CISSP - Domain 1 - Security & Risk Management - 15%
BCP Project Scope & Planning Phase (4 components)
1. A structured analysis of the org, 2. The creation of a BCP team, 3. An assessment of available resources, and 4. An analysis of the legal and regulatory landscape.
Which one of the following is not normally included in BCP documentation? A. Statement of accounts B. Statement of importance C. Statement of priorities D. Statement of organizational responsibility
A. BCP doc normally includes continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation doc, a vital records program, emergency response guidelines, and doc for maintaining and testing the plan.
A user denies having performed an action under investigation in a security incident. What type of threat has taken place under the STRIDE model? A. repudiation B. information disclosure C. tampering D. elevation of privilege
A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove otherwise.
What is the formula used to determine risk? A. Risk = Threat * Vulnerability B. Risk = Threat/Vulnerability C. Risk = Asset * Threat D. Risk = Asset/Threat
A. Risks exist when there is an intersection of a threat and a vulnerability.
What important functions do senior managers normally fill on a BCP team? A. arbitrating disputes about criticality B. evaluating the legal environment C. training staff D. designing failure controls
A. Senior managers play several roles on a BCP team, including: setting priorities, obtaining resources, and arbitrating disputes among team members.
A network is bombarded with TCP SYN packets during a denial of service attack. What principle of InfoSec is being violated? A. availability B. integrity C. confidentiality D. denial
A. A flood of TCP SYN packets (a SYN flood) fills the target's table of half-open connections and jeopardizes availability. It is not a smurf attack; a smurf attack is a different DoS technique that sends ICMP echo requests to a broadcast address with a spoofed source so the replies flood the victim.
rogue access point
An unauthorized access point, often configured with an apparently legitimate SSID to attract new connections.
evil twin
An attack that relies on an access point to spoof a legitimate access point's SSID and MAC address.
replay
An attack that retransmits captured communication to attempt to gain access to a targeted system.
Which one of the following control categories does not accurately describe a fence around a facility? A. physical B. detective C. deterrent D. preventative
B. A fence does not have the ability to detect intrusions. It does have the ability to prevent and deter an intrusion and is an example of a physical control.
Which of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH Act
B. The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
Which one of the following is not a requirement for an invention to be patentable? A. It must be new B. It must be invented by an American citizen C. It must be non-obvious D. It must be useful
B. There is no requirement that patents be for inventions made by American citizens.
Users in two offices would like to access each other's file servers over the internet. What control would provide confidentiality for those communications? A. digital signatures B. VPN C. Virtual LAN D. Digital content management
B. VPNs provide secure communications channels over otherwise insecure networks using encryption. Digital signatures are used to provide nonrepudiation, not confidentiality. VLANs provide network segmentation on local networks but not across the internet. Digital content management solutions are designed to manage web content, not access shared files on a file server.
Requirement: Add technology that would enable continued access to files located on a server even if a hard drive in a server fails. What integrity control allows you to add robustness without additional servers? A. server clustering B. load balancing C. RAID D. scheduled backups
C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Backups protect against data loss but don't provide immediate access to data in the event of a hard drive failure.
Which principle imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. due diligence B. separation of duties C. due care D. least privilege
C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It's a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an internet service provider after it receives a notification of infringement claim from a copyright holder? A. Storage of information by a customer on a provider's server. B. Caching of information by the provider. C. Transmission of information over the provider's network by a customer. D. Caching of information in a provider search engine.
C. Transmission of information over the provider's network by a customer. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. Storage and caching are considered non-transitory actions that require remediation by the provider.
Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multi-factor authentication? A. username B. PIN C. Security question D. Fingerprint scan
D. A fingerprint scan is an example of a 'something you are' factor, which would be appropriate for pairing with a 'something you know' password to achieve MFA. A username is not an authentication factor. PINs and security questions are both 'something you know' and wouldn't achieve MFA when paired with another 'something you know' factor; same factor.
What type of audit will ensure that an external SaaS email vendor's BCP measures are reasonable? A. SOC 1 B. FISMA C. PCI DSS D. SOC 2
D. The Service Organization Control (SOC) audit program includes BCP/availability controls in SOC 2 but not in SOC 1, which covers controls relevant to financial reporting.
ABC determines an area being considered for their HQ lies within a 100-year flood plain. What is the ARO of a flood in this area? A. 100 B. 1 C. .1 D. .01
D. The annualized rate of occurrence ARO is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years or .01 times per year.
Which of the following technologies is most likely to trigger regulations associated with export control laws compliance? A. memory chips B. office productivity apps C. hard drives D. encryption software
D. The export of encryption software to certain countries is regulated under US export control laws.
war driving
The process of using detection tools to find wireless networks.
Separation of Duties
The security concept in which critical, significant, and sensitive work tasks are divided amongst several individuals.
NIST Risk Management Framework
1. CATEGORIZE Information System 2. SELECT Security Controls 3. IMPLEMENT Security Controls 4. ASSESS Security Controls 5. AUTHORIZE Information System 6. MONITOR Security Controls
Which one of the following is used as an authorization tool? A. ACL B. token C. username D. password
A. Access control lists (ACLs) are used for determining a user's authorization level. Usernames are identification tools, and passwords and tokens are authentication tools.
What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA? A. 13 B. 15 C. 17 D. 18
A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
A DR facility for data processing that includes HVAC, power, and communications circuits but no hardware is what type of facility? A. Cold site B. Warm site C. Hot site D. Mobile site
A. Cold site - includes the basic capabilities required for data center operations: space, power, HVAC, and communications. It doesn't include any hardware to restore operations.
Which of the following is not normally addressed in an SLA? A. confidentiality of customer information B. failover time C. uptime D. maximum consecutive downtime
A. Confidentiality of customer info. Those provisions are normally included in an NDA.
A US law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis. A. GLBA B. PCI DSS C. HIPAA D. SOX
A. GLBA
Which one of the following laws applies to privacy issues relating to customer checking accounts? A. GLBA B. SOX C. HIPAA D. FERPA
A. Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
Requirement: Historical records on a server that should never be modified. Add an integrity control that allows you to verify that files were not modified. What control can you add? A. hashing B. ACLs C. read-only attributes D. firewalls
A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes may prevent unauthorized modification, but they can't verify that files were not modified. Firewalls are network security controls and do not verify file integrity.
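The following is an added example (it is not part of the flashcard set) showing the hashing control described above in practice: a baseline of SHA-256 hashes is recorded for the historical records, and a later verification run reports files that were modified, removed, or added. The file names and contents are constructed for the demo; in a real deployment the baseline would be stored (or signed) somewhere the file server itself cannot alter.

```python
"""Added example (not from the flashcard set): verify that archived files were
not modified by comparing SHA-256 hashes against a stored baseline.
Sample files are constructed inline in a temporary directory."""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path):
    """Hash a file in chunks so large records never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record a hash for every regular file (relative path -> hex digest)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Return (modified, missing, added) relative paths compared with the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


def demo():
    """Constructed scenario: baseline two records, tamper with one, then delete the other."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "ledger-2019.txt"), "w") as f:
            f.write("2019-01-03 invoice 1001 paid\n")
        with open(os.path.join(root, "ledger-2020.txt"), "w") as f:
            f.write("2020-02-07 invoice 1002 paid\n")
        baseline = build_baseline(root)
        # The baseline must live somewhere the server cannot rewrite (for example a
        # signed manifest kept off-box); here it is just serialised to a string.
        stored = json.dumps(baseline, sort_keys=True)
        clean = verify(root, json.loads(stored))
        # Simulate an unauthorized edit to a historical record.
        with open(os.path.join(root, "ledger-2019.txt"), "a") as f:
            f.write("2019-01-04 invoice 1001 reversed\n")
        tampered = verify(root, json.loads(stored))
        # Simulate a record being removed.
        os.remove(os.path.join(root, "ledger-2020.txt"))
        removed = verify(root, json.loads(stored))
        return clean, tampered, removed


if __name__ == "__main__":
    clean, tampered, removed = demo()
    print("clean:", clean)
    print("after edit:", tampered)
    print("after delete:", removed)
```

Note that read-only attributes or ACLs could be layered on top to make the modification harder, but only the hash comparison tells you after the fact whether a file actually changed.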
Implementing a new student info system and testing code to ensure that students are not able to alter their own grades. What InfoSec principle is being enforced? A. integrity B. availability C. confidentiality D. denial
A. Integrity controls are designed to prevent unauthorized modification of information.
Error message on computer: Your personal files are encrypted. Enter a method of payment to retrieve them. What type of attack has occurred? A. availability B. confidentiality C. disclosure D. distributed
A. It's an example of ransomware, which encrypts the contents of a computer to prevent legitimate usage. This is an example of an availability attack.
What InfoSec principle is a keylogger most likely designed to disrupt? A. Confidentiality B. Integrity C. Availability D. Denial
A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.
Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws? A. student identification number B. social security number C. Driver's license number D. credit card number
A. Most state data breach notification laws are modeled after California's law, which covers SSNs, driver's license numbers, state ID card numbers, credit/debit card numbers, bank account numbers and PINs, medical records, and health insurance information.
What type of IP protection prevents against unauthorized use of the manufacturing process for microprocessors? A. patent B. trade secret C. copyright D. trademark
A. Patents and trade secrets can both protect IP related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization.
What law applies to information systems involved in contracts to conduct sponsored research as a government contractor? A. FISMA B. PCI DSS C. HIPAA D. GISRA
A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in 11/2002. HIPAA and PCI DSS apply to healthcare and credit card info, respectively.
What government agency is responsible for the evaluation and registration of trademarks? A. USPTO B. Library of Congress C. TVA D. NIST
A. The US Patent and Trademark Office (USPTO) is responsible for registration of trademarks.
Which of the following is responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. data custodian B. data owner C. user D. auditor
A. The data custodian is responsible for implementing the security controls defined by policy and senior management. The data owner bears ultimate responsibility for these tasks but is typically a senior leader who delegates operational responsibility to the data custodian.
Which one of the following components should be included in an org's emergency response guidelines? A. list of individuals who should be notified of an emergency incident B. long-term business continuity protocols C. activation procedures for the org's cold sites D. contact info for ordering equipment
A. The emergency response guidelines should include the immediate steps an org should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They don't include long-term actions, such as activating business continuity protocols, ordering equipment, or activating DR sites.
What is the missing step in the NIST risk management framework? 1. Categorize Information Systems 2. Select security controls 3. Implement security controls 4. 5. Authorize Information Systems 6. Monitor Security controls A. Assess security controls B. Determine control gaps C. Remediate control gaps D. Evaluate user activity
A. The fourth step of the NIST risk management framework is Assessing security controls
ABC's risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one here (probability on the vertical axis, impact on the horizontal axis; quadrant II is top left, I is top right, III is bottom left, and IV is bottom right). Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV
A. These are the risks with a high probability of occurrence and a high impact on the org if so.
What type of protection would not apply to software IP? A. trademark B. copyright C. patent D. trade secret
A. Trademarks protect words and images that represent a product or service and would not protect software.
Which one of the following would not be automatically subject to the terms of HIPAA if they engage in electronic transactions? A. healthcare provider B. health and fitness app developer C. health information clearinghouse D. health insurance plan
B. A health and fitness app developer wouldn't necessarily be collecting or processing healthcare data. HIPAA regulates: healthcare providers, health information clearinghouses, and health insurance plans and their business associates.
Who is the ideal person to approve an org's BCP? A. CIO B. CEO C. CISO D. COO
B. Although the CEO would not normally serve on a BCP team, it's best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.
Which of the following is an example of an administrative control? A. IDS (Intrusion Detection System) B. security awareness training C. firewalls D. security guards
B. Awareness training is an administrative control. Firewalls and IDS are technical controls. Security guards are physical controls.
What type of document provides configuration information regarding the minimum level of security that every system in an organization must meet? A. policy B. baseline C. guideline D. procedure
B. Baselines provide the minimum level of security that every system throughout the organization must meet.
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the info from the database, but he can't do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What's the best option? A. purchasing insurance B. encrypting the database contents C. removing the data D. objecting to the exception
B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The org has already made a policy exception, so he shouldn't react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
What law requires financial institutions to send privacy notices to account holders? A. FERPA B. GLBA C. HIPAA D. HITECH
B. Gramm-Leach-Bliley Act GLBA places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.
Which framework is widely accepted around the world and focuses specifically on InfoSec controls? A. ITIL B. ISO 27002 C. CMM D. PMBOK Guide
B. ISO 27002 is an international standard focused on InfoSec and titled 'Information technology - Security techniques - Code of practice for information security controls'. ITIL does contain security management practices, but security is not the sole focus of the doc, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
An industry standard that covers orgs that handle credit cards. A. GLBA B. PCI DSS C. HIPAA D. SOX
B. PCI DSS
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence? A. quantitative B. qualitative C. annualized loss expectancy D. reduction
B. Qualitative tools are often used in business impact assessments to capture the impact on intangible factors, such as customer confidence, employee morale, and reputation.
Which one of the following actions might be taken as part of a BCP? A. restoring from backup tapes B. implementing RAID C. relocating to a cold site D. restarting business operations
B. RAID provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all DR actions.
A company is concerned that an accountant may be able to create a 'false' vendor and issue it fraudulent checks. What security control can help prevent this? A. mandatory vacation B. separation of duties C. Defense in Depth D. job rotation
B. The separation of duties principle states that critical tasks are divided into discrete components so that no one person has the ability to perform multiple types of tasks: 'checks and balances'.
Which organizations are most likely to be covered by the provisions of FISMA? A. banks B. defense contractors C. school districts D. hospitals
B. The Federal Information Security Management Act applies to federal government agencies and contractors.
What law serves as the basis for privacy rights in the US? A. Privacy Act of 1974 B. Fourth Amendment C. Fifth Amendment D. Electronic Communications Privacy Act of 1986
B. The Fourth Amendment directly prohibits government agents from searching private property without a warrant and probable cause. Courts have expanded its interpretation to include protections against other invasions of privacy.
What standard provides guidelines for securing credit card systems? A. HIPAA B. PCI DSS C. SOX D. GLBA
B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card info.
Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst B. CIO C. Manager of network security D. President and CEO
B. The owner of InfoSec programs may be different from the individual responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. A CEO is unlikely to have the time to focus on security.
What IP protection guards against theft and republishing e-commerce/website content? A. trade secret B. copyright C. trademark D. patent
B. Written works, such as website content, are normally protected by copyright law. Trade secret doesn't apply because content is available outside the company; online. Patents protect inventions, and trademarks protect words and symbols used to represent a brand.
What InfoSec principle enforces the classification of data in an attempt to apply extra security controls that will limit the likelihood of a data breach? A. Availability B. Denial C. Confidentiality D. Integrity
C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.
What principle of InfoSec states that an org should implement overlapping security controls whenever possible? A. least privilege B. separation of duties C. Defense in Depth D. Security through Obscurity
C. Defense in Depth states that orgs should have overlapping security controls designed to meet the same security objectives whenever possible. This provides security in the event of a single control failure.
Which InfoSec goal is impacted when an organization experiences a DoS or DDoS attack? A. Confidentiality B. Integrity C. Availability D. Denial
C. Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.
Which one of the following is not normally considered a business continuity task? A. Business impact assessment B. Emergency response guidelines C. Electronic vaulting D. Vital records program
C. Electronic vaulting is a data backup task that is part of DR; not business continuity.
Who should receive initial BCP training in an organization? A. senior executives B. those with specific business continuity roles C. everyone in the organization D. first responders
C. Everyone in the organization should receive a basic awareness training for the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.
A US law that provides data privacy and security requirements for medical info. A. GLBA B. PCI DSS C. HIPAA D. SOX
C. HIPAA
What tool is used for threat modeling and decomposes the system into key elements via a flow chart? A. vulnerability assessment B. fuzzing C. reduction analysis D. data modeling
C. In reduction analysis, the security professional breaks the system down into 5 key elements: trust boundaries, data flow paths, input points, privileged ops, and details about security controls.
Which one of the following agreements typically requires a vendor not disclose confidential info learned during the scope of an engagement? A. NCA B. SLA C. NDA D. RTO
C. NDAs typically require either mutual or one-way confidentiality in a business relationship. SLAs specify service uptime and other performance measures. Non-compete agreements (NCAs) limit future employment possibilities of employees. Recovery time objectives (RTOs) are used in BCP.
What is the minimum # of physical hard disks needed to build a RAID 5 system? A. 1 B. 2 C. 3 D. 5
C. RAID 5 is disk striping with parity and requires a minimum of 3 hard disks to operate.
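The following is an added example (not part of the flashcard set) that shows why the minimum is three disks. Each stripe holds n-1 data blocks plus one parity block that is the XOR of those data blocks, with the parity position rotating across disks; when any single disk fails, every block on it is recovered by XOR-ing the surviving blocks of the same stripe. Disks are simulated as lists of byte strings and the payload is constructed for the demo.

```python
"""Added example (not from the flashcard set): RAID 5 striping with rotating
XOR parity, simulated in memory. With 3 disks each stripe is 2 data blocks
plus 1 parity block; losing any one disk leaves enough to rebuild it."""

BLOCK = 4  # bytes per block; tiny so the stripes are readable


def xor_blocks(blocks):
    """XOR an iterable of equal-length byte strings."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks):
    """Split data into stripes; return n_disks lists of blocks with rotating parity."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks: 2 data + 1 parity per stripe")
    data_per_stripe = n_disks - 1
    stripe_bytes = BLOCK * data_per_stripe
    data = data + b"\0" * (-len(data) % stripe_bytes)  # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // stripe_bytes):
        chunk = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(data_per_stripe)]
        parity_disk = s % n_disks  # rotate parity so no single disk is a hot spot
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(blocks) if d == parity_disk else next(it))
    return disks


def raid5_rebuild(disks, failed):
    """Recreate the failed disk: each of its blocks is the XOR of the other disks' blocks."""
    stripes = len(next(d for i, d in enumerate(disks) if i != failed))
    rebuilt = []
    for s in range(stripes):
        rebuilt.append(xor_blocks(disks[d][s] for d in range(len(disks)) if d != failed))
    return rebuilt


def raid5_read(disks):
    """Reassemble the (padded) data, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        out += b"".join(disks[d][s] for d in range(n_disks) if d != parity_disk)
    return out


def demo():
    """Constructed payload: write to 3 disks, lose disk 1, rebuild, and confirm the data survives."""
    payload = b"historical records must survive one disk failure"
    disks = raid5_write(payload, 3)
    survivors = list(disks)
    survivors[1] = raid5_rebuild(disks, failed=1)
    return survivors[1] == disks[1] and raid5_read(survivors).rstrip(b"\0") == payload


if __name__ == "__main__":
    print("rebuilt disk matches and data intact:", demo())
```

Two disks cannot do this: with one data block and one parity block per stripe the parity is just a copy of the data, which is mirroring (RAID 1), not striping with parity. Note also that the parity only survives a single failure; a second disk lost before the rebuild completes means data loss.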
What type of risk management strategy involves implementing an intrusion prevention system to block common network attacks from affecting an organization? A. risk acceptance B. risk avoidance C. risk mitigation D. risk transference
C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. IPS attempt to reduce the probability of a successful attack and are examples of risk mitigation.
A federal agency announces a new administrative law that will impact business operations. Where can the text of the law be found? A. US Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws
C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The US Code contains criminal and civil law. Compendium of Laws doesn't exist.
What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act? A. $500 B. $2,500 C. $5,000 D. $10,000
C. The Computer Fraud and Abuse Act (CFAA) makes it a federal crime to maliciously cause damage in excess of $5,000 to a federal computer system during any one-year period.
In 1991, the Federal Sentencing Guidelines formalized a rule that requires senior execs to take personal responsibility for information security matters. What is the name of this rule? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule
C. The prudent man rule requires that senior execs take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. It was originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability
C. The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
Which one of the following stakeholders is not typically included on a BCP team? A. core business function leaders B. Info Tech staff C. CEO D. support departments
C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role.
When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. identify vulnerabilities in each asset B. determine the risks facing the asset C. develop a value for each asset D. identify threats facing each asset
C. develop a value for each asset
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator? A. password B. retinal scan C. username D. token
C. Usernames are an identification tool. They are not secret, so they are not suitable for use as an authenticator.
An employee is conducting a risk assessment for an organization and is attempting to assign an asset value to the servers in the data center. The organization's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which of the following asset valuation methods would be most appropriate? A. purchase cost B. depreciated cost C. replacement cost D. opportunity cost
C. If the organization's primary concern is the cost of rebuilding the data center, the replacement cost method should be used to determine the current market price for equivalent servers.
ABC decided to stop offering public NTP services because of fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did ABC implement? A. Risk Mitigation B. Risk Acceptance C. Risk Transference D. Risk Avoidance
D. ABC stopped the offering because of the risk, which is a risk avoidance strategy. It eliminated the risk of NTP misuse.
Which of the following actions is not normally part of the project scope and planning phase of BCP? A. Structured analysis of the org B. Review of the legal and regulatory landscape C. Creation of a BCP team D. Documentation of the plan
D. BCP project scope and planning phase includes 4 actions: a structured analysis of the org, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.
Tony is developing a BCP and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment D. Combination of quantitative and qualitative risk assessment
D. Combine elements of quantitative and qualitative risk assessments. Quantitative RA's excel at analyzing financial risk, while qualitative RA's are a good tool for intangible risks. Combining the two would account for both types of assets.
What is the final step of a quantitative risk analysis? A. Determine asset value. B. Assess the annualized rate of occurrence. C. Derive the annualized loss expectancy. D. Conduct a cost/benefit analysis.
D. Conduct a cost/benefit analysis.
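The following is an added example (not part of the flashcard set) that carries the quantitative risk analysis steps through to the final cost/benefit step, reusing the 100-year flood plain figure (ARO = 0.01) from the earlier card. The asset value, exposure factors, and safeguard costs are constructed assumptions chosen only to illustrate the arithmetic.

```python
"""Added example (not from the flashcard set): quantitative risk analysis
from asset value through ARO, SLE, ALE, and a cost/benefit ranking of
candidate safeguards. All dollar figures and exposure factors are
constructed assumptions."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF: the loss expected from one occurrence of the risk."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO: the loss expected per year."""
    return sle * aro


def safeguard_value(ale_before, ale_after, annual_cost_of_safeguard):
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control pays for itself; negative suggests accepting the risk
    or looking for a cheaper control."""
    return ale_before - ale_after - annual_cost_of_safeguard


def evaluate(asset_value, exposure_factor, aro, safeguards):
    """Return (current ALE, safeguards ranked by value).

    Each safeguard is (name, residual exposure factor after the control, annual cost).
    A residual exposure factor of 0.0 means the control eliminates the loss entirely."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    results = []
    for name, residual_ef, cost in safeguards:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, residual_ef), aro)
        results.append((name, round(safeguard_value(ale, ale_after, cost), 2)))
    return ale, sorted(results, key=lambda r: r[1], reverse=True)


def flood_plain_demo():
    """Constructed scenario: HQ worth $10M in a 100-year flood plain, a flood destroys 40%."""
    aro = 1 / 100  # one flood expected every 100 years
    safeguards = [
        ("flood barriers", 0.10, 20_000),     # cuts the loss to 10%, $20k/yr upkeep
        ("relocate HQ", 0.0, 250_000),        # removes the risk, $250k/yr extra rent
        ("sandbags on demand", 0.35, 1_000),  # marginal reduction, very cheap
    ]
    return evaluate(10_000_000, 0.40, aro, safeguards)


if __name__ == "__main__":
    ale, ranked = flood_plain_demo()
    print(f"current ALE: ${ale:,.0f}")
    for name, value in ranked:
        print(f"{name:20s} annual value of safeguard: ${value:,.0f}")
```

With these assumptions the SLE is $4M and the ALE is $40k per year, so relocating at $250k per year is a losing proposition even though it eliminates the risk, while the barriers come out ahead of the sandbags despite costing twenty times more.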
What US government agency is responsible for administering the terms of privacy shield agreements between the EU and the US under EU GDPR? A. Department of Defense B. Department of the Treasury C. State Department D. Department of Commerce
D. Department of Commerce. Privacy Shield replaced an earlier framework known as Safe Harbor, which was ruled insufficient in the wake of the NSA surveillance disclosures. Privacy Shield was itself later invalidated by the EU Court of Justice (Schrems II, 2020) and succeeded by the EU-US Data Privacy Framework, also administered by the Department of Commerce.
Which one of the steps is most important to coordinate in time with a meeting to terminate an employee? A. informing other employees of the termination B. retrieving the employee's photo ID C. calculating the final paycheck D. revoking electronic access rights
D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action.
Which one of the following is an example of physical infrastructure hardening? A. antivirus software B. hardware-based network firewall C. TFA D. fire suppression system
D. Fire suppression systems protect infrastructure from physical damage. Along with UPS, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and TFA are examples of logical controls.
What risk management strategy involves evaluating risk and determining that the cost of responding outweighs the benefits of implementing any of the controls resulting in the company taking no action at this time? A. risk avoidance B. risk mitigation C. risk transference D. risk acceptance
D. In a risk acceptance strategy, the org decides that taking no action is the most beneficial route to managing a risk.
An attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with admin rights. What type of attack took place under the STRIDE threat model? A. spoofing B. repudiation C. tampering D. elevation of privilege
D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
From a risk management perspective, what metric would be lowered by enabling an application firewall, designed to block many types of app attacks? A. impact B. RPO C. MTO D. likelihood
D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
Implementing a new website architecture that uses multiple small web servers behind a load balancer is enforcement of what InfoSec principle? A. Denial B. Confidentiality C. Integrity D. Availability
D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available for users.
Which of the following controls provides for protection against an employee transferring money to a personal account and shifting funds around between other accounts every day to disguise the fraud? A. separation of duties B. least privilege C. Defense in depth D. Mandatory vacation
D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time, in an attempt to expose cover-ups. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.
Design a messaging system for a bank that includes a feature that allows the recipient of a message to prove to a 3rd party that the message did, indeed, come from the purported originator. What goal will this achieve? A. Authentication B. Authorization C. Integrity D. Nonrepudiation
D. Nonrepudiation allows a recipient to prove to a 3rd party that a message came from a purported source. Authentication would provide proof that the sender was authentic but would not prove it to a 3rd party.
Which one of the following is not an example of a technical control? A. router ACL B. firewall rule C. encryption D. data classification
D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.
A US law that requires internal controls assessments, including IT transaction flows, for publicly traded companies. A. GLBA B. PCI DSS C. HIPAA D. SOX
D. SOX
Which of the following is not one of the three common threat modeling techniques? A. Focused on assets B. Focused on attackers C. Focused on software D. Focused on social engineering
D. Social engineering is a subset of the attacker-focused approach.
Which one of the following is not a goal of a formal change management program? A. implement change in an orderly fashion B. test changes prior to implementation C. provide rollback plans for changes D. inform stakeholders of changes after they occur
D. Stakeholders should be informed of changes before, not after, they occur. The other items are goals of change management programs.
What type of security plan has a 3- to 5-year planning horizon? A. operational B. tactical C. summary D. strategic
D. Strategic plan horizons are up to 5 years. Operational and tactical plans are 1 year or less.
The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. To what agency did the act give this responsibility? A. NSA B. FCC C. DOD D. NIST
D. The Computer Security Act of 1987 gave NIST the responsibility for developing standards and guidelines for federal computer systems. NIST draws upon the technical advice and assistance from the NSA, where appropriate.
What law provides IP protection to the holders of trade secrets? A. Copyright Law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act
D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation.
What type of IP protection is used for logos? A. copyright B. patent C. trade secret D. trademark
D. Trademark protection extends to words and symbols used to represent an organization, product, or service.
You're completing your BCP and have decided to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a DR plan. C. Repeat the business impact assessment. D. Document your decision-making process.
D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a DR plan, or repeating the business impact analysis.
A user on your network has been using Wireshark for illicit purposes. What pillar of InfoSec has been violated? A. Integrity B. Denial C. Availability D. Confidentiality
D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.
Principle of Least Privilege
In a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.