CISSP Review Questions - Ninth Edition


Assessment - 29 Risk assessment is a process by which the assets, threats, probabilities, and likelihoods are evaluated in order to establish criticality prioritization. What is the formula used to compute the ALE? A) ALE = AV x EF x ARO B) ALE = ARO x EF C) ALE = AV x ARO D) ALE = EF x ARO

A) ALE = AV x EF x ARO. The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE x ARO, since SLE = AV x EF.

Assessment - 28 Security needs to be designed to support the business objectives, but it also needs to be legally defensible. To defend the security of an organization, a log of events and activities must be created. Auditing is a required factor to sustain and enforce what? A) Accountability B) Confidentiality C) Accessibility D) Redundancy

A) Accountability. Auditing is a required factor to sustain and enforce accountability. Auditing is one of the elements of the AAA services concept of identification, authentication, authorization, auditing, and accounting (or accountability).

Assessment - 38 What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate? A) HOTP B) HMAC C) SAML D) TOTP

D) TOTP. The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens, or synchronous dynamic password tokens, are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate.

Chapter 3-14 Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A) 0.01 B) $10 million C) $100,000 D) 0.10

B

Chapter 3-8 You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche would occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? A) $3 million B) $2,700,000 C) $270,000 D) $135,000

B

Assessment - 15 TCP operates at the Transport Layer and is a connection-oriented protocol. It uses a special process to establish a session each time a communication takes place. What is the last phase of the TCP three-way handshake sequence? A) SYN flagged packet B) ACK flagged packet C) FIN flagged packet D) SYN/ACK flagged packet

B) ACK flagged packet. The initiating host sends an ACK flagged packet, and the connection is then established.

Assessment - 16 The lack of secure coding practices has enabled an uncountable number of software vulnerabilities that hackers have discovered and exploited. Which one of the following vulnerabilities would be best countered by adequate parameter checking? A) Time-of-check to time-of-use B) Buffer overflow C) SYN flood D) Distributed denial of service (DDoS)

B) Buffer overflow. Parameter checking (i.e., confirming input is within reasonable boundaries) is used to prevent the possibility of buffer overflow attacks.

Assessment - 14 Which one of the following is a layer of the ring protection scheme design concept that is not normally implemented? A) Layer-0 B) Layer-1 C) Layer-3 D) Layer-4

B) Layer-1 Layers 1 and 2 contain device drivers but are not normally implemented in practice, since they are often collapsed into layer 0.

Assessment - 3 Some adversaries use DoS attacks as their primary weapon to harm targets, whereas others may use them as weapons of last resort when all other attempts to intrude on a target fail. Which of the following is most likely to detect DoS attacks? A) Host-based IDS B) Network-based IDS C) Vulnerability scanner D) Penetration testing

B) Network-based IDS Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected.

Assessment - 10 The security concept of AAA services describes the elements that are necessary to establish subject accountability. Which of the following is not a required component in the support of accountability? A) Logging B) Privacy C) Identification verification D) Authorization

B) Privacy Privacy is not necessary to provide accountability.

Assessment - 12 A data custodian is responsible for security resources after ___________ has assigned the resource a security label. A) Senior management B) The data owner C) An auditor D) Security staff

B) The data owner The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately.

Assessment - 4 Unfortunately, attackers have many options of attacks to perform against their targets. Which of the following is considered a denial-of-service (DoS) attack? A) Pretending to be a technical manager over the phone and asking a receptionist to change their password B) While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU C) Intercepting network traffic by copying the packets as they pass through a specific subnet D) Sending message packets to a recipient who did not request them, simply to be annoying

B) While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU. Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering (i.e., pretending to be a technical manager) and sniffing (i.e., intercepting network traffic) are typically not considered DoS attacks. Sending message packets to a recipient who did not request them simply to be annoying may be a type of social engineering and it is definitely spam, but unless the volume of the messages is significant, it does not warrant the label of DoS.

