CISSP Practice Exam Questions and Answers

A.  

Least privilege

B.  

Lattice Based Access Control (LBAC)

C.  

Role Based Access Control (RBAC)

D.  

Lightweight Directory Access Control (LDAP)

A.  

Maintaining an inventory of authorized Access Points (AP) and connecting devices

B.  

Setting the radio frequency to the minimum range required

C.  

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

D.  

Verifying that all default passwords have been changed

A.  

Anti-virus software

B.  

Intrusion Prevention System (IPS)

C.  

Anti-spyware software

D.  

Integrity checking software

A.  

Set up a BIOS and operating system password

B.  

Encrypt the virtual drive where confidential files can be stored

C.  

Implement a mandatory policy in which sensitive data cannot be stored on laptops, but only on the corporate network

D.  

Encrypt the entire disk and delete contents after a set number of failed access attempts

A.  

It has normalized severity ratings.

B.  

It has many worksheets and practices to implement.

C.  

It aims to calculate the risk of published vulnerabilities.

D.  

It requires a robust risk management framework to be put in place.

A.  

It uses a Subscriber Identity Module (SIM) for authentication.

B.  

It uses encrypting techniques for all communications.

C.  

The radio spectrum is divided with multiple frequency carriers.

D.  

The signal is difficult to read as it provides end-to-end encryption.

A.  

hardened building construction with consideration of seismic factors.

B.  

adequate distance from and lack of access to adjacent buildings.

C.  

curved roads approaching the data center.

D.  

proximity to high crime areas of the city.

A.  

As part of the SLA renewal process

B.  

Prior to a planned security audit

C.  

Immediately after a security breach

D.  

At regularly scheduled meetings

A.  

INSERT and DELET

E.  

B.  

GRANT and REVOK

E.  

C.  

PUBLIC and PRIVAT

E.  

D.  

ROLLBACK and TERMINAT

E.  

A.  

the policy and procedures manual.

B.  

an existing BCP from a similar organization.

C.  

a review of the business processes and procedures.

D.  

a standard checklist of required items and objectives.

A.  

Capabilities of security resources

B.  

Executive management support

C.  

Effectiveness of security management

D.  

Budget approved for security resources

A.  

Use a thumb drive to transfer information from a foreign computer.

B.  

Do not take unnecessary information, including sensitive information.

C.  

Connect the laptop only to well-known networks like the hotel or public Internet cafes.

D.  

Request international points of contact help scan the laptop on arrival to ensure it is protected.

A.  

Encrypt communications between the servers

B.  

Encrypt the web server traffic

C.  

Implement server-side filtering

D.  

Filter outgoing traffic at the perimeter firewall

A.  

Audit policy

B.  

Security log

C.  

Security policies

D.  

Configuration settings

A.  

periodically during a session.

B.  

for each business process.

C.  

at system sign-off.

D.  

after a period of inactivity.

A.  

Number of system compromises

B.  

Number of audit findings

C.  

Number of staff reductions

D.  

Number of additional assets

A.  

Perform a service provider PCI-DSS assessment on a yearly basis.

B.  

Validate the service provider's PCI-DSS compliance status on a regular basis.

C.  

Validate that the service providers security policies are in alignment with those of the organization.

D.  

Ensure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly basis.

A.  

The amount of light reflected by the retina

B.  

The size, curvature, and shape of the retina

C.  

The pattern of blood vessels at the back of the eye

D.  

The pattern of light receptors at the back of the eye

A.  

Two-factor authentication

B.  

Digital certificates and hardware tokens

C.  

Timed sessions and Secure Socket Layer (SSL)

D.  

Passwords with alpha-numeric and special characters

A.  

Trusted path

B.  

Malicious logic

C.  

Social engineering

D.  

Passive misuse

A.  

To assign responsibility for mitigating the risk to vulnerable systems

B.  

To ensure that information assets receive an appropriate level of protection

C.  

To recognize that the value of any item of information may change over time

D.  

To recognize the optimal number of classification categories and the benefits to be gained from their use

A.  

encrypt the contents of the repository and document any exceptions to that requirement.

B.  

utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected.

C.  

keep individuals with access to high security areas from saving those documents into lower security areas.

D.  

require individuals with access to the system to sign Non-Disclosure Agreements (NDA).

A.  

Transparent Database Encryption (TDE)

B.  

Column level database encryption

C.  

Volume encryption

D.  

Data tokenization

A.  

a report from an external auditor.

B.  

responding to a customer's security questionnaire.

C.  

a formal report from an internal auditor.

D.  

a site visit by a customer's security team.

A.  

