New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CISSP Certified Information Systems Security Professional (CISSP) Questions and Answers

Questions 4

What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)?

Options:

A.

SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).

B.

SSL and TLS provide nonrepudiation by default.

C.

SSL and TLS do not provide security for most routed protocols.

D.

SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).

Buy Now
Questions 5

Which of the following is the PRIMARY concern when using an Internet browser to access a cloud-based service?

Options:

A.

Insecure implementation of Application Programming Interfaces (API)

B.

Improper use and storage of management keys

C.

Misconfiguration of infrastructure allowing for unauthorized access

D.

Vulnerabilities within protocols that can expose confidential data

Buy Now
Questions 6

The application of which of the following standards would BEST reduce the potential for data breaches?

Options:

A.

ISO 9000

B.

ISO 20121

C.

ISO 26000

D.

ISO 27001

Buy Now
Questions 7

While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such equipment?

Options:

A.

They should be recycled to save energy.

B.

They should be recycled according to NIST SP 800-88.

C.

They should be inspected and sanitized following the organizational policy.

D.

They should be inspected and categorized properly to sell them for reuse.

Buy Now
Questions 8

What balance MUST be considered when web application developers determine how informative application error messages should be constructed?

Options:

A.

Risk versus benefit

B.

Availability versus auditability

C.

Confidentiality versus integrity

D.

Performance versus user satisfaction

Buy Now
Questions 9

Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive controls or detected by monitoring?

Options:

A.

Logging and audit trail controls to enable forensic analysis

B.

Security incident response lessons learned procedures

C.

Security event alert triage done by analysts using a Security Information and Event Management (SIEM) system

D.

Transactional controls focused on fraud prevention

Buy Now
Questions 10

What is an advantage of Elliptic Curve Cryptography (ECC)?

Options:

A.

Cryptographic approach that does not require a fixed-length key

B.

Military-strength security that does not depend upon secrecy of the algorithm

C.

Opportunity to use shorter keys for the same level of security

D.

Ability to use much longer keys for greater security

Buy Now
Questions 11

Which of the following would BEST describe the role directly responsible for data within an organization?

Options:

A.

Data custodian

B.

Information owner

C.

Database administrator

D.

Quality control

Buy Now
Questions 12

A Simple Power Analysis (SPA) attack against a device directly observes which of the following?

Options:

A.

Static discharge

B.

Consumption

C.

Generation

D.

Magnetism

Buy Now
Questions 13

The PRIMARY characteristic of a Distributed Denial of Service (DDoS) attack is that it

Options:

A.

exploits weak authentication to penetrate networks.

B.

can be detected with signature analysis.

C.

looks like normal network activity.

D.

is commonly confused with viruses or worms.

Buy Now
Questions 14

Which of the following is needed to securely distribute symmetric cryptographic keys?

Options:

A.

Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates

B.

Officially approved and compliant key management technology and processes

C.

An organizationally approved communication protection policy and key management plan

D.

Hardware tokens that protect the user’s private key.

Buy Now
Questions 15

After a thorough analysis, it was discovered that a perpetrator compromised a network by gaining access to the network through a Secure Socket Layer (SSL) Virtual Private Network (VPN) gateway. The perpetrator guessed a username and brute forced the password to gain access. Which of the following BEST mitigates this issue?

Options:

A.

Implement strong passwords authentication for VPN

B.

Integrate the VPN with centralized credential stores

C.

Implement an Internet Protocol Security (IPSec) client

D.

Use two-factor authentication mechanisms

Buy Now
Questions 16

Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services?

Options:

A.

Low-level formatting

B.

Secure-grade overwrite erasure

C.

Cryptographic erasure

D.

Drive degaussing

Buy Now
Questions 17

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

Options:

A.

organization policy.

B.

industry best practices.

C.

industry laws and regulations.

D.

management feedback.

Buy Now
Questions 18

What operations role is responsible for protecting the enterprise from corrupt or contaminated media?

Options:

A.

Information security practitioner

B.

Information librarian

C.

Computer operator

D.

Network administrator

Buy Now
Questions 19

What is the difference between media marking and media labeling?

Options:

A.

Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.

B.

Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.

C.

Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.

D.

Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.

Buy Now
Questions 20

Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?

