Review
Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance? A. Committee of Sponsoring Organizations of the Treadway Commission (COSO) B. BIBA C. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) D. CCTA Risk Analysis and Management Method (CRAMM)
A
Which of the following is more suitable for a hardware implementation? a. Stream ciphers b. Block ciphers c. Cipher block chaining d. Electronic code book
A
Which of the following services is NOT provided by the digital signature standard (DSS)? a. Encryption b. Integrity c. Digital signature d. Authentication
A
According to the Orange Book, which security level is the first to require a system to protect against covert timing channels? a. A1 b. B3 c. B2 d. B1
B
Which of the following could elicit a Denial of Service (DoS) attack against a credential management system? A. Delayed revocation or destruction of credentials B. Modification of Certificate Revocation List C. Unauthorized renewal or re-issuance D. Token use after decommissioning
B
Which of the following is not a property of the Rijndael block cipher algorithm? a. It employs a round transformation that is comprised of three layers of distinct and invertible transformations. b. It is suited for high speed chips with no area restrictions. c. It operates on 64-bit plaintext blocks and uses a 128 bit key. d. It could be used on a smart card.
C
Which standard below does NOT specify fiber optic cabling as its physical media? A. 1000BaseSX B. 100BaseFX C. 1000BaseCX D. 1000BaseLX
C
Which UTP cable category is rated for 16 Mbps? A. Category 6 B. Category 5 C. Category 7 D. Category 4
D
Behavioral-based systems are also known as? A. Profile-based systems B. Pattern matching systems C. Misuse detective systems D. Rule-based IDS
A
ICMP and IGMP belong to which layer of the OSI model? A. Datagram Layer. B. Network Layer. C. Transport Layer. D. Data Link Layer.
B
In a SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session? A. Both client and server B. The client's browser C. The web server D. The merchant's Certificate Server
B
Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements? A. Validation B. Verification C. Assessment D. Accuracy
B
Which of the following technologies has been developed to support TCP/IP networking over low-speed serial interfaces? A. ISDN B. SLIP C. xDSL D. T1
B
At what Orange Book evaluation levels are design specification and verification FIRST required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
C
During which phase of an IT system life cycle are security requirements developed? a. Operation b. Initiation c. Functional design analysis and Planning d. Implementation
C
Which of the following backup methods is most appropriate for off-site archiving? A. Incremental backup method B. Off-site backup method C. Full backup method D. Differential backup method
C
Which of the following would best define a digital envelope? a. A message that is encrypted and signed with a digital certificate. b. A message that is signed with a secret key and encrypted with the sender's private key. c. A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver. d. A message that is encrypted with the recipient's public key and signed with the sender's private key.
C
Alternate encoding such as hexadecimal representations is MOST often observed in which of the following forms of attack? A. Smurf B. Rootkit exploit C. Denial of Service (DoS) D. Cross site scripting (XSS)
D
An associative memory operates in which one of the following ways? A. Searches for a specific data value in memory B. Uses indirect addressing only C. Returns values stored in a memory address location specified in the CPU address register D. Searches for values in memory exceeding a specified value
A
An incremental backup process A. Backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0. B. Backs up the files that been modified since the last full backup. It does not change the archive bit value. C. Backs up all the data and changes the archive bit to 0. D. Backs up all the data and changes the archive bit to 1.
A
Cryptography does NOT concern itself with which of the following choices? a. Availability b. Integrity c. Confidentiality d. Validation
A
In IPSec, if the communication is to be gateway-to-gateway or host-to-gateway: A. Tunnel mode of operation is required B. Only transport mode can be used C. Encapsulating Security Payload (ESP) authentication must be used D. Both tunnel and transport mode can be used
A
Individual privacy rights as defined in the HIPAA Privacy Rule include consent and authorization by the patient for the release of PHI. The difference between consent and authorization as used in the Privacy Rule is: A. Consent grants general permission to use or disclose PHI, and authorization limits permission to the purposes and the parties specified in the authorization. B. Consent grants general permission to use or disclose PHI, and authorization limits permission to the purposes specified in the authorization. C. Authorization grants general permission to use or disclose PHI, and consent limits permission to the purposes and the parties specified in the consent. D. Consent grants general permission to use or disclose PHI, and authorization limits permission to the parties specified in the authorization.