Ensuring the media is not labeled in any way that indicates the organization's name.

B.  

Disassembling the media and removing parts that may contain sensitive dat

A.  

C.  

Physically breaking parts of the media that may contain sensitive dat

A.  

D.  

Establishing a contract with the third party regarding the secure handling of the medi

A.  

A.  

False Acceptance Rate (FAR)

B.  

False Rejection Rate (FRR)

C.  

Crossover Error Rate (CER)

D.  

Rejection Error Rate

A.  

Data integrity

B.  

Access accountability

C.  

Encryption logging format

D.  

Segregation of duties

A.  

Workplace privacy laws

B.  

Level of organizational trust

C.  

Results of background checks

D.  

Business ethical considerations

A.  

The entire enterprise network infrastructure.

B.  

The handheld devices, wireless access points and border gateway.

C.  

The end devices, wireless access points, WLAN, switches, management console, and firewall.

D.  

The end devices, wireless access points, WLAN, switches, management console, and Internet

A.  

Brute force attack

B.  

Frequency analysis

C.  

Social engineering

D.  

Dictionary attack

A.  

Payload encryption and transport encryption

B.  

Authentication Headers (AH)

C.  

Keyed-Hashing for Message Authentication

D.  

Point-to-Point Encryption (P2PE)

A.  

Mandating security policy acceptance

B.  

Changing individual behavior

C.  

Evaluating security awareness training

D.  

Filtering malicious e-mail content

A.  

Delayed revocation or destruction of credentials

B.  

Modification of Certificate Revocation List

C.  

Unauthorized renewal or re-issuance

D.  

Token use after decommissioning

A.  

Addresses and protocols of network-based logs are analyzed.

B.  

Host-based system logging has files stored in multiple locations.

C.  

Properly handled network-based logs may be more reliable and valid.

D.  

Network-based systems cannot capture users logging into the console.

A.  

Patches on the network are difficult to keep current.

B.  

It is the responsibility of the systems administrator.

C.  

User ID and passwords are never set to expire.

D.  

Network diagrams are not up to date.

A.  

Systems administration and operating systems

B.  

System incompatibility and patch management

C.  

Third-party applications and change controls

D.  

Improper stress testing and application interfaces

A.  

address-based authentication.

B.  

Address Resolution Protocol (ARP).

C.  

Reverse Address Resolution Protocol (RARP).

D.  

Transmission Control Protocol (TCP) hijacking.

A.  

Only the functional specifications are known to the test planner.

B.  

Only the source code and the design documents are known to the test planner.

C.  

Only the source code and functional specifications are known to the test planner.

D.  

Only the design documents and the functional specifications are known to the test planner.

A.  

exploit security weaknesses in the IS.

B.  

measure system performance on systems with weak security controls.

C.  

evaluate the effectiveness of security controls.

D.  

prepare for Disaster Recovery (DR) planning.

A.  

It contains the keys of all clients.

B.  

It always operates at root privilege.

C.  

It contains all the tickets for services.

D.  

It contains the Internet Protocol (IP) address of all network entities.

A.  

Mandatory Access Control (MAC).

B.  

owner-administered control.

C.  

owner-dependent access control.

D.  

Discretionary Access Control (DAC).

A.  

Degaussing

B.  

Encryption

C.  

Data Loss Prevention (DLP)

D.  

Authentication

A.  

Time of data validation after disaster

B.  

Time of data restoration from backup after disaster

C.  

Time of application resumption after disaster

D.  

Time of application verification after disaster

A.  

Formal acceptance of the security strategy

B.  

Disciplinary actions taken against unethical behavior

C.  

Development of an awareness program for new employees

D.  

Audit of all organization system configurations for faults

A.  

Removing employee's full access to the computer

B.  

Supervising their child's use of the computer

C.  

Limiting computer's access to only the employee

D.  

Ensuring employee understands their business conduct guidelines

A.  

Block all client side web exploits at the perimeter.

B.  

Remove all non-essential client-side web services from the network.

C.  

Screen for harmful exploits of client-side services before implementation.

D.  

Harden the client image before deployment.

A.  

Experience in the industry

B.  

Definition of security profiles

C.  

Human resource planning efforts

D.  

Procedures in systems development

A.  

The application can be protected in the production environment.

B.  

Large amounts of code can be tested using fewer resources.

C.  

The application will fail less when tested using these tools.

D.  

Detailed testing of code functions can be performed.

A.  

Automatically create exceptions for specific actions or files

B.  

Determine which files are unsafe to access and blacklist them

C.  

Automatically whitelist actions or files known to the system

D.  

Build a baseline of normal or safe system events for review

A.  