Options:

A.

poor governance over security processes and procedures

B.

immature security controls and procedures

C.

variances against regulatory requirements

D.

unanticipated increases in security incidents and threats

Buy Now
Questions 21

Which of the following BEST describes a Protection Profile (PP)?

Options:

A.

A document that expresses an implementation independent set of security requirements for an IT product that meets specific consumer needs.

B.

A document that is used to develop an IT security product from its security requirements definition.

C.

A document that expresses an implementation dependent set of security requirements which contains only the security functional requirements.

D.

A document that represents evaluated products where there is a one-to-one correspondence between a PP and a Security Target (ST).

Buy Now
Questions 22

The World Trade Organization's (WTO) agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) requires authors of computer software to be given the

Options:

A.

right to refuse or permit commercial rentals.

B.

right to disguise the software's geographic origin.

C.

ability to tailor security parameters based on location.

D.

ability to confirm license authenticity of their works.

Buy Now
Questions 23

Which of the following is the BEST approach to take in order to effectively incorporate the concepts of business continuity into the organization?

Options:

A.

Ensure end users are aware of the planning activities

B.

Validate all regulatory requirements are known and fully documented

C.

Develop training and awareness programs that involve all stakeholders

D.

Ensure plans do not violate the organization's cultural objectives and goals

Buy Now
Questions 24

Which of the following questions can be answered using user and group entitlement reporting?

Options:

A.

When a particular file was last accessed by a user

B.

Change control activities for a particular group of users

C.

The number of failed login attempts for a particular user

D.

Where does a particular user have access within the network

Buy Now
Questions 25

Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?

Options:

A.

Reversal

B.

Gray box

C.

Blind

D.

White box

Buy Now
Questions 26

Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program?

Options:

A.

Review automated patch deployment reports

B.

Periodic third party vulnerability assessment

C.

Automated vulnerability scanning

D.

Perform vulnerability scan by security team

Buy Now
Questions 27

Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?

Options:

A.

Discretionary Access Control (DAC) procedures

B.

Mandatory Access Control (MAC) procedures

C.

Data link encryption

D.

Segregation of duties

Buy Now
Questions 28

Which of the following analyses is performed to protect information assets?

Options:

A.

Business impact analysis

B.

Feasibility analysis

C.

Cost benefit analysis

D.

Data analysis

Buy Now
Questions 29

The goal of a Business Impact Analysis (BIA) is to determine which of the following?

Options:

A.

Cost effectiveness of business recovery

B.

Cost effectiveness of installing software security patches

C.

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

D.

Which security measures should be implemented

Buy Now
Questions 30

What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?

Options:

A.

Radio Frequency (RF) attack

B.

Denial of Service (DoS) attack

C.

Data modification attack

D.

Application-layer attack

Buy Now
Questions 31

The BEST example of the concept of "something that a user has" when providing an authorized user access to a computing system is

Options:

A.

the user's hand geometry.

B.

a credential stored in a token.

C.

a passphrase.

D.

the user's face.

Buy Now
Questions 32

Which of the following is an essential step before performing Structured Query Language (SQL) penetration tests on a production system?

Options:

A.

Verify countermeasures have been deactivated.

B.

Ensure firewall logging has been activated.

C.

Validate target systems have been backed up.

D.

Confirm warm site is ready to accept connections.

Buy Now
Questions 33

Regarding asset security and appropriate retention, which of the following INITIAL top three areas are important to focus on?

Options:

A.

Security control baselines, access controls, employee awareness and training

B.

Human resources, asset management, production management

C.

Supply chain lead-time, inventory control, and encryption

D.

Polygraphs, crime statistics, forensics

Buy Now
Questions 34

Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)?

Options:

A.

Application interface entry and endpoints

B.

The likelihood and impact of a vulnerability

C.

Countermeasures and mitigations for vulnerabilities

D.

A data flow diagram for the application and attack surface analysis

Buy Now
Questions 35

Match the objectives to the assessment questions in the governance domain of Software Assurance Maturity Model (SAMM).

Options:

Buy Now
Questions 36

What is the MOST critical factor to achieve the goals of a security program?

Options:

A.

Capabilities of security resources

B.

Executive management support

C.

Effectiveness of security management

D.

Budget approved for security resources

Buy Now
Questions 37

Refer to the information below to answer the question.

An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.

Which of the following will MOST likely allow the organization to keep risk at an acceptable level?