A
Qualitative loss resulting from the business interruption does NOT usually include: A. Loss of revenue B. Loss of competitive advantage or market share C. Loss of public confidence and credibility D. Loss of market leadership
A
Risk analysis is MOST useful when applied during which phase of the system development process? A. Project initiation and Planning B. Functional Requirements definition C. System Design Specification D. Development and Implementation
A
The end result of implementing the principle of least privilege means which of the following? A. Users would get access to only the info for which they have a need to know B. Users can access all systems. C. Users get new privileges added when they change positions. D. Authorization creep.
A
What is a hot-site facility? A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS. B. A site in which space is reserved with pre-installed wiring and raised floors. C. A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS. D. A site with readymade work space with telecommunications equipment, LANs, PCs, and terminals for work groups.
A
When you update records in multiple locations or you make a copy of the whole database at a remote location as a way to achieve the proper level of fault tolerance and redundancy, it is known as? A. Shadowing B. Data mirroring C. Backup D. Archiving
A
Which book of the Rainbow series addresses the Trusted Network Interpretation (TNI)? A. Red Book B. Purple Book C. Orange Book D. Green Book
A
Which choice below is the BEST definition of advisory policies? A. Non-mandated policies, but strongly suggested B. Mandatory policies implemented as a consequence of legal action C. Policies implemented due to public regulation D. Policies implemented for compliance reasons
A
Which choice describes the Forest Green Book? A. It is a Rainbow series book that defines the secure handling of storage media. B. It is a Rainbow series book that defines guidelines for implementing access control lists. C. It does not exist; there is no Forest Green Book. D. It is a tool that assists vendors in data gathering for certifiers.
A
Which element of Configuration Management listed below involves the use of Configuration Items (CIs)? A. Configuration Identification B. Configuration Control C. Configuration Audit D. Configuration Accounting
A
Which of the following BEST describes a function relying on a shared secret key that is used along with a hashing algorithm to verify the integrity of the communication content as well as the sender? a. Message Authentication Code - MAC b. PAM - Pluggable Authentication Module c. NAM - Negative Acknowledgement Message d. Digital Signature Certificate
A
Which of the following best describes what would be expected at a "hot site"? A. Computers, climate control, cables and peripherals B. Computers and peripherals C. Computers and dedicated climate control systems. D. Dedicated climate control systems
A
Which of the following ensures that security is NOT breached when a system crash or other system failure occurs? A. Trusted recovery B. Hot swappable C. Redundancy D. Secure boot
A
Which of the following is NOT a media viability control used to protect the viability of data storage media? A. clearing B. marking C. handling D. storage
A
Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) as unacceptable and unethical activity? A. uses a computer to steal B. destroys the integrity of computer-based information C. wastes resources such as people, capacity and computers through such actions D. involves negligence in the conduct of Internet-wide experiments
A
Which of the following is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet? a. Secure Electronic Transaction (SET) b. MONDEX c. Secure Shell (SSH-2) d. Secure Hypertext Transfer Protocol (S-HTTP)
A
Which of the following is an advantage of a qualitative over a quantitative risk analysis? A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. B. It provides specific quantifiable measurements of the magnitude of the impacts. C. It makes a cost-benefit analysis of recommended controls easier. D. It can easily be automated.