Time of the access

B.  

Security classification

C.  

Denied access attempts

D.  

Associated clearance

A.  

application dismissal.

B.  

business procedures.

C.  

digital certificates expiration.

D.  

regulatory compliance.

A.  

Scan the application for vulnerabilities

B.  

Contract the vendor for patching

C.  

Negotiate end user application training

D.  

Escrow a copy of the software

A.  

Legal

B.  

Logical

C.  

Physical

D.  

Procedural

A.  

Ensure that data is destroyed properly.

B.  

Ensure that data recovery can be done on the dat

A.  

C.  

Ensure the integrity and availability of data for a predetermined amount of time.

D.  

Ensure the integrity and confidentiality of data for a predetermined amount of time.

A.  

Users are authenticated to one system at a time.

B.  

Users are identified to multiple systems with several credentials.

C.  

Users are authenticated to multiple systems with one login.

D.  

Only one user is using the system at a time.

A.  

Temporal Key Integrity Protocol (TKIP)

B.  

Wi-Fi Protected Access (WPA) Pre-Shared Key (PSK)

C.  

Wi-Fi Protected Access 2 (WPA2) Enterprise

D.  

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

A.  

User A

B.  

User B

C.  

User C

D.  

User D

A.  

Data access

B.  

Data backup

C.  

Data recovery

D.  

Data disposal

A.  

Network activity monitoring

B.  

Security awareness training

C.  

Corporate policy and procedures

D.  

Strong file and directory permissions

A.  

Remove their computer access

B.  

Require them to turn in their badge

C.  

Conduct an exit interview

D.  

Reduce their physical access level to the facility

A.  

Program change control

B.  

Regression testing

C.  

Export exception control

D.  

User acceptance testing

A.  

system's past security record.

B.  

size of the system's database.

C.  

sensitivity of the system's dat

A.  

D.  

age of the system.

A.  

Vulnerability to crime

B.  

Adjacent buildings and businesses

C.  

Proximity to an airline flight path

D.  

Vulnerability to natural disasters

A.  

ensure that everyone understands the organization's policies and procedures.

B.  

communicate that access to information will be granted on a need-to-know basis.

C.  

warn all users that access to all systems will be monitored on a daily basis.

D.  

comply with regulations related to data and information protection.

A.  

makes key management and distribution easier.

B.  

protects data from start to finish through the entire network.

C.  

improves the efficiency of the transmission.

D.  

encrypts all information, including headers and routing information.

A.  

Regularly perform account re-validation and approval

B.  

Account provisioning based on multi-factor authentication

C.  

Frequently review performed activities and request justification

D.  

Account information to be provided by supervisor or line manager

A.  

Authorization and integrity

B.  

Availability and integrity

C.  

Integrity and confidentiality

D.  

Authorization and confidentiality

A.  

Encryption routines

B.  

Random number generator

C.  

Obfuscated code

D.  

Botnet command and control

A.  

Diffusion

B.  

Encapsulation

C.  

Obfuscation

D.  

Permutation

A.  

Chief Financial Officer (CFO)

B.  

Chief Information Security Officer (CISO)

C.  

Originator or nominated owner of the information

D.  

Department head responsible for ensuring the protection of the information

A.  

flexible.

B.  

confidential.

C.  

focused.

D.  

achievable.

A.  

Physical access to the electronic hardware

B.  

Regularly scheduled maintenance process

C.  

Availability of the network connection

D.  

Processing delays

A.  

Hot site

B.  

Cold site

C.  

Warm site

D.  

Mobile site

A.  

Programs that write to system resources

B.  

Programs that write to user directories

C.  

Log files containing sensitive information

D.  

Log files containing system calls

A.  

confidentiality, authentication, and authorization.

B.  

confidentiality, non-repudiation, and authentication.

C.  

non-repudiation, authorization, and authentication.

D.  

non-repudiation, confidentiality, and authorization.

A.  

Log all activities associated with sensitive systems

B.  

Provide links to security policies

C.  

Confirm that confidentially agreements are signed

D.  

Employ strong access controls

A.  

Mutual authentication

B.  

Server authentication

C.  

User authentication

D.  

Streaming ciphertext data

A.  

Difference between a new and an established connection

B.  

Originating network location

C.  

Difference between a malicious and a benign packet payload

D.  

Originating application session

A.  

Perform a compliance review

B.  

Perform a penetration test

C.  

Train the technical staff

D.  

Survey the technical staff

A.  

Known-plaintext attack

B.  

Denial of Service (DoS)

C.  

Cookie manipulation

D.  

Structured Query Language (SQL) injection

A.  