Assessment - 19 The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements are true? A) A data processor is the entity assigned a specific responsibility for a data asset in order to ensure its protection for use by the organization. B) A data custodian is the entity that performs operations on data. C) A data controller is the entity that makes decisions about the data they are collecting. D) A data owner is the entity assigned or delegated the day-to-day responsibility of proper storage and transport as well as protecting data, assets, and other organizational objects.

C) A data controller is the entity that makes decisions about the data they are collecting. The correct statement is regarding the data controller.

Assessment - 1 Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity? A) Preventive B) Deterrent C) Detective D) Corrective

C) Detective Detective access controls are used to discover (and document) unwanted or unauthorized activity.

Assessment - 11 Collusion is when two or more people work together to commit a crime or violate a company policy. Which of the following is not a defense against collusion? A) Separation of duties B) Restricted job responsibilities C) Group user accounts D) Job rotation

C) Group user accounts. Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability.

Chapter 1-1 Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives for a security infrastructure. Which of the following is not considered a violation of Confidentiality? A) Stealing passwords using a keystroke logging tool. B) Eavesdropping on wireless network communications. C) Hardware destruction caused by arson. D) Social engineering that tricks a user into providing personal information to a false website.

C) Hardware destruction caused by arson.

Assessment - 13 In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures used to gain a detailed understanding of the software development process? A) Repeatable B) Defined C) Managed D) Optimizing

C) Managed The Managed phase (level 4) of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management.

Assessment - 20 If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike? A) Renee's public key B) Renee's private key C) Mike's public key D) Mike's private key

C) Mike's public key. Any recipient can use Mike's public key to verify the authenticity of the digital signature.

Assessment - 8 Adversaries will use any and all means to harm their targets. This includes mixing attack concepts together to make a more effective campaign. What type of malware uses social engineering to trick a victim into installing it? A) Virus B) Worm C) Trojan horse D) Logic bomb

C) Trojan horse A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload.

Chapter 3-17 Matt is supervising the installation of redundant communication links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing? A) Hardening systems B) Defining systems C) Reducing systems D) Alternative systems

D) Alternative systems

Assessment - 9 Security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. Then, controls are selected that provide protection for the CIA Triad of the assets at risk. The CIA Triad consists of what elements? A) Contiguousness, interoperable, arranged B) Authentication, authorization, accountability C) Capable, available, integral D) Availability, confidentiality, integrity

D) Availability, confidentiality, integrity The components of the CIA Triad are confidentiality, availability, and integrity.

Assessment - 6 Which type of firewall automatically adjusts its filtering rules based on the content and context of the traffic of existing sessions? A) Static packet filtering B) Application-level gateway C) Circuit-level gateway D) Stateful inspection firewall

D) Stateful inspection firewall. Stateful inspection firewalls (aka dynamic packet-filtering firewalls) enable the real-time modification of the filtering rules based on traffic content and context.

Chapter 1-14 Supply chain risk management (SCRM) is the means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? 1) Each link in the supply chain should be responsible and accountable to the next link in the chain. 2) Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips. 3) If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements. 4) Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listening or remote control mechanisms. A) 1, 2, 4 B) 2 C) 2, 3, 4 D) 1, 4

A

Chapter 1-16 Whenever an organization works with a third party, its supply chain risk management (SCRM) process should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on? A) Existing security policy B) Third-party audit C) On-site assessment D) Vulnerability scan results

A

Chapter 1-7 Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for crafting a customized IT security solution within an established infrastructure? A) ITIL B) ISO 27000 C) CIS D) CSF

A

Chapter 2-11 During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated? A) ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B) ALE before safeguard x ARO of safeguard C) ALE after implementing safeguard + annual cost of safeguard - controls gap D) Total risk - controls gap

A

Chapter 2-13 A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue? A) Inherent risk B) Risk matrix C) Qualitative assessment D) Residual risk

A

Chapter 2-2 Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step? A) Create a job description B) Set position classification C) Screen candidates D) Request Resumes