A
Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)? A. Access to and use of the Internet is a privilege and should be treated as such by all users of the systems. B. Users should execute responsibilities in a manner consistent with the highest standards of their profession. C. There must not be personal data record-keeping systems whose very existence is secret. D. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another
A
Which of the following protocols that provide integrity and authentication for IPSec, can also provide non-repudiation in IPSec? a. Authentication Header (AH) b. Encapsulating Security Payload (ESP) c. Secure Sockets Layer (SSL) d. Secure Shell (SSH-2)
A
Which of the following statements is NOT true of IPSec Transport mode? A. It is required for gateways providing access to internal systems B. Set-up when end-point is host or communications terminates at end-points C. If used in gateway-to-host communication, gateway must act as host D. When ESP is used for the security protocol, the hash is only applied to the upper layer protocols contained in the packet
A
Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)? A. Notifying senior management of the start of the assessment. B. Creating data gathering techniques. C. Identifying critical business functions. D. Calculating the risk for each different business function.
A
Which of the following would BEST classify as a management control? A. Review of security controls B. Personnel security C. Physical and environmental protection D. Documentation
A
Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment? A. A baseline B. A standard C. A procedure D. A guideline
A
The Linux root user password is typically kept in where?(Choose two) A. etc/shadow B. cmd/passwd C. etc/passwd D. windows/system32 E. var/sys F. var/password
AC
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization's Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access. Which of the following methods is the MOST effective way of removing the Peer-to-Peer (P2P) program from the computer? A. Run software uninstall B. Re-image the computer C. Find and remove all installation files D. Delete all cookies stored in the web browser cache
B
In which phase of the System Development Lifecycle (SDLC) is Security Accreditation Obtained? a. Functional Requirements Phase b. Testing and evaluation control c. Acceptance Phase d. Postinstallation Phase
B
PGP uses which of the following to encrypt data? a. An asymmetric encryption algorithm b. A symmetric encryption algorithm c. A symmetric key distribution system d. An X.509 digital certificate
B
Regarding codes of ethics covered within the ISC2 CBK, within which of them is the phrase "Discourage unsafe practice" found? A. Computer Ethics Institute commandments B. (ISC)2 Code of Ethics C. Internet Activities Board's Ethics and the Internet (RFC1087) D. CIAC Guidelines
B
The Orange Book requires auditing mechanisms for any systems evaluated at which of the following levels? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
B
The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using A. INSERT and DELETE. B. GRANT and REVOKE. C. PUBLIC and PRIVATE. D. ROLLBACK and TERMINATE.
B
The equation y 2 = x3 + ax + b, denotes the: A. RSA Factoring problem B. Elliptic curve and the elliptic curve discrete logarithm problem C. ElGamal discrete logarithm problem D. Knapsack problem
B
The modes of DES do NOT include: A. Output Feedback. B. Variable Block Feedback. C. Electronic Code Book. D. Cipher Block Chaining.
B
The principles of Notice, Choice, Access, Security, and Enforcement refer to which of the following? A. Nonrepudiaton B. Privacy C. Authorization D. Authentication
B
There are more than 20 books in the Rainbow Series. Which of the following covers password management guidelines? A. Orange Book B. Green Book C. Red Book D. Lavender Book
B
This type of supporting evidence is used to help prove an idea or a point, however it cannot stand on its own, it is used as a supplementary tool to help prove a primary piece of evidence. What is the name of this type of evidence? A. Circumstantial evidence B. Corroborative evidence C. Opinion evidence D. Secondary evidence
B
What is the correct sequence which enables an authorized agency to use the Law Enforcement Access Field (LEAF) to decrypt a message sent by using the Clipper Chip? The following designations are used for the respective keys involved Kf, the family key; Ks, the session key; U, a unique identifier for each Clipper Chip and Ku, the unit key that is unique to each Clipper Chip. A. Decrypt the LEAF with the family key, Kf; recover U; obtain a court order to obtain Ks, the session key. Use the session key to decrypt the message. B. Decrypt the LEAF with the family key, Kf; recover U; obtain a court order to obtain the two halves of Ku; recover Ku; and then recover Ks, the session key. Use the session key to decrypt the message. C. Obtain a court order to acquire the family key, Kf; recover U and Ku; then recover Ks, the session key. Use the session key to decrypt the message. D. Obtain a court order to acquire the two halves of Ku, the unit key. Recover Ku. Decrypt the LEAF with Ku and then recover Ks, the session key. Use the session key to decrypt the message.