Define additional security controls directly after the merger

B.  

Include a procurement officer in the merger team

C.  

Verify all contracts before a merger occurs

D.  

Assign a compliancy officer to review the merger conditions

A.  

Application connection successes resulting in data leakage

B.  

Administrative costs for restoring systems after connection failure

C.  

Employee system timeouts from implementing wrong limits

D.  

Help desk costs required to support password reset requests

A.  

Systems owner

B.  

Authorizing Official (AO)

C.  

Information owner

D.  

Security officer

A.  

Penetration

B.  

System

C.  

Performance

D.  

Vulnerability

A.  

Enumeration

B.  

Reporting

C.  

Detection

D.  

Discovery

A.  

In a dedicated Demilitarized Zone (DMZ)

B.  

In its own separate Virtual Local Area Network (VLAN)

C.  

At the Internet Service Provider (ISP)

D.  

Outside the external firewall

A.  

Use a web scanner to scan for vulnerabilities within the website.

B.  

Perform a code review to ensure that the database references are properly addressed.

C.  

Establish a secure connection to the web server to validate that only the approved ports are open.

D.  

Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

A.  

Mandatory Access Control (MAC)

B.  

Access Control List (ACL)

C.  

Discretionary Access Control (DAC)

D.  

Authorized user control

A.  

Establish an information security policy.

B.  

Identify factors affecting information security.

C.  

Establish baseline security controls.

D.  

Identify critical security infrastructure.

A.  

Stateful firewall

B.  

Distributed antivirus

C.  

Log analysis

D.  

Passive honeypot

A.  

parameterized database queries

B.  

whitelist input values

C.  

synchronized session tokens

D.  

use strong ciphers

A.  

Trusted platforms

B.  

Host-based firewalls

C.  

Token-based authentication

D.  

Wireless Access Points (AP)

A.  

User access modification

B.  

user access recertification

C.  

User access termination

D.  

User access provisioning

A.  

To choose the primary development language

B.  

To choose the integrated development environment

C.  

To match the software requirements to the delivery plan

D.  

To project manage the software delivery

A.  

Chief Information Officer (CIO)

B.  

Chief Information Security Officer (CISO)

C.  

Chief internal auditor

D.  

Chief Executive Officer (CEO)

A.  

Determining system security scopes

B.  

Generating attack libraries

C.  

Enumerating threats

D.  

Evaluating Denial of Service (DoS) attacks

A.  

Payment Card Industry Data Security Standards (PCI-DSS)

B.  

Common Criteria (CC)

C.  

Health Insurance Portability and Accountability Act (HIPAA)

D.  

Sarbanes-Oxley (SOX)

A.  

Morale

B.  

Reputation

C.  

Equipment

D.  

Information

A.  

Confirm that all platforms are supported and function properly

B.  

Evaluate whether systems or components pass data and control correctly to one another

C.  

Verify compatibility of software, hardware, and network connections

D.  

Examine error conditions related to external interfaces to prevent application details leakage

A.  

Compartmentalization

B.  

Segmentation

C.  

Error correction

D.  

Virtual Local Area Network (VLAN) tagging

A.  

Diffle-Hellman (DH) algorithm

B.  

Elliptic Curve Cryptography (ECC) algorithm

C.  

Digital Signature algorithm (DSA)

D.  

Rivest-Shamir-Adleman (RSA) algorithm

A.  

Non-repudiation

B.  

Efficiency

C.  

Confidentially

D.  

Privacy

A.  

Mandatory Access Controls (MAC)

B.  

Enterprise security architecture

C.  

Enterprise security procedures

D.  

Role Based Access Controls (RBAC)

A.  

Information input validation

B.  

Non-repudiation controls and data encryption

C.  

Multi-Factor Authentication (MFA)

D.  

Server identity and data confidentially

A.  

System acquisition and development

B.  

System operations and maintenance

C.  

System initiation

D.  

System implementation

A.  

Application proxy

B.  

Port filter

C.  

Network boundary router

D.  

Access layer switch

A.  

Attribute Based Access Control (ABAC)

B.  

Discretionary Access Control (DAC)

C.  

Mandatory Access Control (MAC)

D.  

Role-Based Access Control (RBAC)

A.  

It is tested

B.  

It is logged

C.  

It is verified

D.  

It is untrusted

A.  

Automated dynamic analysis

B.  

Automated static analysis

C.  

Manual code review

D.  

Fuzzing

A.  

Accept the risk on behalf of the organization.

B.  

Report findings to the business to determine security gaps.

C.  

Quantify the risk to the business for product selection.

D.  

Approve the application that best meets security requirements.

A.  

Confidentiality

B.  

