Security Operations & Administration (Domain 2)


Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives? A. Defense in depth B. Security through obscurity C. Least privilege D. Separation of duties

A. The defense-in-depth principle states that an organization should prepare for the failure of a single security control by ensuring that each security objective is covered by two or more overlapping controls.

Who should the organization appoint to manage the policies and procedures surrounding change management? A. Project manager B. Change manager C. System security officer D. Architect

B. Organizations adopting change management practices should appoint a change manager who will be responsible for managing policies and procedures. The change manager is also responsible for developing and maintaining the processes for requesting, approving, testing, and controlling changes.

Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs? A. CCTV B. IPS C. Turnstiles D. Faraday cages

A. Closed-circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing? A. Integrity B. Availability C. Confidentiality D. Denial

A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred? A. Availability B. Confidentiality C. Disclosure D. Distributed

A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack.

Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door? A. Mantrap B. Electric lock C. Magnetic lock D. Turnstile

C. A magnetic lock may usually be retrofitted to an existing door with a minimum of effort. Installing an electric lock usually requires replacing the entire door. Mantraps and turnstiles will require significant renovation projects.

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce? A. Denial B. Confidentiality C. Integrity D. Availability

D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups

C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Which one of the following is an example of physical infrastructure hardening? A. Antivirus software B. Hardware-based network firewall C. Two-factor authentication D. Fire suppression system

D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.
Controls: 1. Password 2. Account reviews 3. Badge readers 4. MFA 5. IDP
Categories: A. Administrative B. Technical C. Physical

The security controls match with the categories as follows:
1. Password: B. Technical
2. Account reviews: A. Administrative
3. Badge readers: C. Physical
4. MFA: B. Technical
5. IDP: B. Technical
Passwords, multifactor authentication (MFA) techniques, and intrusion prevention systems (IPS) are all examples of technical controls. Account reviews are an administrative control, while using badges to control access is a physical control.

Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this? A. Smart card B. Proximity card C. Magnetic stripe card D. Phase three card

A. The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology.

What principle of information security states that an organization should implement overlapping security controls whenever possible? A. Least privilege B. Separation of duties C. Defense in depth D. Security through obscurity

C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add? A. Hashing B. ACLs C. Read-only attributes D. Firewalls

A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Referring to the figure shown here, what is the name of the security control indicated by the arrow? Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission. A. Mantrap B. Turnstile C. Intrusion prevention system D. Portal

A. Mantraps use a double set of doors to prevent piggybacking by allowing only a single individual to enter a facility at a time.

Which one of the following control categories does not accurately describe a fence around a facility? A. Physical B. Detective C. Deterrent D. Preventive

B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing? A. Policy B. Baseline C. Guideline D. Procedure

B. Baselines provide the minimum level of security that every system throughout the organization must meet.

Which of the following access control categories would not include a door lock? A. Physical B. Directive C. Preventative D. Deterrent

B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don't control the actions of subjects.

Which one of the following is not a canon of the (ISC)2 code of ethics? A. Protect society, the common good, necessary public trust and confidence, and the infrastructure. B. Promptly report security vulnerabilities to relevant authorities. C. Act honorably, honestly, justly, responsibly, and legally. D. Provide diligent and competent service to principals.

B. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence and the infrastructure; act honorably, honestly, justly, responsibly and legally; provide diligent and competent service to principals; and advance and protect the profession.

Which one of the following facilities would have the highest level of physical security requirements? A. Data center B. Network closet C. SCIF D. Cubicle work areas

C. Sensitive compartmented information facilities (SCIFs) are highly secure government facilities designed for processing classified information. They would have stricter physical security requirements than any other type of facility.

Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning? A. Unit testing B. Acceptance testing C. Regression testing D. Vulnerability testing

C. Baseline configurations serve as the starting point for configuring secure systems and applications. They contain the security settings necessary to comply with an organization's security policy and may then be customized to meet the specific needs of an implementation. While security policies and guidelines may contain information needed to secure a system, they do not contain a set of configuration settings that may be applied to a system. The running configuration of a system is the set of currently applied settings, which may or may not be secure.

Which of the following is not true about the (ISC)2 code of ethics? A. Adherence to the code is a condition of certification. B. Failure to comply with the code may result in revocation of certification. C. The code applies to all members of the information security profession. D. Members who observe a breach of the code are required to report the possible violation.

C. The (ISC)2 code of ethics applies only to information security professionals who are members of (ISC)2. Adherence to the code is a condition of certification, and individuals found in violation of the code may have their certifications revoked. (ISC)2 members who observe a breach of the code are required to report the possible violation by following the ethics complaint procedures.

For questions 22-25, please refer to the following scenario. Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper's software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches. Jasper would like to establish a governing body for the organization's change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes? A. Chief information officer B. Senior leadership team C. Change control board D. Software developer

C. The change control board (CCB) has primary responsibility for reviewing the impact of a proposed change and coordinating the review and approval processes.

What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water? A. Wet pipe B. Dry pipe C. Deluge D. Preaction

D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding? A. Training B. Education C. Indoctrination D. Awareness

D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.

Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow? A. Destroy, validate, document B. Clear, purge, document C. Purge, document, validate D. Purge, validate, document

D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

What term is used to describe a set of common security configurations, often provided by a third party? A. Security policy B. Baseline C. DSS D. NIST SP 800-53

B. A baseline is a set of security configurations that can be adopted and modified to fit an organization's security needs. A security policy is written to describe an organization's approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP 800 series of documents addresses computer security in a variety of areas.

Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing? A. Need to know B. Least privilege C. Two-person control D. Transitive trust

B. The principle of least privilege says that an individual should only have the privileges necessary to complete their job functions. Removing administrative privileges from nonadministrative users is an example of least privilege.

Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations

B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Which one of the following elements is not a crucial component of a change request? A. Description of the change B. Implementation plan C. Backout plan D. Incident response plan

D. An organization's incident response plan may be invoked as a result of a change gone awry, but the incident response plan itself is a stand-alone process and does not need to be included in a change request. The change request should definitely include a description of the change, an implementation plan, and a backout plan, among other components.

Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it? Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission. A. Incipient B. Smoke C. Flame D. Heat

A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place, and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.

Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt? A. Confidentiality B. Integrity C. Availability D. Denial

A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following? A. Need to know B. Least privilege C. Separation of duties D. Two-person control

A. Lydia is following the need-to-know principle. While the user may have the appropriate security clearance to access this information, there is no business justification provided, so she does not know that the user has an appropriate need to know the information.

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contracts C. His post-purchase build process D. The original equipment manufacturer (OEM)

A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce? A. Segregation of duties B. Aggregation C. Two-person control D. Defense in depth

A. The matrix shown in the figure is known as a segregation of duties matrix. It is used to ensure that one person does not obtain two privileges that would create a potential conflict. Aggregation describes the unintentional accumulation of privileges over time, also known as privilege creep. Two-person control is used when two people must work together to perform a sensitive action. Defense in depth is a general security principle used to describe a philosophy of overlapping security controls.

Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information? A. Information classification B. Remanence C. Transmitting data D. Clearing

A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn't a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance? A. Organizational code of ethics B. (ISC)2 code of ethics C. Organizational security policy D. (ISC)2 security policy

A. The situation Darlene finds herself in is an ethical dilemma, and a code of ethics would be the best place to look for guidance. This situation is specific to her employer, so she should turn to her organization's code of ethics, rather than the more general (ISC)2 Code of Ethics.

Which one of the following is an administrative control that can protect the confidentiality of information? A. Encryption B. Nondisclosure agreement C. Firewall D. Fault tolerance

B. Nondisclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce? A. Availability B. Denial C. Confidentiality D. Integrity

C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated? A. Data minimization B. Accuracy C. Storage limitations D. Purpose limitations

D. In this case, the organization used the data that they collected for a purpose other than the one that they obtained consent for from the data subjects. This is a violation of purpose limitations. There is no evidence presented that the organization collected more data than was necessary, which would violate data minimization. They disposed of the data promptly, so there was no violation of storage limitations. There is also no indication that any of the data was inaccurate.

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? A. Separation of duties B. Least privilege C. Defense in depth D. Mandatory vacation

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will ideally disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Retaining and maintaining information for as long as it is needed is known as what? A. Data storage policy B. Data storage C. Asset maintenance D. Record retention

D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a process for maintaining physical assets that is not related to information security.

Which one of the following does not describe a standard physical security requirement for wiring closets? A. Place only in areas monitored by security guards. B. Do not store flammable items in the closet. C. Use sensors on doors to log entries. D. Perform regular inspections of the closet.

A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks? A. Firewall B. Intrusion detection system C. Parameter checking D. Vulnerability scanning

C. Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

Tracy is preparing to apply a patch to her organization's enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning? A. Unit testing B. Acceptance testing C. Regression testing D. Vulnerability testing

C. Regression testing is software testing that runs a set of known inputs against an application and then compares the results to those produced by an earlier version of the software. It is designed to capture unanticipated consequences of deploying new code versions prior to introducing them into a production environment.

Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? A. Erasing B. Clearing C. Sanitization D. Destruction

C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don't make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution because of the cost involved.

What type of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies? A. Corrective B. Logical C. Compensating D. Administrative

D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization's own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.

Which one of the following is not an example of a technical control? A. Router ACL B. Firewall rule C. Encryption D. Data classification

D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.

Which one of the following is the first step in developing an organization's vital records program? A. Identifying vital records B. Locating vital records C. Archiving vital records D. Preserving vital records

A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception

B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness? A. Recording B. Analysis/Impact Assessment C. Approval D. Decision Making and Prioritization

B. During the Analysis/Impact Assessment phase, the organization subjects the change to peer review. In the peer review, technologists verify the accuracy and completeness of the change request and attempt to uncover any impact on other systems that might occur as a result of the change.

For questions 53-54, please refer to the following scenario. Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program. 53. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions? A. Separation of duties B. Least privilege C. Aggregation D. Separation of privileges

B. Gary should follow the least privilege principle and assign users only the permissions they need to perform their job responsibilities. Aggregation is a term used to describe the unintentional accumulation of privileges over time, also known as privilege creep. Separation of duties and separation of privileges are principles used to secure sensitive processes.

When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following? A. Least privilege B. Separation of duties C. Job rotation D. Security through obscurity

B. Hilda's design follows the principle of separation of duties. Giving one user the ability to both create new accounts and grant administrative privileges combines two actions that would result in a significant security change that should be divided among two users.

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing? A. Least privilege B. Two-person control C. Job rotation D. Separation of duties

B. In this scenario, Helen designed a process that requires the concurrence of two people to perform a sensitive action. This is an example of two-person control.

Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation? A. Street addresses B. Item codes C. Mobile phone numbers D. Social Security numbers

B. Privacy is of the utmost concern when handling personally identifiable information (PII). PII includes any information that may be reasonably tied to a specific person. This would include street addresses, telephone numbers, and national ID numbers (such as Social Security numbers). Item codes, when not tied to a name or other identifier, would not constitute PII.

Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks? A. Awareness B. Training C. Education D. Indoctrination

B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.

The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure. B. Disclose breaches of privacy, trust, and ethics. C. Provide diligent and competent service to principals. D. Advance and protect the profession.

B. The (ISC)2 code of ethics also includes "Act honorably, honestly, justly, responsibly, and legally" but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

For questions 13-15, please refer to the following scenario. Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security.

Users in the two offices would like to access each other's file servers over the Internet. What control would provide confidentiality for those communications? A. Digital signatures B. Virtual private network C. Virtual LAN D. Digital content management

B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office's server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Connor's company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced? A. Espionage B. Confidentiality breach C. Sabotage D. Integrity breach

C. An attack committed against an organization by an insider, such as an employee, is known as sabotage. Espionage and confidentiality breaches involve the theft of sensitive information, which is not alleged to have occurred in this case. Integrity breaches involve the unauthorized modification of information, which is not described in this scenario.

What technology asset management practice would an organization use to ensure that systems meet baseline security standards? A. Change management B. Patch management C. Configuration management D. Identity management

C. Configuration management practices ensure that an organization manages the configuration of systems in an organized and automated fashion. This would include ensuring that systems remain in compliance with the baseline requirements of the organization's security standards.

Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline? A. It applies in all circumstances, allowing consistent security controls. B. They are approved by industry standards bodies, preventing liability. C. They provide a good starting point that can be tailored to organizational needs. D. They ensure that systems are always in a secure state.

C. Security baselines provide a starting point to scope and tailor security controls to your organization's needs. They aren't always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability.
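The two answers above (configuration management keeping systems at baseline, and baselines as a starting point to be tailored) are easier to see in a concrete check. The following is an added example, not code from the original page: it parses a host configuration file in sshd_config style, reports every directive that deviates from a baseline, and shows tailoring as an explicit, justified override rather than a silent exception. The baseline values and the sample configuration text are constructed for the demonstration and are not an official benchmark.

```python
"""Added example: baseline compliance check with documented tailoring.

BASELINE and SAMPLE_SSHD_CONFIG are constructed for this demonstration.
"""

# Required value per directive (constructed, benchmark-style).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample config. Note the commented-out directive: it is NOT set,
# so the daemon default applies, which may differ from the baseline.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Directive value' lines, skipping blank and comment lines.
    Directive names are case-insensitive, and for sshd the *first* occurrence
    of a directive is the one that takes effect, so keep the first value."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def check_baseline(settings: dict[str, str],
                   baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (directive, expected, actual) for every deviation. A directive
    absent from the file is reported as '<unset>': relying on a default is a
    deviation until someone verifies the default equals the baseline value."""
    deviations = []
    for directive, expected in baseline.items():
        actual = settings.get(directive.lower(), "<unset>")
        if actual.lower() != expected.lower():
            deviations.append((directive, expected, actual))
    return deviations


def tailor(baseline: dict[str, str], overrides: dict[str, str],
           justification: dict[str, str]) -> dict[str, str]:
    """Produce an organization-specific baseline. Every override must carry a
    written justification, so tailoring is a recorded decision, not drift."""
    tailored = dict(baseline)
    for directive, value in overrides.items():
        if not justification.get(directive):
            raise ValueError(f"override for {directive} lacks a justification")
        tailored[directive] = value
    return tailored


if __name__ == "__main__":
    settings = parse_config(SAMPLE_SSHD_CONFIG)
    for directive, expected, actual in check_baseline(settings, BASELINE):
        print(f"DEVIATION {directive}: expected {expected!r}, found {actual!r}")

    # Tailoring: a jump host legitimately needs more auth attempts.
    local = tailor(BASELINE, {"MaxAuthTries": "6"},
                   {"MaxAuthTries": "jump host, hardware tokens retry (ticket CM-0000)"})
    print("after tailoring:", check_baseline(settings, local))
```

Running the check against the constructed file reports three deviations (root login enabled, password authentication unset, MaxAuthTries 6 because the first occurrence wins); after the justified tailoring only two remain, which is exactly the record a periodic audit would want to see.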

Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve? A. Authentication B. Authorization C. Integrity D. Nonrepudiation

D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
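The distinction in the answer above (authentication proves the source to the recipient; nonrepudiation proves it to a third party) comes down to who holds the verification key. The following is an added example, not code from the original page, that shows it in code: with a shared-key MAC the recipient can compute a valid tag on any message, so a tag proves nothing to an auditor; with a public-key signature the recipient has only the public key, cannot forge, and the auditor can verify with the same public key. The RSA here is textbook RSA over freshly generated primes with no padding scheme, a teaching toy and not a usable signature scheme; the parties and the message are constructed.

```python
"""Added example: MAC (authentication only) versus signature (nonrepudiation).

The RSA below is textbook RSA without padding: a toy for illustration only,
not a secure signature scheme. The message and party names are constructed.
"""
import hashlib
import hmac
import secrets


# --- Shared-key MAC: sender and recipient hold the same key ------------------
def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


def recipient_can_forge_mac(shared_key: bytes, forged_msg: bytes) -> bool:
    """The recipient holds the same key as the sender, so it can produce a tag
    that verifies on any message of its choosing. A valid tag therefore does
    not let the recipient prove to a third party who wrote the message."""
    return mac_verify(shared_key, forged_msg, mac(shared_key, forged_msg))


# --- Toy RSA signature: only the signer holds the private exponent -----------
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def toy_rsa_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)). 512-bit modulus is far too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def _digest_int(msg: bytes) -> int:
    # SHA-256 output (< 2**256) is always below a 512-bit modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv: tuple[int, int], msg: bytes) -> int:
    d, n = priv
    return pow(_digest_int(msg), d, n)


def verify(pub: tuple[int, int], msg: bytes, sig: int) -> bool:
    """Anyone holding the public key, including a third-party auditor, can
    check the signature; nobody without d can produce one."""
    e, n = pub
    return pow(sig, e, n) == _digest_int(msg)


if __name__ == "__main__":
    shared = b"constructed-shared-key"
    print("recipient forges MAC on 'pay 1000':",
          recipient_can_forge_mac(shared, b"pay 1000"))
    bank_pub, bank_priv = toy_rsa_keypair()
    msg = b"Transfer 500 to account 1234"       # constructed message
    sig = sign(bank_priv, msg)
    print("auditor verifies with public key only:", verify(bank_pub, msg, sig))
    print("same sig on altered message:",
          verify(bank_pub, b"Transfer 5000 to account 1234", sig))
```

In the MAC case a "valid" tag from the recipient is indistinguishable from one the bank produced, which is why Ben cannot use a MAC to meet his goal; in the signature case the auditor needs nothing but the bank's public key to confirm the message came from the holder of the private key.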

Which one of the following is not a goal of a formal change management program? A. Implement change in an orderly fashion. B. Test changes prior to implementation. C. Provide rollback plans for changes. D. Inform stakeholders of changes after they occur.

D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns? A. Firewall rules B. Policy documents C. Security standards D. Periodic audits

D. While all of the items listed are components of a strong security program, periodic audits would provide Carl with the assurance that controls continue to operate effectively over the long term.

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? A. Integrity B. Denial C. Availability D. Confidentiality

D. Wireshark is a protocol analyzer that captures and decodes network traffic. Using it to capture other users' traffic is eavesdropping, which is an attack against confidentiality.