Options:

A.

Increasing the amount of audits performed by third parties

B.

Removing privileged accounts from operational staff

C.

Assigning privileged functions to appropriate staff

D.

Separating the security function into distinct roles

Buy Now
Questions 38

According to best practice, which of the following groups is the MOST effective in performing an information security compliance audit?

Options:

A.

In-house security administrators

B.

In-house Network Team

C.

Disaster Recovery (DR) Team

D.

External consultants

Buy Now
Questions 39

Refer to the information below to answer the question.

In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.

Which of the following is true according to the star property (*property)?

Options:

A.

User D can write to File 1

B.

User B can write to File 1

C.

User A can write to File 1

D.

User C can write to File 1

Buy Now
Questions 40

Which of the following is the MOST difficult to enforce when using cloud computing?

Options:

A.

Data access

B.

Data backup

C.

Data recovery

D.

Data disposal

Buy Now
Questions 41

Which of the following methods provides the MOST protection for user credentials?

Options:

A.

Forms-based authentication

B.

Digest authentication

C.

Basic authentication

D.

Self-registration

Buy Now
Questions 42

When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?

Options:

A.

Retain intellectual property rights through contractual wording.

B.

Perform overlapping code reviews by both parties.

C.

Verify that the contractors attend development planning meetings.

D.

Create a separate contractor development environment.

Buy Now
Questions 43

Refer to the information below to answer the question.

A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.

What is the BEST reason for the organization to pursue a plan to mitigate client-based attacks?

Options:

A.

Client privilege administration is inherently weaker than server privilege administration.

B.

Client hardening and management is easier on clients than on servers.

C.

Client-based attacks are more common and easier to exploit than server and network based attacks.

D.

Client-based attacks have higher financial impact.

Buy Now
Questions 44

Refer to the information below to answer the question.

A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.

In addition to authentication at the start of the user session, best practice would require re-authentication

Options:

A.

periodically during a session.

B.

for each business process.

C.

at system sign-off.

D.

after a period of inactivity.

Buy Now
Questions 45

Host-Based Intrusion Protection (HIPS) systems are often deployed in monitoring or learning mode during their initial implementation. What is the objective of starting in this mode?

Options:

A.

Automatically create exceptions for specific actions or files

B.

Determine which files are unsafe to access and blacklist them

C.

Automatically whitelist actions or files known to the system

D.

Build a baseline of normal or safe system events for review

Buy Now
Questions 46

When dealing with compliance with the Payment Card Industry-Data Security Standard (PCI-DSS), an organization that shares card holder information with a service provider MUST do which of the following?

Options:

A.

Perform a service provider PCI-DSS assessment on a yearly basis.

B.

Validate the service provider's PCI-DSS compliance status on a regular basis.

C.

Validate that the service providers security policies are in alignment with those of the organization.

D.

Ensure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly basis.

Buy Now
Questions 47

Refer to the information below to answer the question.

A large, multinational organization has decided to outsource a portion of their Information Technology (IT) organization to a third-party provider’s facility. This provider will be responsible for the design, development, testing, and support of several critical, customer-based applications used by the organization.

The organization should ensure that the third party's physical security controls are in place so that they

Options:

A.

are more rigorous than the original controls.

B.

are able to limit access to sensitive information.

C.

allow access by the organization staff at any time.

D.

cannot be accessed by subcontractors of the third party.

Buy Now
Questions 48

From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?

Options:

A.

Configure secondary servers to use the primary server as a zone forwarder.

B.

Block all Transmission Control Protocol (TCP) connections.

C.

Disable all recursive queries on the name servers.

D.

Limit zone transfers to authorized devices.

Buy Now
Questions 49

What is the BEST method to detect the most common improper initialization problems in programming languages?

Options:

A.

Use and specify a strong character encoding.

B.

Use automated static analysis tools that target this type of weakness.

C.

Perform input validation on any numeric inputs by assuring that they are within the expected range.

D.

Use data flow analysis to minimize the number of false positives.

Buy Now
Questions 50

What is the MOST effective method for gaining unauthorized access to a file protected with a long complex password?

Options:

A.

Brute force attack

B.

Frequency analysis

C.

Social engineering

D.

Dictionary attack

Buy Now
Questions 51

Refer to the information below to answer the question.

An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.