A

Chapter 2-6 Match the term to its definition: 1) Asset 2) Threat 3) Vulnerability 4) Exposure 5) Risk I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. II. Anything used in a business process or task. III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or a specific asset. A) 1-II; 2-V; 3-I; 4-III; 5-IV B) 1-I; 2-II; 3-IV; 4-II; 5-V C) 1-II; 2-V; 3-I; 4-IV; 5-III D) 1-IV; 2-V; 3-III; 4-II; 5-I

A

Chapter 3-10 You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hire a team of architects and engineers, who determine that the average hurricane will destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A) $750,000 B) $1.5 million C) $7.5 million D) $15 million

A

Chapter 3-19 Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed? A) 20 percent B) 50 percent C) 75 percent D) 100 percent

A

Chapter 3-5 Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification process. What unit of measure should he use? A) Monetary B) Utility C) Importance D) Time

A

Assessment - 17 Computers are based on binary mathematics. All computer functions are derived from the basic set of Boolean operations. What is the value of the logical operation shown here?

X:     0 1 1 0 1 0
Y:     0 0 1 1 0 1
-------------------
X ⊕ Y: ?

A) 0 1 0 1 1 1 B) 0 0 1 0 0 0 C) 0 1 1 1 1 1 D) 1 0 0 1 0 1

A) 0 1 0 1 1 1. The ⊕ symbol represents the XOR function and returns a true value when only one of the input values is true. If both values are false or both values are true, the output of the XOR function is false.

Assessment - 22 The _________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. A) Data owner B) Data controller C) Data processor D) Data custodian

A) Data owner. The data owner is the person(s) (or entity) assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.

Assessment - 31 Many events can threaten the operation, existence, and stability of an organization. Some of those threats are human caused, whereas others are from natural events. Which of the following represent natural events that can pose a threat or risk to an organization? A) Earthquake B) Flood C) Tornado D) All of the above

D) All of the above. Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornadoes, wildfires, and other acts of nature.

Assessment - 2 Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices. A) Is difficult to guess or unpredictable B) Meets minimum length requirements C) Meets specific complexity requirements D) All of the above

D) All of the above. Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and use all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn't be transmitted in the clear.

Assessment - 5 Hardware networking devices operate within the protocol stack just like protocols themselves. Thus, hardware networking devices can be associated with an OSI model layer related to the protocols they manage or control. At which layer of the OSI model does a router operate? A) Network layer B) Layer 1 C) Transport Layer D) Layer 5

A) Network layer (Layer 3). Network hardware devices, including routers, function at layer 3, the Network layer.

Assessment - 7 A VPN can be a significant security improvement for many communication links. A VPN can be established over which of the following? A) Wireless LAN connection B) Remote access dial-up connection C) WAN link D) All of the above

D) All of the above. A virtual private network (VPN) link can be established over any network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an internet connection used by a client for access to the office LAN.

Assessment - 18 Which of the following are considered standard data type classifications used either in a government/military or a private sector organization? (Check all that apply) 1) Public 2) Healthy 3) Private 4) Internal 5) Sensitive 6) Proprietary 7) Essential 8) Certified 9) Critical 10) Confidential 11) For your eyes only A) 1, 3, 4, 5, 9, 10 B) 1, 3, 5, 6, 9, 11 C) 1, 3, 5, 6, 8, 9 D) 1, 3, 5, 6, 9, 10

1) Public, 3) Private, 5) Sensitive, 6) Proprietary, 9) Critical, 10) Confidential

Chapter 3-1 James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? A) BCP team selection B) Business organization analysis C) Resource analysis D) Legal and regulatory assessment

B

Chapter 1-10 In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? 1) Due diligence is establishing a plan, policy, and process to protect the interests of an organization. 2) Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. 3) Due diligence is the continued application of a security structure onto the IT infrastructure of an organization. 4) Due care is practicing the individual activities that maintain the security effort. 5) Due care is knowing what should be done and planning for it. 6) Due diligence is doing the right action at the right time. A) 1 B) 1, 4 C) 3, 6 D) 4, 5

