
True or False? The IT department is responsible for creating the organization's business continuity plan. (D2, L2.2.1) Question options: True False

False

A bollard is a post set securely in the ground in order to prevent a vehicle from entering an area or driving past a certain point. Bollards are an example of ______ controls. (D1, L1.3.1) Question options: A) Physical B) Administrative C) Drastic D) Technical

A) Physical A bollard is a tangible object that prevents a physical act from occurring; this is a physical control.

Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel. This is an example of _________. (D1, L1.2.2) Question options: A) Acceptance B) Avoidance C) Mitigation D) Transference

A) Acceptance Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood, is worth the risk.

Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1) Question options: A) Administrative B) Finite C) Physical D) Technical

A) Administrative Both the policy and the instruction are administrative controls; rules and governance are administrative.

The Business Continuity effort for an organization is a way to ensure critical ______ functions are maintained during a disaster, emergency, or interruption to the production environment. (D2, L2.2.1) Question options: A) Business B) Technical C) IT D) Financial

A) Business

An attacker outside the organization attempts to gain access to the organization's internal files. This is an example of a(n) ______. (D2, L2.1.1) Question options: A) Intrusion B) Exploit C) Disclosure D) Publication

A) Intrusion An intrusion is an attempt (successful or otherwise) to gain unauthorized access.

Which of the following would be considered a logical access control? Question options: A) An iris reader that allows an employee to enter a controlled area B) A fingerprint reader that allows an employee to enter a controlled area C) A fingerprint reader that allows an employee to access a laptop computer D) A chain attached to a laptop computer that connects it to furniture so it cannot be taken

C) A fingerprint reader that allows an employee to access a laptop computer Logical access controls limit who can gain user access to a device/system.

Of the following, which would probably not be considered a threat? (D1, L1.2.1) Question options: A) Natural disaster B) Unintentional damage to the system caused by a user C) A laptop with sensitive data on it D) An external attacker trying to gain unauthorized access to the environment

C) A laptop with sensitive data on it A laptop, and the data on it, are assets, not threats.

A set of security controls or system settings used to ensure uniformity of configuration throughout the IT environment. (D5.2, L5.2.1) Question options: A) Patches B) Inventory C) Baseline D) Policy

C) Baseline This is the definition of a baseline.

At Parvi's place of work, the perimeter of the property is surrounded by a fence; there is a gate with a guard at the entrance. All inner doors only admit personnel with badges, and cameras monitor the hallways. Sensitive data and media are kept in safes when not in use. (D3, L3.1.1) This is an example of: Question options: A) Two-person integrity B) Segregation of duties C) Defense in depth D) Penetration testing

C) Defense in depth Defense in depth is the use of multiple different (and different types of) overlapping controls to provide sufficient security.

Larry and Fern both work in the data center. In order to enter the data center to begin their workday, they must both present their own keys (which are different) to the key reader, before the door to the data center opens. Which security concept is being applied in this situation? (D3, L3.1.1)

D) Dual control This is an example of dual control, where two people, each with distinct authentication factors, must be present to perform a function.

Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1) Question options: A) A credit card presented to a cash machine B) Your password and PIN C) A user ID D) A photograph of your face

D) A photograph of your face A facial photograph is something you are—your appearance.

Within the organization, who can identify risk? (D1, L1.2.2) Question options: A) The security manager B) Any security team member C) Senior management D) Anyone

D) Anyone Anyone within the organization can identify risk.

Why is an asset inventory so important? (D5.2, L5.2.1) Question options: A) It tells you what to encrypt B) You can't protect what you don't know you have C) The law requires it D) It contains a price list

B) You can't protect what you don't know you have The inventory records which assets the organization has, which gives the organization the opportunity to protect those assets.

Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2) Question options: A) Risk tolerance B) Risk inversion C) Threat D) Vulnerability

A) Risk tolerance Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance.

Derrick logs on to a system in order to read a file. In this example, Derrick is the ______. (D3, L3.3.1) Question options: A) Subject B) Object C) Process D) Predicate

A) Subject Subjects are entities that access objects.

Is it possible to avoid risk? (D1, L1.2.1) Question options: A) Yes B) No C) Sometimes D) Never

A) Yes

Which of the following is probably most useful at the perimeter of a property? (D3, L3.2.1) Question options: A) A safe B) A fence C) A data center D) A centralized log storage facility

B) A fence

A tool that monitors local devices to reduce potential threats from hostile software. (D4.2, L4.2.3) Question options: A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall

B) Anti-malware This is the purpose of anti-malware solutions.

