CISSP4

CISSP4

1 / 40

An online retail company has formulated a record retention schedule for customer transactions. Which of the following is a valid reason a customer transaction is kept beyond the retention schedule?

Pending legal hold

Long term data mining needs

Customer makes request to retain

Useful for future business initiatives

2 / 40

When is security personnel involvement in the Systems Development Life Cycle (SDLC) process MOST beneficial?

Testing phase

Development phase

Requirements definition phase

Operations and maintenance phase

3 / 40

Which of the following is a critical factor for implementing a successful data classification program?

Executive sponsorship

Information security sponsorship

End-user acceptance

Internal audit acceptance

4 / 40

During an audit, the auditor finds evidence of potentially illegal activity. Which of the following is the MOST appropriate action to take?

Immediately call the police

Work with the client to resolve the issue internally

Advise the person performing the illegal activity to cease and desist

Work with the client to report the activity to the appropriate authority

5 / 40

Which of the following provides effective management assurance for a Wireless Local Area Network (WLAN)?

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

6 / 40

With data labeling, which of the following MUST be the key decision maker?

Information security

Departmental management

Data custodian

Data owner

7 / 40

Refer to the information below to answer the question.
A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.
What MUST the plan include in order to reduce client-side exploitation?

Approved web browsers

Network firewall procedures

Proxy configuration

Employee education

8 / 40

A security manager has noticed an inconsistent application of server security controls resulting in vulnerabilities on critical systems. What is the MOST likely cause of this issue?

A lack of baseline standards

Improper documentation of security guidelines

A poorly designed security policy communication program

Host-based Intrusion Prevention System (HIPS) policies are ineffective

9 / 40

Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee’s access.
Which of the following solutions would have MOST likely detected the use of peer-to-peer programs when the computer was connected to the office network?

Anti-virus software

Intrusion Prevention System (IPS)

Anti-spyware software

Integrity checking software

10 / 40

Which of the following is an example of two-factor authentication?

Retina scan and a palm print

Fingerprint and a smart card

Magnetic stripe card and an ID badge

Password and Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

11 / 40

What is the MOST important reason to configure unique user IDs?

Supporting accountability

Reducing authentication errors

Preventing password compromise

Supporting Single Sign On (SSO)

12 / 40

Refer to the information below to answer the question.
An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.
Which of the following is considered the MOST important priority for the information security officer?

Formal acceptance of the security strategy

Disciplinary actions taken against unethical behavior

Development of an awareness program for new employees

Audit of all organization system configurations for faults

13 / 40

Which of the following is the PRIMARY benefit of a formalized information classification program?

It drives audit processes.

It supports risk assessment.

It reduces asset vulnerabilities.

It minimizes system logging requirements.

14 / 40

According to best practice, which of the following is required when implementing third party software in a production environment?

Scan the application for vulnerabilities

Contract the vendor for patching

Negotiate end user application training

Escrow a copy of the software

15 / 40

Refer to the information below to answer the question.
During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.
If the intrusion causes the system processes to hang, which of the following has been affected?

System integrity

System availability

System confidentiality

System auditability

16 / 40

Which of the following is a MAJOR consideration in implementing a Voice over IP (VoIP) network?

Use of a unified messaging.

Use of separation for the voice network.

Use of Network Access Control (NAC) on switches.

Use of Request for Comments (RFC) 1918 addressing.

17 / 40

Which of the following assures that rules are followed in an identity management architecture?

Policy database

Digital signature

Policy decision point

Policy enforcement point

18 / 40

Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee’s access.
Which of the following could have MOST likely prevented the Peer-to-Peer (P2P) program from being installed on the computer?

Removing employee’s full access to the computer

Supervising their child’s use of the computer

Limiting computer’s access to only the employee

Ensuring employee understands their business conduct guidelines

19 / 40

Which of the following BEST describes a Protection Profile (PP)?

A document that expresses an implementation independent set of security requirements for an IT product that meets specific consumer needs.

A document that is used to develop an IT security product from its security requirements definition.

A document that expresses an implementation dependent set of security requirements which contains only the security functional requirements.

A document that represents evaluated products where there is a one-to-one correspondence between a PP and a Security Target (ST).

20 / 40

Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?

Discretionary Access Control (DAC) procedures

Mandatory Access Control (MAC) procedures

Data link encryption

Segregation of duties

21 / 40

While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such equipment?