When determining appropriate resource allocation, which of the following is MOST important to monitor?

Options:

A.

Number of system compromises

B.

Number of audit findings

C.

Number of staff reductions

D.

Number of additional assets

Buy Now
Questions 52

Without proper signal protection, embedded systems may be prone to which type of attack?

Options:

A.

Brute force

B.

Tampering

C.

Information disclosure

D.

Denial of Service (DoS)

Buy Now
Questions 53

Which of the following describes the concept of a Single Sign -On (SSO) system?

Options:

A.

Users are authenticated to one system at a time.

B.

Users are identified to multiple systems with several credentials.

C.

Users are authenticated to multiple systems with one login.

D.

Only one user is using the system at a time.

Buy Now
Questions 54

Refer to the information below to answer the question.

A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.

Which of the following documents explains the proper use of the organization's assets?

Options:

A.

Human resources policy

B.

Acceptable use policy

C.

Code of ethics

D.

Access control policy

Buy Now
Questions 55

An organization's data policy MUST include a data retention period which is based on

Options:

A.

application dismissal.

B.

business procedures.

C.

digital certificates expiration.

D.

regulatory compliance.

Buy Now
Questions 56

Refer to the information below to answer the question.

Desktop computers in an organization were sanitized for re-use in an equivalent security environment. The data was destroyed in accordance with organizational policy and all marking and other external indications of the sensitivity of the data that was formerly stored on the magnetic drives were removed.

Organizational policy requires the deletion of user data from Personal Digital Assistant (PDA) devices before disposal. It may not be possible to delete the user data if the device is malfunctioning. Which destruction method below provides the BEST assurance that the data has been removed?

Options:

A.

Knurling

B.

Grinding

C.

Shredding

D.

Degaussing

Buy Now
Questions 57

Refer to the information below to answer the question.

An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.

The security program can be considered effective when

Options:

A.

vulnerabilities are proactively identified.

B.

audits are regularly performed and reviewed.

C.

backups are regularly performed and validated.

D.

risk is lowered to an acceptable level.

Buy Now
Questions 58

With data labeling, which of the following MUST be the key decision maker?

Options:

A.

Information security

B.

Departmental management

C.

Data custodian

D.

Data owner

Buy Now
Questions 59

Which of the following is the MOST effective attack against cryptographic hardware modules?

Options:

A.

Plaintext

B.

Brute force

C.

Power analysis

D.

Man-in-the-middle (MITM)

Buy Now
Questions 60

Refer to the information below to answer the question.

A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.

Which of the following solutions would have MOST likely detected the use of peer-to-peer programs when the computer was connected to the office network?

Options:

A.

Anti-virus software

B.

Intrusion Prevention System (IPS)

C.

Anti-spyware software

D.

Integrity checking software

Buy Now
Questions 61

Which of the following is the MAIN goal of a data retention policy?

Options:

A.

Ensure that data is destroyed properly.

B.

Ensure that data recovery can be done on the datA.

C.

Ensure the integrity and availability of data for a predetermined amount of time.

D.

Ensure the integrity and confidentiality of data for a predetermined amount of time.

Buy Now
Questions 62

Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?

Options:

A.

Resource Servers are required to use passwords to authenticate end users.

B.

Revocation of access of some users of the third party instead of all the users from the third party.

C.

Compromise of the third party means compromise of all the users in the service.

D.

Guest users need to authenticate with the third party identity provider.

Buy Now
Questions 63

Which of the following violates identity and access management best practices?

Options:

A.

User accounts

B.

System accounts

C.

Generic accounts

D.

Privileged accounts

Buy Now
Questions 64

Which item below is a federated identity standard?

Options:

A.

802.11i

B.

Kerberos

C.

Lightweight Directory Access Protocol (LDAP)

D.

Security Assertion Markup Language (SAML)

Buy Now
Questions 65

Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?

Options:

A.

Secondary use of the data by business users

B.

The organization's security policies and standards

C.

The business purpose for which the data is to be used

D.

The overall protection of corporate resources and data

Buy Now
Questions 66

Which of the following is the BEST countermeasure to brute force login attacks?

Options:

A.

Changing all canonical passwords

B.

Decreasing the number of concurrent user sessions

C.

Restricting initial password delivery only in person

D.