Which of the following will have the most impact on determining the duration of log retention? (D3, L3.2.1) Question options: A) Personal preference B) Applicable laws C) Industry standards D) Type of storage media

B) Applicable laws Laws will have the most impact on policies, including log retention periods, because laws cannot be contravened. All the other answers may have some impact on retention periods, but they will never have as much impact as applicable laws.

Which of the following is very likely to be used in a disaster recovery (DR) effort? (D2, L2.3.1) Question options: A) Guard dogs B) Data backups C) Contract personnel D) Anti-malware solutions

B) Data backups

True or False? Business continuity planning is a reactive procedure that restores business operations after a disruption occurs. Question options: A) True B) False

B) False Business continuity planning is proactive preparation for restoring operations after a disruption. Members from across the organization participate in the planning to ensure all systems, processes and operations are accounted for in the plan.

All visitors to a secure facility should be _______. (D3, L3.2.1) Question options: A) Fingerprinted B) Photographed C) Escorted D) Required to wear protective equipment

C) Escorted In a secure facility, visitors should be escorted by an authorized person.

Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a ________. (D1, L1.4.1) Question options: A) Policy B) Standard C) Procedure D) Guideline

C) Procedure

Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3) Question options: A) Annual budgeting B) Conferences with senior leadership C) Updating and patching systems D) The annual shareholders' meeting

C) Updating and patching systems Keeping systems up to date is typically part of both the configuration management process and enacting best security practices.

When should a business continuity plan (BCP) be activated? (D2, L2.2.1) Question options: A) As soon as possible B) At the very beginning of a disaster C) When senior management decides D) When instructed to do so by regulators

C) When senior management decides A senior manager with the proper authority must initiate the BCP.

Endpoint <------> Web server Which port number is associated with the protocol typically used in this connection? (D4.1, L4.1.2) Question options: A) 21 B) 53 C) 80 D) 161

C) 80 This is the port for the HTTP protocol, commonly used for Web traffic.

An attack against the availability of a network/system; typically uses many attacking machines to direct traffic against a given target. (D4.2 L4.2.1) Question options: A) Worm B) Virus C) Stealth D) Distributed-denial-of-service (DDOS)

D) Distributed-denial-of-service (DDOS) This is the description of a DDOS attack.

Network traffic originating from outside the organization might be admitted to the internal IT environment or blocked at the perimeter by a ________. (D3, L3.2.1) Question options: A) Turnstile B) Fence C) Vacuum D) Firewall

D) Firewall A firewall is a solution used to filter traffic between networks, including between the internal environment and the outside world.

A tool that filters inbound traffic to reduce potential threats. (D4.2 L4.2.3) Question options: A) NIDS (network-based intrusion-detection systems) B) Anti-malware C) DLP (data loss prevention) D) Firewall

D) Firewall Firewalls typically filter traffic originating from outside the organization's IT environment.

A common network device used to filter traffic. (D4.1 L4.1.1) Question options: A) Server B) Endpoint C) Ethernet D) Firewall

D) Firewall This is the purpose of a firewall.

A security solution that detects, identifies and often quarantines potentially hostile software. (D4.2, L4.2.2) Question options: A) Firewall B) Guard C) Camera D) Anti-malware

D) Anti-malware This is the definition of an anti-malware solution.

Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account, and is requesting Siobhan's full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information, and decides not to make the purchase. What kind of risk management approach did Siobhan take? (D1, L1.2.2) Question options: A) Avoidance B) Acceptance C) Mitigation D) Transfer

A) Avoidance

Which of the following is often associated with DR planning? (D2, L2.3.1) Question options: A) Checklists B) Firewalls C) Motion detectors D) Non-repudiation

A) Checklists

Lakshmi presents a userid and a password to a system in order to log on. Which of the following characteristics must the password have? (D3, L3.3.1) Question options: A) Confidential B) Unique C) Mathematical D) Shared

A) Confidential Passwords, like all authenticating elements, must be kept secret, and known only to the user.

