CISSP2

CISSP3

1 / 40

What MUST each information owner do when a system contains data from multiple information owners?

Provide input to the Information System (IS) owner regarding the security requirements of the data

Review the Security Assessment report (SAR) for the Information System (IS) and authorize the IS to operate.

Develop and maintain the System Security Plan (SSP) for the Information System (IS) containing the data

Move the data to an Information System (IS) that does not contain data owned by other information owners

2 / 40

The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the
end of which phase?

System acquisition and development

System operations and maintenance

System initiation

System implementation

3 / 40

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

Use a web scanner to scan for vulnerabilities within the website.

Perform a code review to ensure that the database references are properly addressed.

Establish a secure connection to the web server to validate that only the approved ports are open.

Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

4 / 40

What is the BEST location in a network to place Virtual Private Network (VPN) devices when an internal review reveals network design flaws in remote access?

In a dedicated Demilitarized Zone (DMZ)

In its own separate Virtual Local Area Network (VLAN)

At the Internet Service Provider (ISP)

Outside the external firewall

5 / 40

A vulnerability assessment report has been submitted to a client. The client indicates that one third of the hosts that were in scope are missing from the report.
In which phase of the assessment was this error MOST likely made?

Enumeration

Reporting

Detection

Discovery

6 / 40

An organization plan on purchasing a custom software product developed by a small vendor to support its business model.
Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency?

A source code escrow clause

Right to request an independent review of the software source code

Due diligence form requesting statements of compliance with security requirements

Access to the technical documentation

7 / 40

In a High Availability (HA) environment, what is the PRIMARY goal of working with a virtual router address as the gateway to a network?

The second of two routers can periodically check in to make sure that the first router is operational.

The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is present.

The first of two routers fails and is reinstalled, while the second handles the traffic flawlessly.

The first of two routers can better handle specific traffic, while the second handles the rest of the traffic seamlessly.

8 / 40

An organization recently conducted a review of the security of its network applications. One of the vulnerabilities found was that the session key used in encrypting sensitive information to a third party server had been hard-coded in the client and server applications.
Which of the following would be MOST effective in mitigating this vulnerability?

Diffle-Hellman (DH) algorithm

Elliptic Curve Cryptography (ECC) algorithm

Digital Signature algorithm (DSA)

Rivest-Shamir-Adleman (RSA) algorithm

9 / 40

What does electronic vaulting accomplish?

It protects critical files.

It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems

It stripes all database records

It automates the Disaster Recovery Process (DRP)

10 / 40

Which of the following is the MOST important security goal when performing application interface testing?

Confirm that all platforms are supported and function properly

Evaluate whether systems or components pass data and control correctly to one another

Verify compatibility of software, hardware, and network connections

Examine error conditions related to external interfaces to prevent application details leakage

11 / 40

Which of the following is a responsibility of the information owner?

Ensure that users and personnel complete the required security training to access the Information System (IS)

Defining proper access to the Information System (IS), including privileges or access rights

Managing identification, implementation, and assessment of common security controls

Ensuring the Information System (IS) is operated according to agreed upon security requirements

12 / 40

A company receives an email threat informing of an Imminent Distributed Denial of Service (DDoS) attack targeting its web application, unless ransom is paid. Which of the following techniques BEST addresses that threat?

Deploying load balancers to distribute inbound traffic across multiple data centers

Set Up Web Application Firewalls (WAFs) to filter out malicious traffic

Implementing reverse web-proxies to validate each new inbound connection

Coordinate with and utilize capabilities within Internet Service Provider (ISP)

13 / 40

Which of the following is the MOST important part of an awareness and training plan to prepare employees for emergency situations?

Having emergency contacts established for the general employee population to get information

Conducting business continuity and disaster recovery training for those who have a direct role in the recovery

Designing business continuity and disaster recovery training programs for different audiences

Publishing a corporate business continuity and disaster recovery plan on the corporate website

14 / 40

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?

To ensure Information Technology (IT) staff knows and performs roles assigned to each of them

To validate backup sites’ effectiveness

To find out what does not work and fix it

To create a high level DRP awareness among Information Technology (IT) staff

15 / 40

Which of the following is the BEST Identity-as-a-Service (IDaaS) solution for validating users?

Single Sign-On (SSO)

Security Assertion Markup Language (SAML)

Lightweight Directory Access Protocol (LDAP)

Open Authentication (OAuth)

16 / 40

Which of the following is the MOST effective method to mitigate Cross-Site Scripting (XSS) attacks?

Use Software as a Service (SaaS)

Whitelist input validation

Require client certificates

Validate data output

17 / 40

An Information Technology (IT) professional attends a cybersecurity seminar on current incident response methodologies.
What code of ethics canon is being observed?