Integrity

C.  

Availability

D.  

Accessibility

A.  

Integrity

B.  

Confidentiality

C.  

Availability

D.  

Access Control

A.  

The estimated period of time a business critical database can remain down before customers are affected.

B.  

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

C.  

The estimated period of time a business can remain interrupted beyond which it risks never recovering

D.  

The fixed length of time in a DR process before redundant systems are engaged

A.  

List of components involved

B.  

Number of changes being made

C.  

Business case justification

D.  

A stakeholder communication

A.  

To identify system threats, vulnerabilities, and acceptable level of risk

B.  

To formalize the confirmation of compliance to security policies and standards

C.  

To formalize the confirmation of completed risk mitigation and risk analysis

D.  

To verify that system architecture and interconnections with other systems are effectively implemented

A.  

Establishing a sandboxing environment

B.  

Setting up a Virtual Private Network (VPN) tunnel

C.  

Monitoring and reviewing privileged sessions

D.  

Introducing a job rotation program

A.  

Secure Hash Algorithm 1 (SHA-1)

B.  

Secure Sockets Layer (SSL)

C.  

Cipher Block Chaining Message Authentication Code (CBC-MAC)

D.  

Transport Layer Security (TLS)

A.  

Cryptographic approach that does not require a fixed-length key

B.  

Military-strength security that does not depend upon secrecy of the algorithm

C.  

Opportunity to use shorter keys for the same level of security

D.  

Ability to use much longer keys for greater security

A.  

Excessive access rights to systems and data

B.  

Segregation of duties conflicts within business applications

C.  

Lack of system administrator activity monitoring

D.  

Inappropriate access requests

A.  

Lightweight Directory Access Protocol (LDAP)

B.  

Security Assertion Markup Language (SAML)

C.  

Internet Mail Access Protocol

D.  

Transport Layer Security (TLS)

A.  

IEEE 802.1F

B.  

IEEE 802.1H

C.  

IEEE 802.1Q

D.  

IEEE 802.1X

A.  

Application Layer

B.  

Physical Layer

C.  

Data-Link Layer

D.  

Network Layer

A.  

Ineffective data classification

B.  

Lack of data access controls

C.  

Ineffective identity management controls

D.  

Lack of Data Loss Prevention (DLP) tools

A.  

Service Level Agreement (SLA)

B.  

Business Continuity Plan (BCP)

C.  

Business Impact Analysis (BIA)

D.  

Crisis management plan

A.  

Concept, Development, Production, Utilization, Support, Retirement

B.  

Stakeholder Requirements Definition, Architectural Design, Implementation, Verification, Operation

C.  

Acquisition, Measurement, Configuration Management, Production, Operation, Support

D.  

Concept, Requirements, Design, Implementation, Production, Maintenance, Support, Disposal

A.  

Reduced risk to internal systems.

B.  

Prepare the server for potential attacks.

C.  

Mitigate the risk associated with the exposed server.

D.  

Bypass the need for a firewall.

A.  

Virtual device drivers

B.  

Virtual machine monitor

C.  

Virtual machine instance

D.  

Virtual machine file system

A.  

Transport

B.  

Data link

C.  

Network

D.  

Application

A.  

Review automated patch deployment reports

B.  

Periodic third party vulnerability assessment

C.  

Automated vulnerability scanning

D.  

Perform vulnerability scan by security team

A.  

Radio Frequency (RF) attack

B.  

Denial of Service (DoS) attack

C.  

Data modification attack

D.  

Application-layer attack

A.  

Hierarchical inheritance

B.  

Dynamic separation of duties

C.  

The Clark-Wilson security model

D.  

The Bell-LaPadula security model

A.  

enhance the skills required to create, maintain, and execute the plan.

B.  

provide for a high level of recovery in case of disaster.

C.  

describe the recovery organization to new employees.

D.  

provide each recovery team with checklists and procedures.

A.  

cost of redundant systems and backups.

B.  

cost to recover from an outage.

C.  

overall long-term impact of the outage.

D.  

revenue lost during the outage.

A.  

Examines log messages or other indications on the system.

B.  

Monitors alarms sent to the system administrator

C.  

Matches traffic patterns to virus signature files

D.  

Examines the Access Control List (ACL)

A.  

Assess vulnerability risk and program effectiveness.

B.  

Assess vulnerability risk and business impact.

C.  

Disconnect all systems with critical vulnerabilities.

D.  

Disconnect systems with the most number of vulnerabilities.

A.  

Implement full-disk encryption

B.  

Enable multifactor authentication

C.  

Deploy file integrity checkers

D.  

Disable use of portable devices

A.  

