CISSP Chapter 5 Review Questions, Chapter 3, Chap1 questions, Computer Security (Ch. 7), Intro to Security (Chapter 4), Intro to Security (Chapter2)
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million
A. $750,000
Which one of the following identifies the primary purpose of information classification processes? A. Define the requirements for protecting sensitive data. B. Define the requirements for backing up data. C. Define the requirements for storing data. D. Define the requirements for transmitting data.
A. A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing any data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit, but not any data.
An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Which of the following administrator actions might have prevented this incident? A. Mark the tapes before sending them to the warehouse. B. Purge the tapes before backing up data to them. C. Degauss the tapes before backing up data to them. D. Add the tapes to an asset management database.
A. If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unmanned warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.
What are the two common data classification schemes? A. Military and private sector B. Personal and government C. Private sector and unrestricted sector D. Classified and unclassified
A. Military and private sector
What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment? A. Monetary B. Utility C. Importance D. Time
A. Monetary
Vulnerabilities and risks are evaluated based on their threats against which of the following? A. One or more of the CIA Triad principles B. Data usefulness C. Due care D. Extent of liability
A. One or more of the CIA Triad principles
Which of the following is not considered an example of data hiding? A. Preventing an authorized reader of an object from deleting that object B. Keeping a database from being accessed by unauthorized visitors C. Restricting a subject at a lower classification level from accessing data at a higher classification level D. Preventing an application from accessing hardware directly
A. Preventing an authorized reader of an object from deleting that object
What is the formula used to compute the single loss expectancy for a risk scenario? A. SLE = AV × EF B. SLE = RO × EF C. SLE = AV × ARO D. SLE = EF × ARO
A. SLE = AV × EF
Within the context of the European Union (EU) Data Protection law, what is a data processor? A. The entity that processes personal data on behalf of the data controller B. The entity that controls processing of data C. The computing system that processes data D. The network that processes data
A. The EU Data Protection law defines a data processor as "a natural or legal person which processes personal data solely on behalf of the data controller." The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU Data Protection law, the data processor is not a computing system or a network.
Which one of the following data roles is most likely to assign permissions to grant users access to data? A. Administrator B. Custodian C. Owner D. User
A. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.
What do the principles of notice, choice, onward transfer, and access closely apply to? A. Privacy B. Identification C. Retention D. Classification
A. These are the first four principles in the Safe Harbor principles and they apply to maintaining the privacy of data. They do not address identification or retention of data. They primarily refer to privacy data such as personally identifiable information (PII), and while that may be considered a classification, classification isn't the primary purpose of the seven Safe Harbor principles.
Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10
B. $10,000,000
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000
B. $2,700,000
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects? A. Identification B. Availability C. Encryption D. Layering
B. Availability
Once the BCP team is selected, what should be the first item placed on the team's agenda? A. Business impact assessment B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
B. Business organization analysis
What is the first step that individuals responsible for the development of a business continuity plan should perform? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
B. Business organization analysis
When determining the classification of data, which one of the following is the most important consideration? A. Processing system B. Value C. Storage media D. Accessibility
B. Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it, which represents a negative value. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.
Which of the following is the lowest military data classification for classified data? A. Sensitive B. Secret C. Proprietary D. Private
B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.
An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what policy was not followed regarding the backup media? A. Media destruction B. Record retention C. Configuration management D. Versioning
B. Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization's security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but some backups are needed. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.
Which commercial business/private sector data classification is used to control information about individuals within an organization? A. Confidential B. Private C. Sensitive D. Proprietary
B. Private
Which of the following is the most important and distinctive concept in relation to layered security? A. Multiple B. Series C. Parallel D. Filter
B. Series
Which of the following is typically not a characteristic considered when classifying data? A. Value B. Size of object C. Useful lifetime D. National security implications
B. Size of object
Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. A stand-alone system D. The Internet
B. The CIA Triad
What is the primary objective of data classification schemes? A. To control access to objects for authorized subjects B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity C. To establish a transaction trail for auditing accountability D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
Referring to the scenario in question 14, what is the annualized loss expectancy? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10
C. $100,000
Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year? A. ARO B. SLE C. ALE D. EF
C. ALE
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________________________ the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate
C. Access
Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager
C. Chief executive officer
What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business? A. Business continuity plan B. Business impact assessment C. Disaster recovery plan D. Vulnerability assessment
C. Disaster recovery plan
What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility
C. Due diligence
Which of the following is not considered a violation of confidentiality? A. Stealing passwords B. Eavesdropping C. Hardware destruction D. Social engineering
C. Hardware destruction
Data classifications are used to focus security controls over all but which of the following? A. Storage B. Processing C. Layering D. Transfer
C. Layering
Which one of the following is based on Blowfish and helps protect against rainbow table attacks? A. 3DES B. AES C. Bcrypt D. SCP
C. Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.
What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization? A. SLE B. EF C. MTD D. ARO
C. MTD (Maximum Tolerable Downtime)
Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage
C. Negative publicity
What ensures that the subject of an activity or event cannot deny that the event occurred? A. CIA Triad B. Abstraction C. Nonrepudiation D. Hash totals
C. Nonrepudiation
Which of the following is the most secure method of deleting data on a DVD? A. Formatting B. Deleting C. Destruction D. Degaussing
C. Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux so degaussing a DVD doesn't destroy data.
____________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed. A. Seclusion B. Concealment C. Privacy D. Criticality
C. Privacy
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact assessment C. Provisions and processes D. Resource prioritization
C. Provisions and processes
Which would an administrator do to classified media before reusing it in a less secure environment? A. Erasing B. Clearing C. Purging D. Overwriting
C. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
Which of the following statements correctly identifies a problem with sanitization methods? A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. B. Even fully incinerated media can offer extractable data. C. Personnel can perform sanitization steps improperly. D. Stored data is physically etched into the media.
C. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.
Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases? A. Resource prioritization B. Likelihood assessment C. Strategy development D. Provisions and processes
C. Strategy development
Which of the following best defines "rules of behavior" established by a data owner? A. Ensuring users are granted access to only what they need B. Determining who has access to a system C. Identifying appropriate use and protection of data D. Applying security controls to a system
C. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.
Which of the following is not true? A. Violations of confidentiality include human error. B. Violations of confidentiality include management oversight. C. Violations of confidentiality are limited to direct intentional attacks. D. Violations of confidentiality can occur when a transmission is not properly encrypted.
C. Violations of confidentiality are limited to direct intentional attacks.
Referring to the scenario in question 8, what is the annualized loss expectancy? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000
D. $135,000
Which one of the following tasks would a custodian most likely perform? A. Access the data B. Classify the data C. Assign permissions to the data D. Back up data
D. A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.
What type of mitigation provision is utilized when redundant communications links are installed? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems
D. Alternative systems
An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what would have prevented this loss without sacrificing security? A. Mark the media kept offsite. B. Don't store data offsite. C. Destroy the backups offsite. D. Use a secure offsite storage facility.
D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unmanned warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.
What is the most important aspect of marking media? A. Date labeling B. Content description C. Electronic labeling D. Classification
D. Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.
Which of the following answers would not be included as sensitive data? A. Personally identifiable information (PII) B. Protected health information (PHI) C. Proprietary data D. Data posted on a website
D. Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.
Which of the following does not erase data? A. Clearing B. Purging C. Overwriting D. Remanence
D. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.
STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE? A. Spoofing B. Elevation of privilege C. Repudiation D. Disclosure
D. Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
Which resource should you protect first when designing continuity plan provisions and processes? A. Physical plant B. Infrastructure C. Financial D. People
D. People
What will be the major resource consumed by the BCP process during the BCP phase? A. Hardware B. Software C. Processing time D. Personnel
D. Personnel
What is the primary goal of change management? A. Maintaining documentation B. Keeping users informed of changes C. Allowing rollback of failed changes D. Preventing security compromises
D. Preventing security compromises
Which of the following choices is the most reliable method of destroying data on a solid state drive? A. Erasing B. Degaussing C. Deleting D. Purging
D. Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux so degaussing an SSD doesn't destroy data.
Which one of the following would administrators use to connect to a remote server securely for administration? A. Telnet B. Secure File Transfer Protocol (SFTP) C. Secure Copy (SCP) D. Secure Shell (SSH)
D. SSH is a secure alternative to Telnet because it encrypts data transmitted over a network. In contrast, Telnet transmits data in clear text. SFTP and SCP are good methods for transmitting sensitive data over a network, but not for administration purposes.
An organization is implementing a preselected baseline of security controls, but finds not all of the controls apply. What should they do? A. Implement all of the controls anyway. B. Identify another baseline. C. Re-create a baseline. D. Tailor the baseline to their needs.
D. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.
What element of data categorization management can override all other forms of access control? A. Classification B. Physical access C. Custodian responsibilities D. Taking ownership
D. Taking ownership
All but which of the following items requires awareness for all individuals affected? A. Restricting personal email B. Recording phone conversations C. Gathering information about surfing habits D. The backup mechanism used to retain email messages
D. The backup mechanism used to retain email messages
Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits
a
How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap
a
John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits
a
Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret
a
The Children's Online Privacy Protection Act was designed to protect the privacy of children using the Internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16
a
What act updated the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)? A. HITECH B. CALEA C. CFAA D. CCCA
a
What encryption technique does WPA use to protect wireless communications? A. TKIP B. DES C. 3DES D. AES
a
What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm-Leach-Bliley Act
a
When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration
a
When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request resumes
a
Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues? A. Computer Security Act B. National Infrastructure Protection Act C. Computer Fraud and Abuse Act D. Electronic Communications Privacy Act
a
Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget
a
Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches
a
Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack? A. Rainbow tables B. Hierarchical screening C. TKIP D. Random enhancement
a
Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the "transitory activities" clause of the Digital Millennium Copyright Act? A. The service provider and the originator of the message must be located in different states. B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider. C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary. D. The transmission must be originated by a person other than the provider.
a
How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor
b
If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis
b
In the RSA public key cryptosystem, which one of the following numbers will always be largest? A. e B. n C. p D. q
b
Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
b
Richard wants to digitally sign a message he's sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
b
What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmerman's Pretty Good Privacy secure email system? A. ROT13 B. IDEA C. ECC D. El Gamal
b
What does IPsec define? A. All possible security classifications for a specific configuration B. A framework for setting up a secure communication channel C. The valid transition states in the Biba model D. TCSEC security categories
b
What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act? A. Health care B. Banking C. Law enforcement D. Defense contractors
b
What is the major disadvantage of using certificate revocation lists? A. Key management B. Latency C. Record keeping D. Vulnerability to brute-force attacks
b
What law formalizes many licensing arrangements used by the software industry and attempts to standardize their use from state to state? A. Computer Security Act B. Uniform Computer Information Transactions Act C. Digital Millennium Copyright Act D. Gramm-Leach-Bliley Act
b
What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment C. Second Amendment D. Gramm-Leach-Bliley Act
b
When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.
b
Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication? A. X.500 B. X.509 C. X.900 D. X.905
b
Which cryptographic algorithm forms the basis of the El Gamal cryptosystem? A. RSA B. Diffie-Hellman C. 3DES D. IDEA
b
Which of the following is a primary purpose of an exit interview? A. To return the exiting employee's personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee's performance D. To cancel the exiting employee's network access accounts
b
Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure
b
Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A. Standard license agreement B. Shrink‐wrap agreement C. Click‐wrap agreement D. Verbal agreement
b
While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information
b
If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
c
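The two Richard-and-Sue questions are one rule seen from both sides: a digital signature is produced with the signer's private key over the message digest and checked with the signer's public key, while confidentiality is obtained with the recipient's public key and undone with the recipient's private key. The textbook RSA below is an added example (not code from the page or from any library) that makes those key roles explicit. Assumptions: the moduli are built from Mersenne primes only so the example runs offline without a prime generator, which makes them trivially factorable, and there is no padding (no PSS, no OAEP), so it illustrates key usage and nothing more.

```python
import hashlib

# Mersenne primes, chosen so the example runs instantly offline. Moduli built
# from them are trivially factorable: this is textbook RSA for showing which
# key does what, not a usable implementation (assumption: no padding at all).
M107, M127 = 2**107 - 1, 2**127 - 1
M521, M607 = 2**521 - 1, 2**607 - 1


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)): public key first, private key second."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is what gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(signer_private_key, message: bytes) -> int:
    # The SIGNER'S PRIVATE key is applied to the digest (Richard's private key).
    n, d = signer_private_key
    return pow(digest_int(message), d, n)


def rsa_verify(signer_public_key, message: bytes, signature: int) -> bool:
    # Anyone with the SIGNER'S PUBLIC key can check it (Richard's public key).
    n, e = signer_public_key
    return pow(signature, e, n) == digest_int(message)


def rsa_encrypt(recipient_public_key, message: bytes) -> int:
    # Confidentiality uses the RECIPIENT'S PUBLIC key (Sue's public key).
    n, e = recipient_public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus (no hybrid scheme here)")
    return pow(m, e, n)


def rsa_decrypt(recipient_private_key, ciphertext: int) -> bytes:
    # Only the RECIPIENT'S PRIVATE key undoes it (Sue's private key).
    n, d = recipient_private_key
    m = pow(ciphertext, d, n)
    # Leading zero bytes of the plaintext are not preserved by this toy encoding.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def richard_to_sue(message: bytes):
    """Sign with Richard's private key, encrypt to Sue's public key, then
    recover and verify on Sue's side. Returns (verified_with_richard_pub,
    verified_with_sue_pub, recovered_plaintext)."""
    richard_pub, richard_priv = rsa_keygen(M127, M521)
    sue_pub, sue_priv = rsa_keygen(M107, M607)

    signature = rsa_sign(richard_priv, message)
    ciphertext = rsa_encrypt(sue_pub, message)

    recovered = rsa_decrypt(sue_priv, ciphertext)
    ok_with_richard = rsa_verify(richard_pub, recovered, signature)
    ok_with_sue = rsa_verify(sue_pub, recovered, signature)   # wrong key: fails
    return ok_with_richard, ok_with_sue, recovered
```

Verification with Sue's public key fails because the signature was made under Richard's private exponent; that is exactly the property that lets Sue attribute the message to Richard and detect any change in transit (a single flipped byte changes the digest and the check fails).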
If a 2,048-bit plaintext message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext message be? A. 1,024 bits B. 2,048 bits C. 4,096 bits D. 8,192 bits
c
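El Gamal is Diffie-Hellman with the message multiplied in, which answers both of the El Gamal questions above: the recipient's public key y = g^x is a static DH value, the sender contributes a fresh ephemeral g^k, and the shared secret g^(xk) masks the message. Because the ciphertext has to carry both the ephemeral value c1 and the masked message c2, each as large as the modulus, it is twice the length of the plaintext (a 2,048-bit modulus gives a 4,096-bit ciphertext). The code below is an added example, not from the page; the 61-bit prime and generator 3 are assumed purely so it runs instantly and are not secure parameters.

```python
import secrets

# Assumption: a small Mersenne prime and g = 3 so the example runs instantly.
# Real deployments use a 2,048-bit or larger prime and a generator of a large
# prime-order subgroup; these parameters have no security value.
P = 2**61 - 1
G = 3


def elgamal_keygen():
    """Private exponent x and public value y = g^x: a static DH key pair."""
    x = secrets.randbelow(P - 2) + 1          # 1 <= x <= P-2
    y = pow(G, x, P)
    return (P, G, y), x


def elgamal_encrypt(public_key, m: int):
    p, g, y = public_key
    if not 0 < m < p:
        raise ValueError("plaintext must be a nonzero element below the modulus")
    k = secrets.randbelow(p - 2) + 1          # fresh ephemeral DH exponent per message
    c1 = pow(g, k, p)                          # sender's ephemeral DH public value
    shared = pow(y, k, p)                      # DH shared secret g^(x*k)
    c2 = (m * shared) % p                      # message masked by the shared secret
    return c1, c2                              # two modulus-sized elements


def elgamal_decrypt(private_key: int, public_key, ciphertext):
    p = public_key[0]
    c1, c2 = ciphertext
    shared = pow(c1, private_key, p)           # same g^(x*k) from the other side
    return (c2 * pow(shared, -1, p)) % p       # Python 3.8+ modular inverse


def ciphertext_bits(public_key) -> int:
    """Serialized ciphertext size: two elements, each padded to the modulus length."""
    p = public_key[0]
    return 2 * p.bit_length()


def plaintext_bits(public_key) -> int:
    return public_key[0].bit_length()
```

Two encryptions of the same message under the same key produce different ciphertexts because k is fresh each time; reusing k across messages leaks the ratio of the plaintexts, the same hazard as a reused one-time pad.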
Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® C. ™ D. †
c
What TCP/IP communications port is used by Transport Layer Security traffic? A. 80 B. 220 C. 443 D. 559
c
What compliance obligation relates to the processing of credit card information? A. SOX B. HIPAA C. PCI DSS D. FERPA
c
What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A. Government‐owned systems B. Federal interest systems C. Systems used in interstate commerce D. Systems located in the United States
c
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination
c
What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis
c
What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption? A. Birthday attack B. Chosen ciphertext attack C. Meet-in-the-middle attack D. Man-in-the-middle attack
c
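Why doubling a cipher does not double its key length, as an added example that is not part of the original page: the 16-bit toy block cipher, its keys and the known plaintext/ciphertext pairs below are all constructed for illustration. Trying every (k1, k2) against E_k2(E_k1(P)) would cost 2^32 trials, but tabulating E_k1(P) for every k1 and then looking up D_k2(C) for every k2 meets in the middle after about 2·2^16 cipher evaluations, which is the reason 2DES offers roughly the strength of single DES rather than 112 bits.

```python
# Toy 16-bit block cipher with a 16-bit key (constructed for this example, no
# security value) and a meet-in-the-middle key recovery against E_k2(E_k1(P)).
MASK = 0xFFFF
MUL = 0x6D2B                      # odd, hence invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)   # Python 3.8+
ROUNDS = 4


def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK


def toy_encrypt(key, block):
    """Four rounds of xor-with-round-key, multiply by an odd constant, rotate."""
    for r in range(ROUNDS):
        block ^= (key + r * 0x9E37) & MASK
        block = (block * MUL) & MASK
        block = _rotl(block, 5)
    return block


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo each round step in reverse order."""
    for r in reversed(range(ROUNDS)):
        block = _rotr(block, 5)
        block = (block * MUL_INV) & MASK
        block ^= (key + r * 0x9E37) & MASK
    return block


def double_encrypt(k1, k2, block):
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Returns the surviving key pairs and an upper bound on the cipher
    evaluations spent, for comparison with the 2**32 of a naive search.
    """
    (p0, c0), *rest = pairs
    # Forward half: one encryption per candidate k1, indexed by the middle value.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    evaluations = 1 << 16
    found = []
    # Backward half: one decryption per candidate k2, then a table lookup.
    for k2 in range(1 << 16):
        evaluations += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # With a 16-bit block roughly 2**16 (k1, k2) pairs match on one
            # known pair by chance, so the remaining pairs filter false positives.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
            evaluations += 2 * len(rest)
    return found, evaluations


def demo():
    k1, k2 = 0x1234, 0xBEEF                        # the secret key pair to recover
    plaintexts = [0x0000, 0x1111, 0x2222, 0x3333]   # constructed known plaintexts
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)
```

The trade is memory for time: the table holds one entry per candidate first key, which is why the attack is stated against a 2^56 DES key space as 2^57 work plus 2^56 storage rather than 2^112 work. Triple DES with a decrypt in the middle (EDE) still meets in the middle, but only down to about 2^112, which is why it survived and 2DES did not.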
When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.
c
Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)? A. Computer Security Act B. National Infrastructure Protection Act C. Computer Fraud and Abuse Act D. Electronic Communications Privacy Act
c
Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information? A. National Security Agency B. Federal Bureau of Investigation C. National Institute of Standards and Technology D. Secret Service
c
Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
c
Which of the following links would be protected by WPA encryption? A. Firewall to firewall B. Router to firewall C. Client to wireless access point D. Wireless access point to router
c
Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.
c
Which one of the following algorithms is not supported by the Digital Signature Standard? A. Digital Signature Algorithm B. RSA C. El Gamal DSA D. Elliptic Curve DSA
c
Which one of the following is not a valid legal reason for processing information about an individual under the European Union's data privacy directive? A. Contract B. Legal obligation C. Marketing needs D. Consent
c
Which one of the following laws is not designed to protect the privacy rights of consumers and Internet users? A. Health Insurance Portability and Accountability Act B. Identity Theft Assumption and Deterrence Act C. USA PATRIOT Act D. Gramm‐Leach‐Bliley Act
c
Which one of the following technologies is considered flawed and should no longer be used? A. SHA-2 B. PGP C. WEP D. TLS
c
A portion of the ______________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review
d
Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret
d
What is the standard duration of patent protection in the United States? A. 14 years from the application date B. 14 years from the date the patent is granted C. 20 years from the application date D. 20 years from the date the patent is granted
c
What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law
d
Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans
d
Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users' personal files
d
Which one of the following encryption algorithms is now considered insecure? A. El Gamal B. RSA C. Skipjack D. Merkle-Hellman Knapsack
d
You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy C. Asset value D. Annualized rate of occurrence
d