Introducing a delay after failed system access attempts

Buy Now
Questions 67

Refer to the information below to answer the question.

An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.

The effectiveness of the security program can PRIMARILY be measured through

Options:

A.

audit findings.

B.

risk elimination.

C.

audit requirements.

D.

customer satisfaction.

Buy Now
Questions 68

Which of the following is the MOST crucial for a successful audit plan?

Options:

A.

Defining the scope of the audit to be performed

B.

Identifying the security controls to be implemented

C.

Working with the system owner on new controls

D.

Acquiring evidence of systems that are not compliant

Buy Now
Questions 69

Refer to the information below to answer the question.

A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.

What MUST the plan include in order to reduce client-side exploitation?

Options:

A.

Approved web browsers

B.

Network firewall procedures

C.

Proxy configuration

D.

Employee education

Buy Now
Questions 70

Refer to the information below to answer the question.

A security practitioner detects client-based attacks on the organization’s network. A plan will be necessary to address these concerns.

In the plan, what is the BEST approach to mitigate future internal client-based attacks?

Options:

A.

Block all client side web exploits at the perimeter.

B.

Remove all non-essential client-side web services from the network.

C.

Screen for harmful exploits of client-side services before implementation.

D.

Harden the client image before deployment.

Buy Now
Questions 71

Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?

Options:

A.

Install mantraps at the building entrances

B.

Enclose the personnel entry area with polycarbonate plastic

C.

Supply a duress alarm for personnel exposed to the public

D.

Hire a guard to protect the public area

Buy Now
Questions 72

All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that

Options:

A.

determine the risk of a business interruption occurring

B.

determine the technological dependence of the business processes

C.

Identify the operational impacts of a business interruption

D.

Identify the financial impacts of a business interruption

Buy Now
Questions 73

Which of the following represents the GREATEST risk to data confidentiality?

Options:

A.

Network redundancies are not implemented

B.

Security awareness training is not completed

C.

Backup tapes are generated unencrypted

D.

Users have administrative privileges

Buy Now
Questions 74

An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?

Options:

A.

Development, testing, and deployment

B.

Prevention, detection, and remediation

C.

People, technology, and operations

D.

Certification, accreditation, and monitoring

Buy Now
Questions 75

When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

Options:

A.

Only when assets are clearly defined

B.

Only when standards are defined

C.

Only when controls are put in place

D.

Only procedures are defined

Buy Now
Questions 76

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?

Options:

A.

Application

B.

Storage

C.

Power

D.

Network

Buy Now
Questions 77

Which of the following actions will reduce risk to a laptop before traveling to a high risk area?

Options:

A.

Examine the device for physical tampering

B.

Implement more stringent baseline configurations

C.

Purge or re-image the hard disk drive

D.

Change access codes

Buy Now
Questions 78

Intellectual property rights are PRIMARY concerned with which of the following?

Options:

A.

Owner’s ability to realize financial gain

B.

Owner’s ability to maintain copyright

C.

Right of the owner to enjoy their creation

D.

Right of the owner to control delivery method

Buy Now
Questions 79

What is the MOST important consideration from a data security perspective when an organization plans to relocate?

Options:

A.

Ensure the fire prevention and detection systems are sufficient to protect personnel

B.

Review the architectural plans to determine how many emergency exits are present

C.

Conduct a gap analysis of a new facilities against existing security requirements

D.

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Buy Now
Questions 80

Which security service is served by the process of encryption plaintext with the sender’s private key and decrypting cipher text with the sender’s public key?

Options:

A.

Confidentiality

B.

Integrity

C.

Identification

D.

Availability

Buy Now
Questions 81

What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?

Options:

A.

Implementation Phase

B.

Initialization Phase

C.

Cancellation Phase

D.

Issued Phase

Buy Now
Questions 82

Which of the following mobile code security models relies only on trust?

Options:

A.

Code signing

B.

Class authentication

C.

Sandboxing

D.

Type safety

Buy Now
Questions 83

Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified automated vulnerability assessments?

Options:

A.

Common Vulnerabilities and Exposures (CVE)

B.

Common Vulnerability Scoring System (CVSS)

C.

Asset Reporting Format (ARF)

D.

Open Vulnerability and Assessment Language (OVAL)

Buy Now
Questions 84

Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?

Options:

A.

Hashing the data before encryption

B.