B
What is the key size of the International Data Encryption Algorithm (IDEA)? a. 64 bits b. 128 bits c. 160 bits d. 192 bits
B
Which choice below MOST accurately describes a Covert Storage Channel? A. A process that manipulates observable system resources in a way that affects response time B. An information transfer that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process C. A communication channel that allows a process to transfer information in a manner that violates the systems security policy D. An information transfer path within a system
B
Which division of the Orange Book deals with discretionary protection (need-to-know)? A. D B. C C. B D. A
B
Which of the following Orange Book ratings represents the highest level of trust? A. B1 B. B2 C. F6 D. C2
B
Which of the following best describes the Secure Electronic Transaction (SET) protocol? A. Originated by VISA and MasterCard as an Internet credit card protocol using Message Authentication Code. B. Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport layer. D. Originated by VISA and American Express as an Internet credit card protocol using SSL.
B
Which of the following determines that the product developed meets the projects goals? A. verification B. validation C. concurrence D. accuracy
B
Which of the following is NOT true about IPSec Tunnel mode? A. Fundamentally an IP tunnel with encryption and authentication B. Works at the Transport layer of the OSI model C. Have two sets of IP headers D. Established for gateway service
B
Which of the following is TRUE about digital certificate? a. It is the same as digital signature proving Integrity and Authenticity of the data b. Electronic credential proving that the person the certificate was issued to is who they claim to be. c. You can only get digital certificate from Verisign, RSA if you wish to prove the key belong to a specific user. d. Can't contain geography data such as country for example.
B
Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations? A. The Computer Security Act of 1987. B. The Federal Sentencing Guidelines of 1991. C. The Economic Espionage Act of 1996. D. The Computer Fraud and Abuse Act of 1986.
B
Which of the following statements pertaining to Secure Sockets Layer (SSL) is FALSE? a. The SSL protocol was developed by Netscape to secure Internet client-server transactions. b. The SSL protocol's primary use is to authenticate the client to the server using public key cryptography and digital certificates. c. Web pages using the SSL protocol start with HTTPS d. SSL can be used with applications such as Telnet, FTP and email protocols.
B
Which of the following was developed in order to protect against fraud in electronic fund transfers (EFT) by ensuring the message comes from its claimed originator and that it has not been altered in transmission? a. Secure Electronic Transaction (SET) b. Message Authentication Code (MAC) c. Cyclic Redundancy Check (CRC) d. Secure Hash Standard (SHS)
B
An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles. Which of the following will indicate where the IT budget is BEST allocated during this time? A. Policies B. Frameworks C. Metrics D. Guidelines
C
Convert Channel Analysis, Trusted Facility Management, and Trusted Recovery are parts of which book in the TCSEC Rainbow Series? A. Red Book B. Dark Green Book C. Orange Book D. Green Book
C
Fault tolerance countermeasures are designed to combat threats to which of the following? A. an uninterruptible power supply. B. backup and retention capability. C. design reliability. D. data integrity.
C
Frame relay and X.25 networks are part of which of the following? A. Circuit-switched services B. Cell-switched services C. Packet-switched services D. Dedicated digital services
C
In an object-oriented system, polymorphism denotes: A. Objects of many different classes that are unrelated but respond to some common set of operations in the same way. B. Objects of many different classes that are related by some common superclass; thus, all objects denoted by this name can respond to some common set of operations in identical fashion. C. Objects of many different classes that are related by some common superclass; thus, any object denoted by this name can respond to some common set of operations in a different way. D. Objects of the same class; thus, any object denoted by this name can respond to some common set of operations in the same way.