The concept of "secrecy" is most related to which foundational aspect of security? (D1, L1.1.1) Question options: A) Confidentiality B) Integrity C) Availability D) Plausibility

A) Confidentiality

Which of these activities is often associated with DR efforts? (D2, L2.3.1) Question options: A) Employees returning to the primary production location B) Running anti-malware solutions C) Scanning the IT environment for vulnerabilities D) Zero-day exploits

A) Employees returning to the primary production location

What is meant by non-repudiation? (D1, L1.1.1) Question options: A) If a user does something, they can't later claim that they didn't do it. B) Controls to protect the organization's reputation from harm due to inappropriate social media postings by employees, even if on their private accounts and personal time. C) It is part of the rules set by administrative controls. D) It is a security feature that prevents session replay attacks.

A) If a user does something, they can't later claim that they didn't do it.

Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi is sometimes required to install or remove software. Which of the following could be used to describe Gelbi's account? (D3, L3.1.1) Question options: A) Privileged B) Internal C) External D) User

A) Privileged This is the description of a privileged account; an account that typically needs greater permissions than a basic user.

Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select? (D3, L3.3.1) Question options: ***REVIEW*** A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Logging

A) Role-based access controls (RBAC) RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment.

Prina is a database manager. Prina is allowed to add new users to the database, remove current users and create new usage functions for the users. Prina is not allowed to read the data in the fields of the database itself. This is an example of: (D3, L3.3.1) Question options: A) Role-based access controls (RBAC) B) Mandatory access controls (MAC) C) Discretionary access controls (DAC) D) Alleviating threat access controls (ATAC)

A) Role-based access controls (RBAC) Role-based access controls often function in this manner, where the employee's job responsibilities dictate exactly which kinds of access the employee has. This also enforces the concept of "least privilege."

Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2) Question options: A) The law B) The policy C) Any procedures the company has created for the particular activities affected by the law D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed

A) The law

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. In this situation, what is Prachi? (D3, L3.1.1) Question options: A) The subject B) The rule C) The file D) The object

A) The subject In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject.

Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2) Question options: A) Law, procedure B) Standard, law C) Law, standard D) Policy, law

A) Law, procedure The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure.

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1) Question options: A) Management/Administrative control B) Technical control C) Physical control D) Cloud control

A) Management/Administrative control

In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1) Question options: A) Vulnerability B) Asset C) Threat D) Likelihood

B) Asset An asset is anything with value, and a security practitioner may need to protect assets.

Which of the following roles does not typically require privileged account access? (D3, L3.1.1) Question options: A) Security administrator B) Data entry professional C) System administrator D) Help Desk technician

B) Data entry professional Data entry professionals do not usually need privileged access.

A portion of the organization's network that interfaces directly with the outside world; typically, this exposed area has more security controls and restrictions than the rest of the internal IT environment. (D4.3 L4.3.3) Question options: A) National Institute of Standards and Technology (NIST) B) Demilitarized zone (DMZ) C) Virtual private network (VPN) D) Virtual local area network (VLAN)

B) Demilitarized zone (DMZ) DMZ is the term we typically use to describe an outward-facing portion of the IT environment owned by an organization.

You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. This is an example of a(n)_______. (D2, L2.1.1) Question options: A) Emergency B) Event C) Policy D) Disaster

B) Event

Which is a physical control that prevents "piggybacking" or "tailgating"; that is, an unauthorized person following an authorized person into a controlled area? (D3, L3.2.1) Question options: A) Bollard B) Turnstile C) Fence D) Wall

B) Turnstile A turnstile typically uses a revolving mechanism which only allows one person to be admitted at a time, reducing the possibility of an unauthorized person following an authorized person into a controlled area.

Zarma is an (ISC)² member and a security analyst for Triffid Corporation. One of Zarma's colleagues is interested in getting an (ISC)2 certification and asks Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1) Question options: A) Inform (ISC)² B) Explain the style and format of the questions, but no detail C) Inform the colleague's supervisor D) Nothing

B) Explain the style and format of the questions, but no detail It is all right to explain the format of the exam, and even to share your own impressions of how challenging and difficult you found the exam to be. But in order to protect the security of the test, and to adhere to the (ISC)² Code of Ethics ("advance and protect the profession"), Zarma should not share any explicit information about details of the exam or reveal any actual questions.

The common term used to describe the mechanisms that control the temperature and humidity in a data center. (D4.3 L4.3.1) Question options: A) VLAN (virtual local area network) B) HVAC (heating, ventilation and air conditioning) C) STAT (system temperature and timing) D) TAWC (temperature and water control)

B) HVAC (heating, ventilation and air conditioning) This is a common term in the industry.

