CISSP6

CISSP6

1 / 40

Security categorization of a new system takes place during which phase of the Systems Development Life Cycle (SDLC)?

System implementation

System initiation

System operations and maintenance

System acquisition and development

2 / 40

Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle?

Time-based

Enrollment

Least privilege

Access review

3 / 40

When conveying the results of a security assessment, which of the following is the PRIMARY audience?

Information System Security Officer (ISSO)

Authorizing Official (AO)

Information System Security Manager (ISSM)

Security Control Assessor (SCA)

4 / 40

What is the FIRST action a security professional needs to take while assessing an organization’s asset security in order to properly classify and protect access to data?

Verify the various data classification models implemented for different environments.

Determine the level of access for the data and systems.

Verify if confidential data is protected with cryptography.

Determine how data is accessed in the organization.

5 / 40

Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls?

The risk culture of the organization

The impact of the control

The nature of the risk

The cost of the control

6 / 40

A security engineer is tasked with implementing a new identity solution. The client doesn’t want to install or
maintain the infrastructure. Which of the following would qualify as the BEST solution?

Microsoft Identity Manager (MIM)

Azure Active Directory (AD)

Active Directory Federation Services (ADFS)

Active Directory (AD)

7 / 40

What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization’s systems?

SOC 1 Type 1

SOC 1 Type 2

SOC 2

SOC 3

8 / 40

Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process?

Lowers the amount of access requests after review

Gives more control into the revocation phase

Gives more fine-grained access analysis to accesses

Lowers the number of items to be reviewed

9 / 40

The process of “salting” a password is designed to increase the difficulty of cracking which of the following?

Specific password

Password hash function

Password algorithm

Maximum password length

10 / 40

A group of organizations follows the same access standards and practices. One manages the verification and due diligence processes for the others. For a user to access a resource from one of the organizations, a check is made to see if that user has been certified. Which Federated Identity Management (FIM) process is this an example of?

One-time authentication

Web based access management

Cross-certification model

Bridge model

11 / 40

A security team member was selected as a member of a Change Control Board (CCB) for an organization. Which of the following is one of their responsibilities?

Approving or disapproving the change

Determining the impact of the change

Carrying out the requested change

Logging the change

12 / 40

A security practitioner has just been assigned to address an ongoing Denial of Service (DoS) attack against the company’s network, which includes an e-commerce web site. The strategy has to include defenses for any size of attack without rendering the company network unusable. Which of the following should be a PRIMARY concern when addressing this issue?

Deal with end user education and training.

Pay more for a dedicated path to the Internet.

Allow legitimate connections while blocking malicious connections.

Ensure the web sites are properly backed up on a daily basis.

13 / 40

What is the MAIN reason for having a developer sign a Non-Disclosure Agreement (NDA)?

Signing the NDA always gives consent to the developer to access tools and privileged company information to do their work.

Signing the NDA allows the developer to use their developed coding methods.

Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others.

Signing the NDA is legally binding for up to one year of employment.

14 / 40

What is the MOST efficient way to verify the integrity of database backups?

Test restores on a regular basis.

Restore every file in the system to check its health.

Use checksum as part of the backup operation to make sure that no corruption has occurred.

Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database objects.

15 / 40

When should the software Quality Assurance (QA) team feel confident that testing is complete?

When release criteria are met

When the time allocated for testing the software is met

When senior management approves the test results

When the software has zero security vulnerabilities

16 / 40

What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)?

Establish lines of responsibility.

Minimize the risk of failure.

Accelerate the recovery process.

Eliminate unnecessary decision making.

17 / 40

Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?

Data at rest protection

Transport Layer Security (TLS)

Role Based Access Control (RBAC)

One-way encryption

18 / 40

An employee receives a promotion that entities them to access higher-level functions on the company’s accounting system, as well as keeping their access to the previous system that is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege?

Access provisioning

Segregation of Duties (SoD)

Access certification

Access aggregation

19 / 40

A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own
encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

No, because the encryption solution is internal to the cloud provider.

Yes, because the cloud provider meets all regulations requirements.

Yes, because the cloud provider is GDPR compliant.

No, because the cloud provider is not certified to host government data.

20 / 40

What is the best way for mutual authentication of devices belonging to the same organization?

Token

Certificates

User ID and passwords

Biometric

21 / 40

Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the following?

Personal belongings of organizational staff members

Supplies kept off-site at a remote facility

Cloud-based applications

Disaster Recovery (DR) line-item revenues

22 / 40

Which of the following Service Organization Control (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?

SOC 1 Type 1

SOC 1 Type 2

SOC 2 Type 1

SOC 2 Type 2

23 / 40

Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities?

Definitions for each exposure type

Vulnerability attack vectors

Asset values for networks

Exploit code metrics

24 / 40

Which of the following processes has the PRIMARY purpose of identifying outdated software versions, missing patches, and lapsed system updates?

Penetration testing

Vulnerability management

Software Development Life Cycle (SDLC)

Life cycle management

25 / 40

Which of the following would an internal technical security audit BEST validate?

Whether managerial controls are in place

Support for security programs by executive management

Appropriate third-party system hardening

Implementation of changes to a system

26 / 40

Which of the following BEST describes how access to a system is granted to federated user accounts?

With the federation assurance level

Based on defined criteria by the Relying Party (RP)

Based on defined criteria by the Identity Provider (IdP)

With the identity assurance level

27 / 40

Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process?

Build and test

Implement security controls

Categorize Information System (IS)

Select security controls

28 / 40

A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

Select and procure supporting technologies.

Determine a budget and cost analysis for the program.

Measure effectiveness of the program’s stated goals.

Educate and train key stakeholders.

29 / 40

What principle requires that changes to the plaintext affect many parts of the ciphertext?

Encapsulation

Permutation

Diffusion

Obfuscation

30 / 40

A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach?

Reduce application development costs.

Potential threats are addressed later in the Software Development Life Cycle (SDLC).

Improve user acceptance of implemented security controls.

Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).

31 / 40

An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application?

Reasonable data testing

Input validation testing

Web session testing

Allowed data bounds and limits testing

32 / 40

For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?

Network architecture

Integrity

Identity Management (IdM)

Confidentiality management

33 / 40

Which of the following needs to be taken into account when assessing vulnerability?

Risk identification and validation

Threat mapping

Risk acceptance criteria

Safeguard selection

34 / 40

Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject within different execution domains?

Process isolation

Data hiding and abstraction

Use of discrete layering and Application Programming Interfaces (API)

Virtual Private Network (VPN)

35 / 40

Which of the following open source software issues pose the MOST risk to an application?

The software is beyond end of life and the vendor is out of business.

The software is not used or popular in the development community.

The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated.

The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.

36 / 40

Which of the following is the final phase of the identity and access provisioning lifecycle?

Recertification

Revocation

Removal

Validation

37 / 40

Which of the following is a process in the access provisioning lifecycle that will MOST likely identify access aggregation issues?

Test

Assessment

Review

Peer review

38 / 40

Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services?

The acquiring organization

The service provider

The risk executive (function)

The IT manager

39 / 40

A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the MOST likely reason for doing so?

It verifies the integrity of the file.

It checks the file for malware.

It ensures the entire file downloaded.

It encrypts the entire file.

40 / 40

What is the MOST common component of a vulnerability management framework?

Risk analysis

Patch management

Threat analysis

Backup management

Your score is

0%

Leave a Reply Cancel reply