C
Keeping in mind that these are objectives that are provided for information only within the CBK as they only apply to the committee and not to the individuals. Which of the following statements pertaining to the (ISC)2 Code of Ethics is NOT true? A. All information systems security professionals who are certified by (ISC)2 recognize that such a certification is a privilege that must be both earned and B. All information systems security professionals who are certified by (ISC)2 shall provide diligent and competent service to principals. C. All information systems security professionals who are certified by (ISC)2 shall forbid behavior such as associating or appearing to associate with criminals or D. All information systems security professionals who are certified by (ISC)2 shall promote the understanding and acceptance of prudent information security
C
The copyright law ("original works of authorship") protects the right of the owner in all of the following except? A. The public distribution of the idea B. Reproduction of the idea C. The idea itself D. Display of the idea
C
Which DES modes can best be used for authentication? A. Cipher Block Chaining and Electronic Code Book. B. Cipher Block Chaining and Output Feedback. C. Cipher Block Chaining and Cipher Feedback. D. Output Feedback and Electronic Code Book.
C
Which of the following are necessary components of a Multi-Level Security Policy? A. Sensitivity Labels and a "system high" evaluation. B. Sensitivity Labels and Discretionary Access Control. C. Sensitivity Labels and Mandatory Access Control. D. Object Labels and a "system high" evaluation.
C
Which of the following best allows risk management results to be used knowledgeably? A. A vulnerability analysis B. A likelihood assessment C. An uncertainty analysis D. Threat identification
C
Which of the following concerning the Rijndael block cipher algorithm is NOT true? a. The design of Rijndael was strongly influenced by the design of the block cipher Square. b. A total of 25 combinations of key length and block length are possible c. Both block size and key length can be extended to multiples of 64 bits. d. The cipher has a variable block length and key length.
C
Which of the following is NOT a common term in object-oriented systems? A. Method B. Behavior C. Function D. Message
C
Which of the following is NOT a technical control? A. Password and resource management B. Identification and authentication methods C. Monitoring for physical intrusion D. Intrusion Detection Systems
C
Which of the following is a problem regarding computer investigation issues? A. Information is tangible. B. Evidence is easy to gather. C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence. D. In many instances, an expert or specialist is not required.
C
Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options? A. Detailed design B. Implementation C. Product design D. Software plans and requirements
C
Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design? a. Development/acquisition b. Implementation c. Initiation d. Maintenance
C
Which of the following risk handling technique involves the practice of being proactive so that the risk in QUESTION is not realized? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer
C
Which of the following should NOT be performed by an operator? A. Implementing the initial program load B. Monitoring execution of the system C. Data entry D. Controlling job flow
C
Which of the following should be emphasized during the Business Impact Analysis (BIA) considering that the BIA focus is on business processes? A. Composition B. Priorities C. Dependencies D. Service levels
C
Which of the following statements is MOST accurate regarding a digital signature? a. It is a method used to encrypt confidential data. b. It is the art of transferring handwritten signature to electronic media. c. It allows the recipient of data to prove the source and integrity of data. d. It can be used as a signature system and a cryptosystem.
C
Which of the following statements pertaining to block ciphers is NOT true? a. It operates on fixed-size blocks of plaintext. b. It is more suitable for software than hardware implementations. c. Plain text is encrypted with a public key and decrypted with a private key. d. Some Block ciphers can operate internally as a stream.
C
Which one of the following statements BEST describes the operation of the Digital Signature Algorithm (DSA) (National Institute of Standards and Technology, NIST FIPS PUB 186, Digital Signature Standard, A. A message of < 264 bits is input to the DSA, and the resultant message digest bits is fed into the Secure Hash Algorithm (SHA), which generates the digital signature of the message. B. A message of < 264 bits is input to the Secure Hash Algorithm (SHA), and the resultant message digest bits is used as the digital signature of the message. C. A message of < 264 bits is input to the Secure Hash Algorithm (SHA), and the resultant message digest bits is fed into the DSA, which generates the digital signature of the message. D. A message of < 264 bits is input to the Secure Hash Algorithm (SHA), and the resultant message digest bits is fed into the DSA, which generates the digital signature of the message.
