattice structure I. Protection rings

All of them

A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this? A. Threat hunting B. Proactive approach C. Qualitative approach D. Adversarial approach

B

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it? A. Senior management B. Security professional C. Custodian D. Auditor

B

Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding? A. Write up a report and submit it to the CIO. B. Void the ATO of the vendor. C. Require that the vendor review their terms and conditions. D. Have the vendor sign an NDA.

B

Congress passed CALEA in 1994, requiring that what type of organizations cooperate with law enforcement investigations? A. Financial institutions B. Communications carriers C. Healthcare organizations D. Websites

B

Frances learned that a user in her organization recently signed up for a cloud service without the knowledge of her supervisor and is storing corporate information in that service. Which one of the following statements is correct? A. If the user did not sign a written contract, the organization has no obligation to the service provider. B. The user most likely agreed to a click-through license agreement binding the organization. C. The user's actions likely violate federal law. D. The user's actions likely violate state law.

B

Greg recently accepted a position as the cybersecurity compliance officer with a privately held bank. What law most directly impacts the manner in which his organization handles personal information? A. HIPAA B. GLBA C. SOX D. FISMA

B

James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated? A. Identification B. Availability C. Encryption D. Layering

B

Roger is the CISO at a healthcare organization covered under HIPAA. He would like to enter into a partnership with a vendor who will manage some of the organization's data. As part of the relationship, the vendor will have access to protected health information (PHI). Under what circumstances is this arrangement permissible under HIPAA? A. This is permissible if the service provider is certified by the Department of Health and Human Services. B. This is permissible if the service provider enters into a business associate agreement. C. This is permissible if the service provider is within the same state as Roger's organization. D. This is not permissible under any circumstances.

B

Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions. 1. Policy 2. Standard 3. Procedure 4. Guideline I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. III. A minimum level of security that every system throughout the organization must meet. IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. V. Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. A. 1 - I. 2 - IV. 3 - II. 4 - V B. 1 - II. 2 - V. 3 - I. 4 - IV C. 1 - IV. 2 - II. 3 - V. 4 - I D. 1 - V. 2 - I. 3 - IV. 4 - III

B

Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. AAA services D. Ensuring that subject activities are recorded

B

What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment C. Second Amendment D. Gramm-Leach-Bliley Act

B

The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.) A. Patch or update versions B. Trust boundaries C. Dataflow paths D. Open vs. closed source code use E. Input points F. Privileged operations G. Details about security stance and approach

B, C, E, F, G

Brianna is working with a U.S. software firm that uses encryption in its products and plans to export their product outside of the United States. What federal government agency has the authority to regulate the export of encryption software? A. NSA B. NIST C. BIS D. FTC

C

Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality? A. Stealing passwords using a keystroke logging tool B. Eavesdropping on wireless network communications C. Hardware destruction caused by arson D. Social engineering that tricks a user into providing personal information to a false website

C

It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected? A. VAST B. SD3+C C. PASTA D. STRIDE

C

Justin is a cybersecurity consultant working with a retailer on the design of their new point-of-sale (POS) system. What compliance obligation relates to the processing of credit card information that might take place through this system? A. SOX B. HIPAA C. PCI DSS D. FERPA

C

Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® C. ™ D. †

C

Ruth recently obtained a utility patent covering a new invention that she created. How long will she retain legal protection for her invention? A. 14 years from the application date B. 14 years from the date the patent is granted C. 20 years from the application date D. 20 years from the date the patent is granted

C

Ryan is reviewing the terms of a proposed vendor agreement between the financial institution where he works and a cloud service provider. Which one of the following items should represent the least concern to Ryan? A. What security audits does the vendor perform? B. What provisions are in place to protect the confidentiality, integrity, and availability of data? C. Is the vendor compliant with HIPAA? D. What encryption algorithms and key lengths are used?

C

You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create? A. Tactical plan B. Operational plan C. Strategic plan D. Rollback plan

C
