CISSP2

CISSP3

1 / 40

What is the MAIN goal of information security awareness and training?

To inform users of the latest malware threats

To inform users of information assurance responsibilities

To comply with the organization information security policy

To prepare students for certification

2 / 40

A security compliance manager of a large enterprise wants to reduce the time it takes to perform network, system, and application security compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?

Configuration Management Database (CMDB)

Source code repository

Configuration Management Plan (CMP)

System performance monitoring application

3 / 40

From a security perspective, which of the following assumptions MUST be made about input to an application?

It is tested

It is logged

It is verified

It is untrusted

4 / 40

Unused space in a disk cluster is important in media analysis because it may contain which of the following?

Residual data that has not been overwritten

Hidden viruses and Trojan horses

Information about the File Allocation table (FAT)

Information about patches and upgrades to the system

5 / 40

Which security modes is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?

Biba

Graham-Denning

Clark-Wilson

Beil-LaPadula

6 / 40

Which of the following alarm systems is recommended to detect intrusions through windows in a high- noise, occupied environment?

Acoustic sensor

Motion sensor

Shock sensor

Photoelectric sensor

7 / 40

What is the foundation of cryptographic functions?

Encryption

Cipher

Hash

Entropy

8 / 40

Which of the following is the MOST important security goal when performing application interface testing?

Confirm that all platforms are supported and function properly

Evaluate whether systems or components pass data and control correctly to one another

Verify compatibility of software, hardware, and network connections

Examine error conditions related to external interfaces to prevent application details leakage

9 / 40

Which of the following is the MOST challenging issue in apprehending cyber criminals?

They often use sophisticated method to commit a crime.

It is often hard to collect and maintain integrity of digital evidence.

The crime is often committed from a different jurisdiction.

There is often no physical evidence involved.

10 / 40

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?

To ensure Information Technology (IT) staff knows and performs roles assigned to each of them

To validate backup sites’ effectiveness

To find out what does not work and fix it

To create a high level DRP awareness among Information Technology (IT) staff

11 / 40

An organization’s security policy delegates to the data owner the ability to assign which user roles have access to a particular resource. What type of authorization mechanism is being used?

Discretionary Access Control (DAC)

Role Based Access Control (RBAC)

Media Access Control (MAC)

Mandatory Access Control (MAC)

12 / 40

The use of private and public encryption keys is fondamental in the implementation of which of the following?

Diffie-Hellman algorithm

Message Digest 5 (ND5)

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

13 / 40

Which of the following combinations would MOST negatively affect availability?

Denial of Service (DoS) attacks and outdated hardware

Unauthorized transactions and outdated hardware

Fire and accidental changes to data

Unauthorized transactions and denial of service attacks

14 / 40

Which of the following is the MOST appropriate action when reusing media that contains sensitive data?

Erase

Sanitize

Encrypt

Degauss

15 / 40

Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?

identity provisioning

access recovery

multi-factor authentication (MFA)

user access review

16 / 40

Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals?

Senior management

Information security department

Audit committee

All users

17 / 40

Which of the following management process allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

Configuration

Identity

Compliance

Patch

18 / 40

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?

Password requirements are simplified.

Risk associated with orphan accounts is reduced.

Segregation of duties is automatically enforced.

Data confidentiality is increased.

19 / 40

In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of

systems integration.

risk management.

quality assurance.

change management.

20 / 40

Which of the following is needed to securely distribute symmetric cryptographic keys?

Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates

Officially approved and compliant key management technology and processes

An organizationally approved communication protection policy and key management plan

Hardware tokens that protect the user’s private key.

21 / 40

Which of the following is a characteristic of the initialization vector when using Data Encryption Standard (DES)?

It must be known to both sender and receiver.

It can be transmitted in the clear as a random number.

It must be retained until the last block is transmitted.

It can be used to encrypt and decrypt information.

22 / 40

In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN purpose of the DMZ?

Reduced risk to internal systems.

Prepare the server for potential attacks.

Mitigate the risk associated with the exposed server.

Bypass the need for a firewall.

23 / 40

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

Use an impact-based approach.

Use a risk-based approach.

Use a criticality-based approach.

Use a threat-based approach.

24 / 40

The goal of a Business Impact Analysis (BIA) is to determine which of the following?

Cost effectiveness of business recovery

Cost effectiveness of installing software security patches

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

Which security measures should be implemented

25 / 40

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

organization policy.

industry best practices.

industry laws and regulations.

management feedback.

26 / 40

Which of the following BEST describes a chosen plaintext attack?

The cryptanalyst can generate ciphertext from arbitrary text.

The cryptanalyst examines the communication being sent back and forth.

The cryptanalyst can choose the key and algorithm to mount the attack.

The cryptanalyst is presented with the ciphertext from which the original message is determined.

27 / 40

Which of the following information MUST be provided for user account provisioning?

Full name

Unique identifier

Security question

Date of birth

28 / 40

A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the BEST course of action?

Ignore the request and do not perform the change.

Perform the change as requested, and rely on the next audit to detect and report the situation.

Perform the change, but create a change ticket regardless to ensure there is complete traceability.

Inform the audit committee or internal audit directly using the corporate whistleblower process.

29 / 40

What operations role is responsible for protecting the enterprise from corrupt or contaminated media?

Information security practitioner

Information librarian

Computer operator

Network administrator

30 / 40

What is the BEST way to encrypt web application communications?

Secure Hash Algorithm 1 (SHA-1)

Secure Sockets Layer (SSL)

Cipher Block Chaining Message Authentication Code (CBC-MAC)

Transport Layer Security (TLS)

31 / 40

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following the controls categories does this company need to improve when analyzing its processes individually?

Asset Management, Business Environment, Governance and Risk Assessment

Access Control, Awareness and Training, Data Security and Maintenance

Anomalies and Events, Security Continuous Monitoring and Detection Processes

Recovery Planning, Improvements and Communications

32 / 40

Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization network?

Provide vulnerability reports to management.

Validate vulnerability remediation activities.

Prevent attackers from discovering vulnerabilities.

Remediate known vulnerabilities.

33 / 40

At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?

Transport Layer

Data-Link Layer

Network Layer

Application Layer

34 / 40

Which of the following is the MAIN reason for using configuration management?

To provide centralized administration

To reduce the number of changes

To reduce errors during upgrades

To provide consistency in security controls

35 / 40

Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who seized the item, and a detailed description of the item?

Property book

Chain of custody form

Search warrant return

Evidence tag

36 / 40

A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized?

Confidentiality

Integrity

Availability

Accessibility

37 / 40

What balance MUST be considered when web application developers determine how informative application error messages should be constructed?

Risk versus benefit

Availability versus auditability

Confidentiality versus integrity

Performance versus user satisfaction

38 / 40

Which of the following would BEST describe the role directly responsible for data within an organization?

Data custodian

Information owner

Database administrator

Quality control

39 / 40

In configuration management, what baseline configuration information MUST be maintained for each computer system?

Operating system and version, patch level, applications running, and versions.

List of system changes, test reports, and change approvals

Last vulnerability assessment report and initial risk assessment report

Date of last update, test report, and accreditation certificate

40 / 40

Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?

VPN bandwidth

Simultaneous connection to other networks

Users with Internet Protocol (IP) addressing conflicts

Remote users with administrative rights

Your score is

0%

Leave a Reply Cancel reply