B

Chapter 1-11 Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions. 1) Policy 2) Standard 3) Procedure 4) Guideline I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. III. A minimum level of security that every system throughout the organization must meet. IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. V. Defines compulsory

B

Chapter 1-13 A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats and risks of their solutions and integrates against unwanted outcomes. What concept of threat modeling is this? A) Threat hunting B) Proactive approach C) Qualitative approach D) Adversarial approach

B

Chapter 1-16 Cathy's employer has asked her to perform a document review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding? A) Write up a report and submit it to the CIO B) Void the ATO of the vendor C) Require that the vendor review their terms and conditions D) Have the vendor sign an NDA

B

Chapter 1-2 Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security? A) A network's border perimeter. B) The CIA Triad C) AAA Services D) Ensuring that subject activities are recorded.

B

Chapter 1-3 James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated? A) Identification B) Availability C) Encryption D) Layering

B

Chapter 1-8 A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it? A) Senior Management B) Security Professional C) Custodian D) Auditor

B

Chapter 2-15 The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether system or common controls are approved based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is reasonable? A) Categorize B) Authorize C) Assess D) Monitor

B

Chapter 2-19 Often a _______________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. ____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A) CISO(s) B) Security champion(s) C) Security auditor(s) D) Custodian(s)

B

Chapter 2-3 _________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A) Reissue B) Onboarding C) Background checks D) Site survey

B

Chapter 2-4 After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee? A) Return the exiting employee's personal belongings. B) Review the nondisclosure agreement. C) Evaluate the exiting employee's performance. D) Cancel the exiting employee's parking permit.

B

Chapter 2-7 While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A) Virus infection B) Damage to equipment C) System malfunction D) Unauthorized access to confidential information

B

Chapter 1-18 It is common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected? A) VAST B) SD3+C C) PASTA D) STRIDE

C

Chapter 1-19 The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing a decomposition? 1) Patch or update versions 2) Trust boundaries 3) Dataflow paths 4) Open vs. closed source code use 5) Input points 6) Privileged operations 7) Details about security stance and approach A) 1, 2, 3 B) 3, 4, 6, 7 C) 2, 3, 5, 6, 7 D) 1, 3, 5, 6, 7

C

Chapter 1-5 You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create? A) Tactical plan B) Operational Plan C) Strategic Plan D) Rollback Plan

C

Chapter 1-6 Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of these risks? 1) Inappropriate information disclosure 2) Increased worker compliance 3) Data loss 4) Downtime 5) Additional insight into the motivations of inside attackers 6) Failure to achieve sufficient return on investment (ROI) A) 1, 4, 5, 6 B) 1, 2, 3, 4 C) 1, 3, 4, 6 D) 3, 4, 6

C

Chapter 2-10 During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A) Mitigation B) Ignoring C) Acceptance D) Assignment

C

Chapter 2-12 Which of the following are valid definitions of risk? 1) An assessment of probability, possibility, or chance 2) Anything that removes a vulnerability or protects against one or more specific threats 3) Risk = threat x vulnerability 4) Every instance of exposure 5) The presence of a vulnerability when a related threat exists A) 1, 2 B) 2, 3, 4 C) 1, 3, 4 D) 3, 4, 5

C

Chapter 2-14 Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and the business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization? A) Preliminary B) Integrated C) Defined D) Optimized

C

Chapter 2-17 What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A) Education B) Awareness C) Training D) Termination

C

Chapter 2-18 Which of the following could be classified as a form of social engineering attack: 1) A user logs in to their workstation and then decides to get a soda from a vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. 2) You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. 3) A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. 4) A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO'

C

Chapter 2-5 Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A) Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B) Outsourcing can be used as a risk response option known as acceptance or appetite. C) Multiparty risks exist when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, and security priorities of those involved. D) Risk management strategies implemented by one party do not cause additional risks against or from another party.