They should be recycled to save energy.

They should be recycled according to NIST SP 800-88.

They should be inspected and sanitized following the organizational policy.

They should be inspected and categorized properly to sell them for reuse.

22 / 40

What is the PRIMARY difference between security policies and security procedures?

Policies are used to enforce violations, and procedures create penalties

Policies point to guidelines, and procedures are more contractual in nature

Policies are included in awareness training, and procedures give guidance

Policies are generic in nature, and procedures contain operational details

23 / 40

Which of the following standards/guidelines requires an Information Security Management System (ISMS) to be defined?

International Organization for Standardization (ISO) 27000 family

Information Technology Infrastructure Library (ITIL)

Payment Card Industry Data Security Standard (PCIDSS)

ISO/IEC 20000

24 / 40

What is the process called when impact values are assigned to the security objectives for information types?

Qualitative analysis

Quantitative analysis

Remediation

System security categorization

25 / 40

An organization has decided to contract with a cloud-based service provider to leverage their identity as a service offering. They will use Open Authentication (OAuth) 2.0 to authenticate external users to the organization’s services.
As part of the authentication process, which of the following must the end user provide?

An access token

A username and password

A username

A password

26 / 40

If compromised, which of the following would lead to the exploitation of multiple virtual machines?

Virtual device drivers

Virtual machine monitor

Virtual machine instance

Virtual machine file system

27 / 40

What is the MOST efficient way to secure a production program and its data?

Disable default accounts and implement access control lists (ACL)

Harden the application and encrypt the data

Disable unused services and implement tunneling

Harden the servers and backup the data

28 / 40

Which of the following is a recommended alternative to an integrated email encryption system?

Sign emails containing sensitive data

Send sensitive data in separate emails

Encrypt sensitive data separately in attachments

Store sensitive information to be sent in encrypted drives

29 / 40

Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?

poor governance over security processes and procedures

immature security controls and procedures

variances against regulatory requirements

unanticipated increases in security incidents and threats

30 / 40

If an identification process using a biometric system detects a 100% match between a presented template and a stored template, what is the interpretation of this result?

User error

Suspected tampering

Accurate identification

Unsuccessful identification

31 / 40

Retaining system logs for six months or longer can be valuable for what activities?

Disaster recovery and business continuity

Forensics and incident response

Identity and authorization management

Physical and logical access control

32 / 40

Which of the following BEST describes a rogue Access Point (AP)?

An AP that is not protected by a firewall

An AP not configured to use Wired Equivalent Privacy (WEP) with Triple Data Encryption Algorithm (3DES)

An AP connected to the wired infrastructure but not under the management of authorized network administrators

An AP infected by any kind of Trojan or Malware

33 / 40

Which of the following is the MOST effective method of mitigating data theft from an active user workstation?

Implement full-disk encryption

Enable multifactor authentication

Deploy file integrity checkers

Disable use of portable devices

34 / 40

Which of the following is the BEST method to assess the effectiveness of an organization’s vulnerability management program?

Review automated patch deployment reports

Periodic third party vulnerability assessment

Automated vulnerability scanning

Perform vulnerability scan by security team

35 / 40

Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)?

Hierarchical inheritance

Dynamic separation of duties

The Clark-Wilson security model

The Bell-LaPadula security model

36 / 40

Which of the following explains why record destruction requirements are included in a data retention policy?

To comply with legal and business requirements

To save cost for storage and backup

To meet destruction guidelines

To validate data ownership

37 / 40

Which of the following is the MOST likely cause of a non-malicious data breach when the source of the data breach was an un-marked file cabinet containing sensitive documents?

Ineffective data classification

Lack of data access controls

Ineffective identity management controls

Lack of Data Loss Prevention (DLP) tools

38 / 40

An organization lacks a data retention policy. Of the following, who is the BEST person to consult for such requirement?

Application Manager

Database Administrator

Privacy Officer

Finance Manager

39 / 40

What should happen when an emergency change to a system must be performed?

The change must be given priority at the next meeting of the change control board.

Testing and approvals must be performed quickly.

The change must be performed immediately and then submitted to the change board.

The change is performed and a notation is made in the system log.

40 / 40

Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach?

A strong breach notification process

Limited collection of individuals’ confidential data

End-to-end data encryption for data in transit

Continuous monitoring of potential vulnerabilities

Your score is

0%

Leave a Reply Cancel reply