Hashing the data after encryption

C.

Compressing the data after encryption

D.

Compressing the data before encryption

Buy Now
Questions 85

Who in the organization is accountable for classification of data information assets?

Options:

A.

Data owner

B.

Data architect

C.

Chief Information Security Officer (CISO)

D.

Chief Information Officer (CIO)

Buy Now
Questions 86

The use of private and public encryption keys is fundamental in the implementation of which of the following?

Options:

A.

Diffie-Hellman algorithm

B.

Secure Sockets Layer (SSL)

C.

Advanced Encryption Standard (AES)

D.

Message Digest 5 (MD5)

Buy Now
Questions 87

A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?

Options:

A.

Least privilege

B.

Privilege escalation

C.

Defense in depth

D.

Privilege bracketing

Buy Now
Questions 88

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

Options:

A.

System acquisition and development

B.

System operations and maintenance

C.

System initiation

D.

System implementation

Buy Now
Questions 89

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

Options:

A.

After the system preliminary design has been developed and the data security categorization has been performed

B.

After the vulnerability analysis has been performed and before the system detailed design begins

C.

After the system preliminary design has been developed and before the data security categorization begins

D.

After the business functional analysis and the data security categorization have been performed

Buy Now
Questions 90

Which of the following is the BEST method to prevent malware from being introduced into a production environment?

Options:

A.

Purchase software from a limited list of retailers

B.

Verify the hash key or certificate key of all updates

C.

Do not permit programs, patches, or updates from the Internet

D.

Test all new software in a segregated environment

Buy Now
Questions 91

What is the BEST approach to addressing security issues in legacy web applications?

Options:

A.

Debug the security issues

B.

Migrate to newer, supported applications where possible

C.

Conduct a security assessment

D.

Protect the legacy application with a web application firewall

Buy Now
Questions 92

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

Options:

A.

Check arguments in function calls

B.

Test for the security patch level of the environment

C.

Include logging functions

D.

Digitally sign each application module

Buy Now
Questions 93

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

Options:

A.

Lack of software documentation

B.

License agreements requiring release of modified code

C.

Expiration of the license agreement

D.

Costs associated with support of the software

Buy Now
Questions 94

Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

Options:

A.

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

B.

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

C.

Management teams will understand the testing objectives and reputational risk to the organization

D.

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Buy Now
Questions 95

Which of the following is of GREATEST assistance to auditors when reviewing system configurations?

Options:

A.

Change management processes

B.

User administration procedures

C.

Operating System (OS) baselines

D.

System backup documentation

Buy Now
Questions 96

Which of the following could cause a Denial of Service (DoS) against an authentication system?

Options:

A.

Encryption of audit logs

B.

No archiving of audit logs

C.

Hashing of audit logs

D.

Remote access audit logs

Buy Now
Questions 97

In which of the following programs is it MOST important to include the collection of security process data?

Options:

A.

Quarterly access reviews

B.

Security continuous monitoring

C.

Business continuity testing

D.

Annual security training

Buy Now
Questions 98

A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user’s access to data files?

Options:

A.

Host VM monitor audit logs

B.

Guest OS access controls

C.

Host VM access controls

D.

Guest OS audit logs

Buy Now
Questions 99

Which of the following is a PRIMARY advantage of using a third-party identity service?

Options:

A.

Consolidation of multiple providers

B.

Directory synchronization

C.

Web based logon

D.

Automated account management

Buy Now
Questions 100

A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?

Options:

A.

Guaranteed recovery of all business functions

B.

Minimization of the need decision making during a crisis

C.

Insurance against litigation following a disaster

D.

Protection from loss of organization resources

Buy Now
Questions 101

What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?

Options:

A.

Take the computer to a forensic lab

B.

Make a copy of the hard drive

C.

Start documenting

D.

Turn off the computer

Buy Now
Questions 102

When is a Business Continuity Plan (BCP) considered to be valid?

Options:

A.

When it has been validated by the Business Continuity (BC) manager

B.

When it has been validated by the board of directors

C.

When it has been validated by all threat scenarios

D.

When it has been validated by realistic exercises

Buy Now
Questions 103

Which of the following is the FIRST step in the incident response process?

Options:

A.

Determine the cause of the incident

B.

Disconnect the system involved from the network

C.

Isolate and contain the system involved

D.