C

Chapter 2-9 You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A) The expected annual cost of asset loss should not exceed the annual costs of safeguards. B) The annual costs of safeguards should equal the value of the asset. C) The annual costs of safeguards should not exceed the expected annual cost of asset value loss. D) The annual costs of safeguards should not exceed 10 percent of the security budget.

C

Chapter 3-7 Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? A) SLE B) EF C) MTD D) ARO

C

Chapter 3-11 Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which of the following items is Chris LEAST likely to include in this documentation? A) Listing of the risks deemed acceptable. B) Listing of future events that might warrant reconsideration of risk acceptance decisions. C) Risk mitigation controls put in place to address acceptable risks. D) Rationale for determining that risks were acceptable.

C

Chapter 3-13 Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is LEAST suitable for quantitative measurement during this assessment? A) Loss of a plant B) Damage to a vehicle C) Negative publicity D) Power outage

C

Chapter 3-15 Referring to the scenario in question 14 (Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years). What is the annualized loss expectancy? A) 0.01 B) $10 million C) $100,000 D) 0.10

C

Chapter 3-16 In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A) Strategy development B) Business impact analysis C) Provisions and processes D) Resource prioritization

C

Chapter 3-18 Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? A) Business continuity plan B) Business impact analysis C) Disaster recovery plan D) Vulnerability assessment

C

Chapter 3-2 Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel it is a waste of resources. She has already told the managers it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? A) The exercise is required by policy. B) The exercise is already scheduled and canceling it would be difficult. C) The exercise is crucial to ensuring that the organization is prepared for emergencies. D) The exercise will not be very time-consuming.

C

Chapter 3-20 Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A) Vice president of operations B) Chief information officer C) Chief executive officer D) Business continuity manager

C

Chapter 3-3 The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review? A) Corporate responsibility B) Disaster requirement C) Due diligence D) Going concern responsibility

C

Chapter 3-6 Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just want to know how much we should expect these risks to cost each year." What measure could Renee provide to best answer this question? A) ARO B) SLE C) ALE D) EF

C

Assessment - 37 A new update has been released by the vendor of an important software product that is an essential element of a critical business task. The chief security officer (CSO) indicates that the new software version needs to be tested and evaluated in a virtual lab, which has a cloned simulation of many of the company's production systems. Furthermore, the results of this evaluation must be reviewed before a decision is made as to whether the software update should be installed and, if so, when to install it. What security principle is the CSO demonstrating? A) Business continuity planning (BCP) B) Onboarding C) Change management D) Static analysis

Change management = The CSO in this scenario is demonstrating the need to follow the security principle of change management. = Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms.

Assessment - 35 DevOps manager John is concerned with the CEO's plan to minimize his department and outsource code development to a foreign programming group. John has a meeting scheduled with the board of directors to encourage them to retain code development in house due to several concerns. Which of the following should John include in his presentation? 1) Code from third parties will need to be manually reviewed for function and security. 2) If the third party goes out of business, existing code may need to be abandoned. 3) Third-party code development is always more expensive. 4) A software escrow agreement should be established.

Code from third parties will need to be manually reviewed for function and security. If the third party goes out of business, existing code may need to be abandoned. = If your organization depends on custom-developed software or software products produced through outsourced code development, then the risks of that arrangement need to be evaluated and mitigated. = First, the quality and security of the code needs to be assessed. = Second, if the third-party development group goes out of business, can you continue to operate with the code as is? = You may need to abandon the existing code to switch to a new development group.