Provide diligent and competent service to principals

Protect society, the commonwealth, and the infrastructure

Advance and protect the profession

Act honorable, honesty, justly, responsibly, and legally

18 / 40

Mandatory Access Controls (MAC) are based on:

security classification and security clearance

data segmentation and data classification

data labels and user access permissions

user roles and data encryption

19 / 40

What is the MAIN purpose of a change management policy?

To assure management that changes to the Information Technology (IT) infrastructure are necessary

To identify the changes that may be made to the Information Technology (IT) infrastructure

To verify that changes to the Information Technology (IT) infrastructure are approved

To determine the necessary for implementing modifications to the Information Technology (IT) infrastructure

20 / 40

Which of the following is a characteristic of an internal audit?

An internal audit is typically shorter in duration than an external audit.

The internal audit schedule is published to the organization well in advance.

The internal auditor reports to the Information Technology (IT) department

Management is responsible for reading and acting upon the internal audit results

21 / 40

What Is the GREATEST challenge of an agent-based patch management solution?

Time to gather vulnerability information about the computers in the program

The significant amount of network bandwidth while scanning computers

The consistency of distributing patches to each participating computer

Requires that software be installed, running, and managed on all participating computers

22 / 40

The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?

Application authentication

Input validation

Digital signing

Device encryption

23 / 40

Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device?

Transport and Session

Data-Link and Transport

Network and Session

Physical and Data-Link

24 / 40

As a best practice, the Security Assessment Report (SAR) should include which of the following sections?

Data classification policy

Software and hardware inventory

Remediation recommendations

Names of participants

25 / 40

In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN purpose of the DMZ?

Reduced risk to internal systems.

Prepare the server for potential attacks.

Mitigate the risk associated with the exposed server.

Bypass the need for a firewall.

26 / 40

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

To force the software to fail and document the process

To find areas of compromise in confidentiality and integrity

To allow for objective pass or fail decisions

To identify malware or hidden code within the test results

27 / 40

The goal of a Business Impact Analysis (BIA) is to determine which of the following?

Cost effectiveness of business recovery

Cost effectiveness of installing software security patches

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

Which security measures should be implemented

28 / 40

What is the difference between media marking and media labeling?

Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.

Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.

Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.

Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.

29 / 40

Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?

Reversal

Gray box

Blind

White box

30 / 40

From a cryptographic perspective, the service of non-repudiation includes which of the following features?

Validity of digital certificates

Validity of the authorization rules

Proof of authenticity of the message

Proof of integrity of the message

31 / 40

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

organization policy.

industry best practices.

industry laws and regulations.

management feedback.

32 / 40

A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the BEST course of action?

Ignore the request and do not perform the change.

Perform the change as requested, and rely on the next audit to detect and report the situation.

Perform the change, but create a change ticket regardless to ensure there is complete traceability.

Inform the audit committee or internal audit directly using the corporate whistleblower process.

33 / 40

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?

Revoke access temporarily.

Block user access and delete user account after six months.

Block access to the offices immediately.

Monitor account usage temporarily.

34 / 40

The PRIMARY purpose of accreditation is to:

comply with applicable laws and regulations.

allow senior management to make an informed decision regarding whether to accept the risk of operating the system.

protect an organization’s sensitive datA.

verify that all security controls have been implemented properly and are operating in the correct manner.

35 / 40

What is the BEST way to encrypt web application communications?

Secure Hash Algorithm 1 (SHA-1)

Secure Sockets Layer (SSL)

Cipher Block Chaining Message Authentication Code (CBC-MAC)

Transport Layer Security (TLS)

36 / 40

At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?

Transport Layer

Data-Link Layer

Network Layer

Application Layer

37 / 40

Which of the following is the MAIN reason for using configuration management?

To provide centralized administration

To reduce the number of changes

To reduce errors during upgrades

To provide consistency in security controls

38 / 40

What is an advantage of Elliptic Curve Cryptography (ECC)?

Cryptographic approach that does not require a fixed-length key

Military-strength security that does not depend upon secrecy of the algorithm

Opportunity to use shorter keys for the same level of security

Ability to use much longer keys for greater security

39 / 40

What does the Maximum Tolerable Downtime (MTD) determine?

The estimated period of time a business critical database can remain down before customers are affected.

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

The estimated period of time a business can remain interrupted beyond which it risks never recovering

The fixed length of time in a DR process before redundant systems are engaged

40 / 40

Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?

VPN bandwidth

Simultaneous connection to other networks

Users with Internet Protocol (IP) addressing conflicts

Remote users with administrative rights

Your score is

0%

Leave a Reply Cancel reply