Derived credential

B.  

Temporary security credential

C.  

Mobile device credentialing service

D.  

Digest authentication

A.  

Limit access to predefined queries

B.  

Segregate the database into a small number of partitions each with a separate security level

C.  

Implement Role Based Access Control (RBAC)

D.  

Reduce the number of people who have access to the system for statistical purposes

A.  

Trusted third-party certification

B.  

Lightweight Directory Access Protocol (LDAP)

C.  

Security Assertion Markup language (SAML)

D.  

Cross-certification

A.  

Audit logs

B.  

Role-Based Access Control (RBAC)

C.  

Two-factor authentication

D.  

Application of least privilege

A.  

Only when assets are clearly defined

B.  

Only when standards are defined

C.  

Only when controls are put in place

D.  

Only procedures are defined

A.  

Install mantraps at the building entrances

B.  

Enclose the personnel entry area with polycarbonate plastic

C.  

Supply a duress alarm for personnel exposed to the public

D.  

Hire a guard to protect the public area

A.  

Application

B.  

Storage

C.  

Power

D.  

Network

A.  

Development, testing, and deployment

B.  

Prevention, detection, and remediation

C.  

People, technology, and operations

D.  

Certification, accreditation, and monitoring

A.  

determine the risk of a business interruption occurring

B.  

determine the technological dependence of the business processes

C.  

Identify the operational impacts of a business interruption

D.  

Identify the financial impacts of a business interruption

A.  

Owner’s ability to realize financial gain

B.  

Owner’s ability to maintain copyright

C.  

Right of the owner to enjoy their creation

D.  

Right of the owner to control delivery method

A.  

Network redundancies are not implemented

B.  

Security awareness training is not completed

C.  

Backup tapes are generated unencrypted

D.  

Users have administrative privileges

A.  

Ensure the fire prevention and detection systems are sufficient to protect personnel

B.  

Review the architectural plans to determine how many emergency exits are present

C.  

Conduct a gap analysis of a new facilities against existing security requirements

D.  

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

A.  

Examine the device for physical tampering

B.  

Implement more stringent baseline configurations

C.  

Purge or re-image the hard disk drive

D.  

Change access codes

A.  

Remote Desktop Protocol (RDP)

B.  

Federated identity management (FIM)

C.  

Single sign-on (SSO)

D.  

Multi-factor authentication (MFA)

A.  

Data Loss Protection (DIP), firewalls, data classification

B.  

Least privilege access, Data Loss Protection (DLP), physical access controls

C.  

Staff vetting, least privilege access, Data Loss Protection (DLP)

D.  

Background checks, data encryption, web proxies

A.  

SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization’s controls

B.  

SOC 2 Type 2 reports include information of interest to the service organization’s management

C.  

SOC 2 Type 2 reports assess internal controls for financial reporting

D.  

SOC 3 Type 2 reports assess internal controls for financial reporting

A.  

Development / Acquisition

B.  

Initiation

C.  

Enumeration

D.  

Operation / Maintenance

A.  

Fail-Closed

B.  

Fail-Open

C.  

Fail-Safe

D.  

Failover

A.  

Presenting distorted graphics of text for authentication

B.  

Transmitting a hash based on the user's password

C.  

Using a password history blacklist

D.  

Requiring the use of non-consecutive numeric characters

A.  

Strict-Transport-Security

B.  

X-XSS-Protection

C.  

X-Frame-Options

D.  

Content-Security-Policy

A.  

Design

B.  

Test

C.  

Development

D.  

Deployment

A.  

Insecure communications link

B.  

Data leakage

C.  

Malware infection

D.  

Data spoofing

A.  

Remote Authentication Dial-In User Service (RADIUS)

B.  

Terminal Access Controller Access Control System Plus (TACACS+)

C.  

Open Authentication (OAuth)

D.  

Security Assertion Markup Language (SAML)

A.  

Development/Acquisition

B.  

Initiation

C.  

Implementation/ Assessment

D.  

Disposal

A.  

Digital devices that can turn equipment off and continuously cycle rapidly in order to increase supplies and conceal activity on the hospital network

B.  

Standardized building controls system software with high connectivity to hospital networks

C.  

Lock out maintenance personnel from the building controls system access that can impact critical utility supplies

D.  

Digital protection and control devices capable of minimizing the adverse impact to critical utility

A.  

raise security awareness.

B.  

detect efforts to open the case.

C.  

expedite physical auditing.

D.  

make it difficult to steal internal components.

A.  

Ensuing Quality and validation trough periodic audits for ongoing data integrity

B.  

Determining the impact the information has on the mission of the organization

C.  