Chapter 1-12 STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation? 1) Spoofing 2) Tampering 3) Repudiation 4) Information Disclosure 5) Denial of Service 6) Elevation of Privilege A) 1 B) 2 C) 3 D) 4

D

Chapter 1-15 Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario? A) Software B) Services C) Data D) Hardware

D

Chapter 1-20 Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? 1) Layering 2) Classifications 3) Zones 4) Realms 5) Compartments 6) Silos 7) Segmentations 8) Lattice structure 9) Protection Rings A) 1, 3, 4, 5, 7, 9 B) 1, 2, 6, 7 C) 4, 5, 6, 7 D) All of the above

D

Chapter 1-4 Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance? A) Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. B) Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. C) Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. D) Security Governance seeks to compare the security processes and infrastructure used within the organization with knowle

D

Chapter 1-9 Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? 1) Holistic Approach 2) End-to-End Governance System 3) Provide Stakeholder Value 4) Maintaining Authenticity and Accountability 5) Dynamic Governance System A) 2, 3, 4 B) 1, 3, 4 C) 1, 2, 3 D) 1, 2, 3, 5

D

Chapter 2-1 You have been tasked with overseeing the security improvement for your organization. The goal is to reduce the current risk profile to a lower level without spending a considerable amount of money. You decide to focus on the largest concern mentioned by your CISO. Which is likely the element of the organization that is considered the weakest? A) Software products B) Internet connections C) Security policies D) Humans

D

Chapter 2-16 Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? 1) Deploy a web application firewall 2) Block access to personal email from the company network 3) Update the company email server 4) Implement multifactor authentication (MFA) on the company email server 5) Perform an access review of all company files 6) Prohibit access to social networks on company equipment A) 1, 2 B) 2, 3, 4 C) 3, 4, 5 D) 2, 6

D

Chapter 2-20 The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that they were crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach being recommended? A) Program effectiveness evaluation B) Onboarding C) Compliance enforcement D) Gamification

D

Chapter 2-8 During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm from a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A) Qualitative risk assessment B) Delphi technique C) Risk avoidance D) Quantitative risk assessment

D

Chapter 3-12 Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? A) Physical plant B) Infrastructure C) Financial D) People

D

Chapter 3-4 Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? A) Hardware B) Software C) Process time D) Personnel

D

Chapter 3-9 Referring to the scenario in question 8 (You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche would occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself.) What is the annualized loss expectancy? A) $3 million B) $2,700,000 C) $270,000 D) $135,000

D

Assessment - 21 A systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room, and all digital access is limited to a set of security administrators. Which of the following describes the data? A) The data is encrypted in transit B) The data is encrypted in processing C) The data is redundantly stored D) The data is encrypted at rest

D) The data is encrypted at rest = In this scenario, the data is encrypted at rest with AES-256. There is no mention of encryption for transfer or processing.

Assessment - 23 A security auditor is seeking evidence of how sensitive documents made their way out of the organization and onto a public document distribution site. It is suspected that an insider exfiltrated the data over a network connection to an external server, but this is only a guess. Which of the following would be useful in determining whether this suspicion is accurate? NAC; Log analysis; DLP alerts; Malware scanner reports; Syslog integrity monitoring

Data loss prevention (DLP) alerts Log analysis = In this scenario, the data loss prevention (DLP) alerts and log analysis are the only options that would potentially include useful information in regard to an insider exfiltrating the sensitive documents.

Assessment - 39 Your organization is moving a significant portion of their data processing from an on-premises solution to the cloud. When evaluating a cloud service provider (CSP), which one of the following is the most important security concern? A) Data retention policy B) Number of customers C) Hardware used to support VMs D) Whether they offer MaaS, IDaaS, and SaaS

Data retention policy = The most important security concern from this list of options in relation to a CSP is the data retention policy. = The data retention policy defines what information or data is being collected by the CSP, how long it will be kept, how it is destroyed, why it is kept, and who can access it.

Assessment - 34 Any evidence to be used in a court proceeding must abide by the Rules of Evidence to be admissible. What type of evidence refers to written documents that are brought into court to prove a fact? A) Best evidence B) Parol evidence C) Documentary evidence D) Testimonial evidence

Documentary evidence = Written documents brought into court to prove the facts of a case are referred to as documentary evidence.

Assessment - 25 When securing a mobile device, what types of authentication can be used that depend on the user's physical attributes? (Check all that apply) Fingerprint Gait TOTP (time-based one-time password) Phone call Voice Facial recognition SMS (short message service) Smartcard Retina Password

Fingerprint Voice Retina Facial recognition Biometrics are authentication factors that are based on a user's physical attributes; they include fingerprints, voice, retina, and facial recognition.