C
Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data? A. Business and functional managers B. IT Security practitioners C. System and information owners D. Chief information officer
C
At what stage of the applications development process should the security department become involved? A. Prior to the implementation B. Prior to systems testing C. During unit testing D. During requirements development
D
At which of the Orange Book evaluation levels is configuration management required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above.
D
Authentication Headers (AH) and Encapsulating Security Payload (ESP) protocols are the driving force of IPSec. Authentication Headers (AH) provides the following service except: A. Authentication B. Integrity C. Replay resistance and non-repudiations D. Confidentiality
D
During a fingerprint verification process, which of the following is used to verify identity and authentication? A. A pressure value is compared with a stored template B. Sets of digits are matched with stored values C. A hash table is matched to a database of stored value D. A template of minutiae is compared with a stored template
D
From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system? A. Configure secondary servers to use the primary server as a zone forwarder. B. Block all Transmission Control Protocol (TCP) connections. C. Disable all recursive queries on the name servers. D. Limit zone transfers to authorized devices.
D
Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LCL and MAC; IEEE 802.2 and 802.3 B. LCL and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3
D
What can be defined as a value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity? a. A digital envelope b. A cryptographic hash c. A Message Authentication Code d. A digital signature
D
What type of firewall architecture employs two network cards and a single screening router? A. A dual-homed host firewall B. An application-level proxy server C. A screened-subnet firewall D. A screened-host firewall
D
Which TCSEC (Orange Book) rating or level requires the system to clearly identify functions of the security administrator to perform security-related functions? A. C2 B. B1 C. B2 D. B3
D
Which of the following is NOT a preventive operational control? A. Protecting laptops, personal computers and workstations. B. Controlling software viruses. C. Controlling data media access and disposal. D. Conducting security awareness and technical training.
D
Which of the following is covered under Crime Insurance Policy Coverage? A. Inscribed, printed and Written documents B. Manuscripts C. Accounts Receivable D. Money and Securities
D
Which of the following is defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE? a. Diffie-Hellman Key Exchange Protocol b. Internet Security Association and Key Management Protocol (ISAKMP) c. Simple Key-management for Internet Protocols (SKIP) d. OAKLEY
D
Which of the following phases of a software development life cycle normally addresses Due Care and Due Diligence? A. Implementation B. System feasibility C. Product design D. Software plans and requirements
D
Which of the following service is not provided by a public key infrastructure (PKI)? a. Access control b. Integrity c. Authentication d. Reliability
D
Which of the following statements is TRUE for point-to-point microwave transmissions? A. They are not subject to interception due to encryption. B. Interception only depends on signal strength. C. They are too highly multiplexed for meaningful interception. D. They are subject to interception by an antenna within proximity.
D
Which of the following statements pertaining to quantitative risk analysis is NOT true? A. Portion of it can be automated B. It involves complex calculations C. It requires a high volume of information D. It requires little experience to apply
D
Which of the following statements relating to the Biba security model is FALSE? a. It is a state machine model. b. A subject is not allowed to write up. c. Integrity levels are assigned to subjects and objects. d. Programs serve as an intermediate layer between subjects and objects.
D
Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)? A. Calculate the risk for each different business function. B. Identify the company's critical business functions. C. Calculate how long these functions can survive without these resources. D. Develop a mission statement.
D
Which statement below is accurate about Evaluation Assurance Levels (EALs) in the Common Criteria (CC)? A. A security level equal to the security level of the objects to which the subject has both read and write access B. Requirements that specify the security behavior of an IT product or system C. A statement of intent to counter specified threats D. Predefined packages of assurance components that make up security confidence rating scale
D