Investigate all symptoms to confirm the incident

Buy Now
Questions 104

What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24 hours?

Options:

A.

Warm site

B.

Hot site

C.

Mirror site

D.

Cold site

Buy Now
Questions 105

What is the PRIMARY reason for implementing change management?

Options:

A.

Certify and approve releases to the environment

B.

Provide version rollbacks for system changes

C.

Ensure that all applications are approved

D.

Ensure accountability for changes to the environment

Buy Now
Questions 106

What is the purpose of an Internet Protocol (IP) spoofing attack?

Options:

A.

To send excessive amounts of data to a process, making it unpredictable

B.

To intercept network traffic without authorization

C.

To disguise the destination address from a target’s IP filtering devices

D.

To convince a system that it is communicating with a known entity

Buy Now
Questions 107

An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?

Options:

A.

Implement packet filtering on the network firewalls

B.

Install Host Based Intrusion Detection Systems (HIDS)

C.

Require strong authentication for administrators

D.

Implement logical network segmentation at the switches

Buy Now
Questions 108

In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?

Options:

A.

Transport layer

B.

Application layer

C.

Network layer

D.

Session layer

Buy Now
Questions 109

Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?

Options:

A.

Packet filtering

B.

Port services filtering

C.

Content filtering

D.

Application access control

Buy Now
Questions 110

An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?

Options:

A.

Add a new rule to the application layer firewall

B.

Block access to the service

C.

Install an Intrusion Detection System (IDS)

D.

Patch the application source code

Buy Now
Questions 111

At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?

Options:

A.

Link layer

B.

Physical layer

C.

Session layer

D.

Application layer

Buy Now
Questions 112

Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?

Options:

A.

Intrusion Prevention Systems (IPS)

B.

Intrusion Detection Systems (IDS)

C.

Stateful firewalls

D.

Network Behavior Analysis (NBA) tools

Buy Now
Questions 113

Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?

Options:

A.

WEP uses a small range Initialization Vector (IV)

B.

WEP uses Message Digest 5 (MD5)

C.

WEP uses Diffie-Hellman

D.

WEP does not use any Initialization Vector (IV)

Buy Now
Questions 114

Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?

Options:

A.

Layer 2 Tunneling Protocol (L2TP)

B.

Link Control Protocol (LCP)

C.

Challenge Handshake Authentication Protocol (CHAP)

D.

Packet Transfer Protocol (PTP)

Buy Now
Questions 115

Which one of the following would cause an immediate review and possible change to the security policies of an organization?

Options:

A.

Change in technology

B.

Change in senior management

C.

Change to organization processes

D.

Change to organization goals

Buy Now
Questions 116

Which testing method requires very limited or no information about the network infrastructure?

Options:

A.

While box

B.

Static

C.

Black box

D.

Stress

Buy Now
Questions 117

A client has reviewed a vulnerability assessment report and has stated it is Inaccurate. The client states that the vulnerabilities listed are not valid because the host’s Operating System (OS) was not properly detected.

Where in the vulnerability assessment process did the erra MOST likely occur?

Options:

A.

Detection

B.

Enumeration

C.

Reporting

D.

Discovery

Buy Now
Questions 118

A subscription service which provides power, climate control, raised flooring, and telephone wiring but NOT the computer and peripheral equipment is BEST described as a:

Options:

A.

warm site.

B.

reciprocal site.

C.

sicold site.

D.

hot site.

Buy Now
Questions 119

A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code. Which of the following is the

FIRST Software Development Life Cycle (SDLC) phase where this takes place?

Options:

A.

Design

B.

Test

C.

Development

D.

Deployment

Buy Now
Questions 120

Which of the following is the MAIN difference between a network-based firewall and a host-based firewall?

Options:

A.

A network-based firewall is stateful, while a host-based firewall is stateless.

B.

A network-based firewall controls traffic passing through the device, while a host-based firewall controls traffic destined for the device.

C.

A network-based firewall verifies network traffic, while a host-based firewall verifies processes and applications.

D.

A network-based firewall blocks network intrusions, while a host-based firewall blocks malware.

Buy Now
Questions 121

Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?

Options:

A.

File Integrity Checker

B.

Security information and event management (SIEM) system

C.

Audit Logs

D.