Assessment - 36 When TLS is being used to secure web communications, what URL prefix appears in the web browser address bar to signal this fact? A) SHTTP:// B) TLS:// C) FTPS:// D) HTTPS://

HTTPS:// = HTTPS:// is the correct prefix for the use of HTTP (Hypertext Transfer Protocol) over TLS (Transport Layer Security). = This was the same prefix when SSL (Secure Sockets Layer) was used to encrypt HTTP, but SSL has been deprecated.

Assessment - 32 What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility? A) Hot site B) Warm site C) Cold site D) All of the above

Hot site = Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations.

Assessment - 30 Incident response plans, business continuity plans, and disaster recovery plans are crafted when implementing business-level redundancy. These plans are derived from the information obtained when performing a business impact assessment (BIA). What is the first step of the BIA process? A) Identification of priorities B) Likelihood assessment C) Risk identification D) Resource prioritization

Identification of priorities = Identification of priorities is the first step of the business impact assessment process.

Assessment - 33 During an account review, an auditor provided the following report:

User   Last Login Length   Last Password Change
Bob    4 hours             87 days
Sue    3 hours             38 days
John   1 hour              935 days
Kesha  3 hours             49 days

The security manager reviews the account policies of the organization and takes note of the following requirements:
- Passwords must be at least 12 characters long
- Passwords must include at least one example of three different character types
- Passwords must be changed every 180 days
- Passwords cannot be reused

Which of the following security controls should be corrected to enforce the password policy? A) Minimum password length B) Account lockout C) Password history and minimum age D) Password maximum age

Password maximum age = The issue revealed by the audit report is that one account has a password that is older than the requirements allow for; thus, correcting the password maximum age security setting should resolve this.

Assessment - 27 Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system's security controls? A) Logging usage data B) War dialing C) Penetration testing D) Deploying secured desktop applications

Penetration testing = Penetration testing is the attempt to bypass security controls to test overall system security.

Assessment - 26 A recently acquired piece of equipment is not working properly. Your organization does not have a trained repair technician on staff, so you have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician? A) Guest account B) Privileged account C) Service account D) User account

Privileged account = A repair technician typically requires more than a normal level of access to perform their duties, so a privileged account for even a trusted third-party technician is appropriate.

Assessment - 24 A new Wireless Application Protocol (WAP) is being installed to add wireless connectivity to the company network. The configuration policy indicates that WPA3 is to be used and thus only newer or updated endpoint devices can connect. The policy also states that ENT authentication will not be implemented. What authentication mechanism can be implemented in this situation? A) IEEE 802.1X B) IEEE 802.1q C) Simultaneous authentication of equals (SAE) D) EAP-FAST

Simultaneous authentication of equals (SAE) = WPA3 supports ENT (Enterprise Wi-Fi authentication, aka IEEE 802.1X) and SAE authentication. = Simultaneous authentication of equals (SAE) still uses a password, but it no longer encrypts and sends that password across the connection to perform authentication. Instead, SAE performs a zero-knowledge proof process known as Dragonfly Key Exchange, which is itself a derivative of Diffie-Hellman.

Assessment - 40 Most software vulnerabilities exist because of a lack of secure or defensive coding practices used by the developers. Which of the following is considered a secure coding technique? Using immutable systems Using server-side validation Using stored procedures Optimizing file sizes Using code signing Using third-party software libraries

Using immutable systems Using stored procedures Using server-side validation Using code signing = Using immutable systems is not a secure coding technique; instead, an immutable system is a server or software product that, once configured and deployed, is never altered in place. Programmers need to adopt secure coding practices, which include using stored procedures, code signing, and server-side validation. = A stored procedure is a subroutine or software module that can be called on or accessed by applications interacting with a relational database management system (RDBMS). = Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from. = Server-side data validation is suited for protecting a system against input submitted by a malicious user.