Maintaining fundamental data availability, including data storage and archiving

D.  

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

A.  

SOC 1 Type 1

B.  

SOC 2 Type 1

C.  

SOC 2 Type 2

D.  

SOC 3

A.  

Allow it to be opened by an alarmed emergency button.

B.  

Do not allow anyone to enter it alone.

C.  

Do not allow it to be observed by dosed-circuit television (CCTV) cameras.

D.  

Allow it be opened when the inner door of the mantrap is also open

A.  

Statically typed

B.  

Weakly typed

C.  

Strongly typed

D.  

Dynamically typed

A.  

Deduplication

B.  

Compression

C.  

Replication

D.  

Caching

A.  

SOC 1 Type 1

B.  

SOC 2 Type 2

C.  

SOC 2 Type 2

D.  

SOC 3 Type 1

A.  

Master Boot Record (MBR)

B.  

Pre-boot environment

C.  

Basic Input Output System (BIOS)

D.  

Hibernation file

A.  

Stock the source address at the firewall.

B.  

Have this service provide block the source address.

C.  

Block all inbound traffic until the flood ends.

D.  

Have the source service provider block the address

A.  

Configuration management (CM)

B.  

Information Rights Management (IRM)

C.  

Policy creation

D.  

Data classification

A.  

Diffie-Hellman algorithm

B.  

Secure Sockets Layer (SSL)

C.  

Advanced Encryption Standard (AES)

D.  

Message Digest 5 (MD5)

A.  

Code signing

B.  

Class authentication

C.  

Sandboxing

D.  

Type safety

A.  

Data owner

B.  

Data architect

C.  

Chief Information Security Officer (CISO)

D.  

Chief Information Officer (CIO)

A.  

Hashing the data before encryption

B.  

Hashing the data after encryption

C.  

Compressing the data after encryption

D.  

Compressing the data before encryption

A.  

Implementation Phase

B.  

Initialization Phase

C.  

Cancellation Phase

D.  

Issued Phase

A.  

Common Vulnerabilities and Exposures (CVE)

B.  

Common Vulnerability Scoring System (CVSS)

C.  

Asset Reporting Format (ARF)

D.  

Open Vulnerability and Assessment Language (OVAL)

A.  

Confidentiality

B.  

Integrity

C.  

Identification

D.  

Availability

A.  

After the system preliminary design has been developed and the data security categorization has been performed

B.  

After the vulnerability analysis has been performed and before the system detailed design begins

C.  

After the system preliminary design has been developed and before the data security categorization begins

D.  

After the business functional analysis and the data security categorization have been performed

A.  

Lack of software documentation

B.  

License agreements requiring release of modified code

C.  

Expiration of the license agreement

D.  

Costs associated with support of the software

A.  

System acquisition and development

B.  

System operations and maintenance

C.  

System initiation

D.  

System implementation

A.  

Debug the security issues

B.  

Migrate to newer, supported applications where possible

C.  

Conduct a security assessment

D.  

Protect the legacy application with a web application firewall

A.  

Least privilege

B.  

Privilege escalation

C.  

Defense in depth

D.  

Privilege bracketing

A.  

Check arguments in function calls

B.  

Test for the security patch level of the environment

C.  

Include logging functions

D.  

Digitally sign each application module

A.  

Purchase software from a limited list of retailers

B.  

Verify the hash key or certificate key of all updates

C.  

Do not permit programs, patches, or updates from the Internet

D.  

Test all new software in a segregated environment

A.  

Take the computer to a forensic lab

B.  

Make a copy of the hard drive

C.  

Start documenting

D.  

Turn off the computer

A.  

Continuously without exception for all security controls

B.  

Before and after each change of the control

C.  

At a rate concurrent with the volatility of the security control

D.  

Only during system implementation and decommissioning

A.  

Hardware and software compatibility issues

B.  

Applications’ critically and downtime tolerance

C.  

Budget constraints and requirements

D.  

Cost/benefit analysis and business objectives

A.  

Certify and approve releases to the environment

B.  

Provide version rollbacks for system changes

C.  

Ensure that all applications are approved

D.  

Ensure accountability for changes to the environment

A.  

Determine the cause of the incident

B.  

Disconnect the system involved from the network

C.  

Isolate and contain the system involved

D.  

Investigate all symptoms to confirm the incident

A.  

Warm site

B.  

Hot site

C.  

Mirror site

D.  

Cold site

A.  

Guaranteed recovery of all business functions

B.  

Minimization of the need decision making during a crisis

C.  

Insurance against litigation following a disaster

D.  

Protection from loss of organization resources

A.  