A security solution installed on an endpoint in order to detect potentially anomalous activity. (D4.2 L4.2.2) Question options: A) Router B) Host-based intrusion prevention system C) Switch D) Security incident and event management system (SIEM)

B) Host-based intrusion prevention system A HIPS is installed on an endpoint to detect potentially harmful activity.

You are working in your organization's security office. You receive a call from a user who has tried to log in to the network several times with the correct credentials, with no success. After a brief investigation, you determine that the user's account has been compromised. This is an example of a(n)_______. (D2, L2.1.1) Question options: A) Risk management B) Incident detection C) Malware D) Disaster

B) Incident detection

An external entity has tried to gain access to your organization's IT environment without proper authorization. This is an example of a(n) _________. (D2, L2.1.1) Question options: A) Exploit B) Intrusion C) Event D) Malware

B) Intrusion

A ready visual cue to let anyone in contact with the data know what the classification is. (D5.1, L5.1.1) Question options: A) Encryption B) Label C) Graphics D) Photos

B) Label The label reflects the classification of a given piece of data.

Cyril wants to ensure all the devices on his company's internal IT environment are properly synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2) Question options: A) FTP (File Transfer Protocol) B) NTP (Network Time Protocol) C) SMTP (Simple Mail Transfer Protocol) D) HTTP (Hypertext Transfer Protocol)

B) NTP (Network Time Protocol) This is the purpose of NTP.

Which common cloud deployment model typically features only a single customer's data/functionality stored on specific systems/hardware? (D4.3 L4.3.2) Question options: A) Public B) Private C) Community D) Hybrid

B) Private This is the defining feature of a private cloud.

The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law

B) Procedure A detailed set of processes used by a specific organization is a procedure.

Sinka is considering a physical deterrent control to dissuade unauthorized people from entering the organization's property. Which of the following would serve this purpose? (D3, L3.2.1) Question options: A) A wall B) Razor tape C) A sign D) A hidden camera

B) Razor tape Razor tape at the top of a fence or wall is very intimidating, and acts as an excellent deterrent.

Trina is a security practitioner at Triffid, Inc. Trina has been tasked with selecting a new product to serve as a security control in the environment. After doing some research, Trina selects a particular product. Before that product can be purchased, a manager must review Trina's selection and determine whether to approve the purchase. This is a description of: (D3, L3.1.1) Question options: A) Two-person integrity B) Segregation of duties C) Software D) Defense in depth

B) Segregation of duties Segregation of duties, also called separation of duties, is used to reduce the potential for corruption or fraud within the organization. More than one person must be involved in a given process in order to complete that process.

Who approves the incident response policy? (D2, L2.1.1) Question options: A) (ISC)² B) Senior management C) The security manager D) Investors

B) Senior management The organization's senior management are the only entities authorized to accept risk on behalf of the organization, and therefore all organizational policies must be approved by senior management.

In order for a biometric security system to function properly, an authorized person's physiological data must be ______. (D3, L3.2.1) Question options: A) Broadcast B) Stored C) Deleted D) Modified

B) Stored A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future.

A mode of encryption for ensuring confidentiality efficiently, with a minimum amount of processing overhead. (D5.1, L5.1.3) Question options: A) Asymmetric B) Symmetric C) Hashing D) Covert

B) Symmetric Symmetric encryption provides confidentiality with the least amount of processing overhead.

For which of the following assets is integrity probably the most important security aspect? (D1, L1.1.1) Question options: A) One frame of a streaming video B) The file that contains passwords used to authenticate users C) The color scheme of a marketing website D) Software that checks the spelling of product descriptions for a retail website

B) The file that contains passwords used to authenticate users If a password file is modified, the impact to the environment could be significant; there is a possibility that all authorized users could be denied access, or that anyone (including unauthorized users) could be granted access. The integrity of the password file is probably the most crucial of the four options listed.

Which of the following tools can be used to grant remote users access to the internal IT environment? (D4.3, L4.3.3) Question options: A) VLAN (virtual local area network) B) VPN (virtual private network) C) DDOS (distributed denial-of-service) D) MAC (media access control)

B) VPN (virtual private network) A VPN allows external users to gain access to the internal environment in a secure manner.

Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2) Question options: A) Acceptance B) Avoidance C) Mitigation D) Transference

C) Mitigation Applying a security solution (a type of control) is an example of mitigation.

Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1) Question options: A) Technical B) Obverse C) Physical D) Administrative

C) Physical Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose.

Steve is a security practitioner assigned to come up with a protective measure for ensuring cars don't collide with pedestrians. What is probably the most effective type of control for this task? (D1, L1.3.1) Question options: A) Administrative B) Technical C) Physical D) Nuanced

C) Physical Physical controls, such as fences, walls and bollards, will be most likely to ensure cars cannot collide with pedestrians by creating actual barriers between cars and pedestrians.

What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1) ** REVIEW ** Question options: A) Save money B) Return to normal, full operations C) Preserve critical business functions during a disaster D) Enhance public perception of the organization

C) Preserve critical business functions during a disaster DR efforts are intended to return the organization to normal, full operations.

While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1) Question options: A) Nothing—each person is responsible for their own actions. B) Yell at the other candidate for violating test security. C) Report the candidate to (ISC)2. D) Call local law enforcement.

C) Report the candidate to (ISC)2.

Common network device used to connect networks. (D4.1 L4.1.1) Question options: A) Server B) Endpoint C) Router D) Switch

C) Router Routers are used to connect networks.

Who is responsible for publishing and signing the organization's policies? (D5.3, L5.3.1) Question options: A) The security office B) Human Resources C) Senior management D) The legal department

C) Senior management Policies are direct organizational mandates from senior management.

A cloud arrangement whereby the provider owns and manages the hardware, operating system, and applications in the cloud, and the customer owns the data. (D4.3 L4.3.2) Question options: A) Infrastructure as a service (IaaS) B) Morphing as a service (MaaS) C) Platform as a service (PaaS) D) Software as a service (SaaS)

D) Software as a service (SaaS) This is a description of SaaS.

(ISC)² publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge? (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law

C) Standard The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard.

The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2) Question options: **REVIEW** A) Law B) Policy C) Standard D) Procedure

C) Standard This set of rules is known as the Data Security Standard, and it is accepted throughout the industry.

Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1) Question options: A) The governments of the countries where the company operates B) The company Kristal works for C) The users D) (ISC)2

C) The users

Duncan and Mira both work in the data center at Triffid, Inc. There is a policy in place that requires both of them to be present in the data center at the same time; if one of them has to leave for any reason, the other has to step out, too, until they can both re-enter. This is called ________. (D3, L3.1.1) Question options: A) Blockade B) Multifactor authentication C) Two-person integrity D) Defense in depth

C) Two-person integrity This policy ensures a single person is not alone with extremely sensitive assets, and reduces the potential for inappropriate activity.

Lakshmi presents a userid and a password to a system in order to log on. Which of the following characteristics must the userid have? (D3, L3.3.1) Question options: A) Confidential B) Complex C) Unique D) Long

C) Unique Identity assertions must be unique, to differentiate between various users.

A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1) Question options: A) Physical B) Administrative C) Passive D) Technical

D) Technical A software firewall is a technical control, because it is a part of the IT environment.

Which of these components is very likely to be instrumental to any disaster recovery (DR) effort? (D2, L2.3.1) Question options: A) Routers B) Laptops C) Firewalls D) Backups

D) Backups

Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1) Question options: A) Avoid B) Accept C) Mitigate D) Conflate

D) Conflate

Which of the following can be used to map data flows through an organization and the relevant security controls used at each point along the way? (D5.1, L5.1.1) Question options: A) Encryption B) Hashing C) Hard copy D) Data life cycle

D) Data life cycle The data life cycle is a notional tool that can be used to map data flows.

Which of these combinations of physical security controls share a single point of failure? (D3, L3.2.1) Question options: A) Guards and fences B) Badge readers and walls C) Dogs and bollards D) High-illumination lighting and cameras

D) High-illumination lighting and cameras Both lighting and cameras require power; a power failure will disable both the cameras and the lights.

Which of the following statements is true? (D3, L3.3.1) Question options: A) Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls B) Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls C) Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls D) It is best to use a blend of controls in order to provide optimum security

D) It is best to use a blend of controls in order to provide optimum security The use of multiple types of controls enhances overall security.