When it has been validated by the Business Continuity (BC) manager

B.  

When it has been validated by the board of directors

C.  

When it has been validated by all threat scenarios

D.  

When it has been validated by realistic exercises

A.  

Walkthrough

B.  

Simulation

C.  

Parallel

D.  

White box

A.  

Collecting security events and correlating them to identify anomalies

B.  

Facilitating system-wide visibility into the activities of critical user accounts

C.  

Encompassing people, process, and technology

D.  

Logging both scheduled and unscheduled system changes

A.  

Consolidation of multiple providers

B.  

Directory synchronization

C.  

Web based logon

D.  

Automated account management

A.  

Absence of a Business Intelligence (BI) solution

B.  

Inadequate cost modeling

C.  

Improper deployment of the Service-Oriented Architecture (SOA)

D.  

Insufficient Service Level Agreement (SLA)

A.  

Disable all unnecessary services

B.  

Ensure chain of custody

C.  

Prepare another backup of the system

D.  

Isolate the system from the network

A.  

Ensuring quality and validation through periodic audits for ongoing data integrity

B.  

Maintaining fundamental data availability, including data storage and archiving

C.  

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

D.  

Determining the impact the information has on the mission of the organization

A.  

Platform as a Service (PaaS)

B.  

Identity as a Service (IDaaS)

C.  

Desktop as a Service (DaaS)

D.  

Software as a Service (SaaS)

A.  

Assigned security label

B.  

Multilevel Security (MLS) architecture

C.  

Minimum query size

D.  

Passage of time

A.  

Identify the contractual security obligations that apply to the organizations

B.  

Understand the value of the information assets

C.  

Identify the level of residual risk that is tolerable to management

D.  

Identify relevant legislative and regulatory compliance requirements

A.  

Personal Identity Verification (PIV)

B.  

Cardholder Unique Identifier (CHUID) authentication

C.  

Physical Access Control System (PACS) repeated attempt detection

D.  

Asymmetric Card Authentication Key (CAK) challenge-response

A.  

The department should report to the business owner

B.  

Ownership of the asset should be periodically reviewed

C.  

Individual accountability should be ensured

D.  

All members should be trained on their responsibilities

A.  

The process will require too many resources

B.  

It will be difficult to apply to both hardware and software

C.  

It will be difficult to assign ownership to the data

D.  

The process will be perceived as having value

A.  

system security managers

B.  

business managers

C.  

Information Technology (IT) managers

D.  

end users

A.  

Transport layer

B.  

Application layer

C.  

Network layer

D.  

Session layer

A.  

Packet filtering

B.  

Port services filtering

C.  

Content filtering

D.  

Application access control

A.  

Intrusion Prevention Systems (IPS)

B.  

Intrusion Detection Systems (IDS)

C.  

Stateful firewalls

D.  

Network Behavior Analysis (NBA) tools

A.  

Implement packet filtering on the network firewalls

B.  

Install Host Based Intrusion Detection Systems (HIDS)

C.  

Require strong authentication for administrators

D.  

Implement logical network segmentation at the switches

A.  

WEP uses a small range Initialization Vector (IV)

B.  

WEP uses Message Digest 5 (MD5)

C.  

WEP uses Diffie-Hellman

D.  

WEP does not use any Initialization Vector (IV)

A.  

To send excessive amounts of data to a process, making it unpredictable

B.  

To intercept network traffic without authorization

C.  

To disguise the destination address from a target’s IP filtering devices

D.  

To convince a system that it is communicating with a known entity

A.  

Link layer

B.  

Physical layer

C.  

Session layer

D.  

Application layer

A.  

Add a new rule to the application layer firewall

B.  

Block access to the service

C.  

Install an Intrusion Detection System (IDS)

D.  

Patch the application source code

A.  

Layer 2 Tunneling Protocol (L2TP)

B.  

Link Control Protocol (LCP)

C.  

Challenge Handshake Authentication Protocol (CHAP)

D.  

Packet Transfer Protocol (PTP)

A.  

Change management processes

B.  

User administration procedures

C.  

Operating System (OS) baselines

D.  

System backup documentation

A.  

Quarterly access reviews

B.  

Security continuous monitoring

C.  

Business continuity testing

D.  

Annual security training

A.  

Encryption of audit logs

B.  

No archiving of audit logs

C.  

Hashing of audit logs

D.  

Remote access audit logs

A.  

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

B.  

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

C.  

Management teams will understand the testing objectives and reputational risk to the organization

D.  

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

A.  

Host VM monitor audit logs

B.  

Guest OS access controls

C.  

Host VM access controls

D.  

Guest OS audit logs