The city of Grampon wants to ensure that all of its citizens are protected from malware, so the city council creates a rule that anyone caught creating and launching malware within the city limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1) Question options: A) Policy B) Procedure C) Standard D) Law

D) Law The city council is a governmental body making a legal mandate; this is a law.

Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users, but is not allowed to read or modify the data in the database itself. When Prachi logs onto the system, an access control list (ACL) checks to determine which permissions Prachi has. Which security concept is being applied in this situation? (D3, L3.1.1) Question options: A) Defense in depth B) Layered defense C) Two-person integrity D) Least privilege

D) Least privilege This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job.

Which of the following is always true about logging? (D5.1, L5.1.3) Question options: A) Logs should be very detailed B) Logs should be in English C) Logs should be concise D) Logs should be stored separately from the systems they're logging

D) Logs should be stored separately from the systems they're logging It is important to store log data somewhere other than on the machine where the data is gathered.

For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1) Question options: A) Medical systems that store patient data B) Retail records of past transactions C) Online streaming of camera feeds that display historical works of art in museums around the world D) Medical systems that monitor patient condition in an intensive care unit

D) Medical systems that monitor patient condition in an intensive care unit Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed.

What is the most important goal of a business continuity effort? (D2, L2.2.1) Question options: A) Ensure all IT systems function during a potential interruption B) Ensure all business activities are preserved during a potential disaster C) Ensure the organization survives a disaster D) Preserve health and human safety

D) Preserve health and human safety In all security efforts, preserving health and human safety is paramount.

What is the most important aspect of security awareness/training? (D5.4, L5.4.1) Question options: A) Protecting assets B) Maximizing business capabilities C) Ensuring the confidentiality of data D) Protecting health and human safety

D) Protecting health and human safety There is nothing more important than health and human safety.

Which of the following are not typically involved in incident detection? (D2, L2.1.1) Question options: A) Users B) Security analysts C) Automated tools D) Regulators

D) Regulators Typically, regulators do not detect incidents, nor alert organizations to the existence of incidents.

Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1) Question options: A) Increased logging B) Multifactor authentication C) Increased auditing D) Security deposit

D) Security deposit We typically do not ask privileged account holders for security deposits.

Lia works in the security office. During research, Lia learns that a configuration change could better protect the organization's IT environment. Lia makes a proposal for this change, but the change cannot be implemented until it is approved, tested, and then cleared for deployment by the Change Control Board. This is an example of __________. (D3, L3.1.1) Question options: A) Defense in depth B) Holistic security C) Threat intelligence D) Segregation of duties

D) Segregation of duties Lia can make a recommendation for a change to the IT environment, but cannot enact the change without participation from another entity in the organization.

Which organizational policy is most likely to indicate which types of smartphones can be used to connect to the internal IT environment? (D5.3, L5.3.1) Question options: A) The CM policy (change management) B) The password policy C) The AUP (acceptable use policy) D) The BYOD policy (bring your own device)

D) The BYOD policy (bring your own device) The BYOD policy typically describes which devices can be used to process data and access networks belonging to the organization.

Which entity is most likely to be tasked with monitoring and enforcing security policy? (D5.3, L5.3.1) Question options: A) The Human Resources office B) The legal department C) Regulators D) The security office

D) The security office While the policy is dictated by senior management, the security office is often tasked with monitoring/enforcing it.

Clyde is the security analyst tasked with finding an appropriate physical control to reduce the possibility that unbadged people will follow badged employees through the entrance of the organization's facility. Which of the following can address this risk? (D3, L3.2.1) Question options: A) Fences B) Dogs C) Bollards D) Turnstiles

D) Turnstiles Turnstiles reduce the possibility of unauthorized personnel following behind authorized personnel, known as "tailgating" or "piggybacking."

Which of the following is a means to allow remote users to have secure access to the internal IT environment? (D4.3, L4.3.3) Question options: A) Internet B) VLAN C) MAC D) VPN

D) VPN A virtual private network protects communication traffic over untrusted media.

When responding to a security incident, your team determines that the vulnerability that was exploited was not widely known to the security community, and that there are no currently known definitions/listings in common vulnerability databases or collections. This vulnerability and exploit might be called ______. (D2, L2.1.1) Question options: A) Malware B) Critical C) Fractal D) Zero-day

D) Zero-day

Which of the following is a subject? (D3, L3.1.1) Question options: A) A file B) A fence C) A filename D) A user

D) A user A user is a subject: an entity that is trying to gain access to objects.