Intrusion detection system (IDS)

Buy Now
Questions 122

A security professional should consider the protection of which of the following elements FIRST when developing a defense-in-depth strategy for a mobile workforce?

Options:

A.

Network perimeters

B.

Demilitarized Zones (DM2)

C.

Databases and back-end servers

D.

End-user devices

Buy Now
Questions 123

When dealing with shared, privilaged accounts, especially those for emergencies, what is the BEST way to assure non-repudiation of logs?

Options:

A.

Regularity change the passwords,

B.

implement a password vaulting solution.

C.

Lock passwords in tamperproof envelopes in a safe.

D.

Implement a strict access control policy.

Buy Now
Questions 124

Assume that a computer was powered off when an information security professional

arrived at a crime scene. Which of the following actions should be performed after

the crime scene is isolated?

Options:

A.

Turn the computer on and collect volatile data.

B.

Turn the computer on and collect network information.

C.

Leave the computer off and prepare the computer for transportation to the laboratory

D.

Remove the hard drive, prepare it for transportation, and leave the hardware ta the scene.

Buy Now
Questions 125

What is the BEST approach for maintaining ethics when a security professional is

unfamiliar with the culture of a country and is asked to perform a questionable task?

Options:

A.

Exercise due diligence when deciding to circumvent host government requests.

B.

Become familiar with the means in which the code of ethics is applied and considered.

C.

Complete the assignment based on the customer's wishes.

D.

Execute according to the professional's comfort level with the code of ethics.

Buy Now
Questions 126

What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)?

Options:

A.

Save security costs for the organization.

B.

Improve vulnerability assessment capabilities.

C.

Standardize specifications between software security products.

D.

Achieve organizational compliance with international standards.

Buy Now
Questions 127

A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a ‘specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs. Which of the following privileges would be the MOST suitable?

Options:

A.

Administrative privileges on the OS

B.

Administrative privileges on the web server

C.

Administrative privileges on the hypervisor

D.

Administrative privileges on the application folders

Buy Now
Questions 128

What Is the FIRST step for a digital investigator to perform when using best practices to collect digital evidence from a potential crime scene?

Options:

A.

Consult the lead investigate to team the details of the case and required evidence.

B.

Assure that grounding procedures have been followed to reduce the loss of digital data due to static electricity discharge.

C.

Update the Basic Input Output System (BIOS) and Operating System (OS) of any tools used to assure evidence admissibility.

D.

Confirm that the appropriate warrants were issued to the subject of the investigation to eliminate illegal search claims.

Buy Now
Questions 129

An organization that has achieved a Capability Maturity model Integration (CMMI) level of 4 has done which of the following?

Options:

A.

Addressed continuous innovative process improvement

B.

Addressed the causes of common process variance

C.

Achieved optimized process performance

D.

Achieved predictable process performance

Buy Now
Questions 130

Which of the following frameworks provides vulnerability metrics and characteristics to support the National Vulnerability Database (NVD)?

Options:

A.

Center for Internet Security (CIS)

B.

Common Vulnerabilities and Exposures (CVE)

C.

Open Web Application Security Project (OWASP)

D.

Common Vulnerability Scoring System (CVSS)

Buy Now
Questions 131

Which of the following methods MOST efficiently manages user accounts when using a third-party cloud-based application and directory solution?

Options:

A.

Cloud directory

B.

Directory synchronization

C.

Assurance framework

D.

Lightweight Directory Access Protocol (LDAP)

Buy Now
Questions 132

What is the PRIMARY purpose for an organization to conduct a security audit?

Options:

A.

To ensure the organization is adhering to a well-defined standard

B.

To ensure the organization is applying security controls to mitigate identified risks

C.

To ensure the organization is configuring information systems efficiently

D.

To ensure the organization is documenting findings

Buy Now
Questions 133

In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?

Options:

A.

The target’s security posture cannot be further compromised.

B.

The results of the tests represent a point-in-time assessment of the target(s).

C.

The accuracy of testing results can be greatly improved if the target(s) are properly hardened.

D.

The deficiencies identified can be corrected immediately

Buy Now
Questions 134

While reviewing the financial reporting risks of a third-party application, which of the following Service Organization Control (SOC) reports will be the MOST useful?

Options:

A.

ISIsOC 1

B.

SOC 2

C.

SOC 3

D.

SOC for cybersecurity

Buy Now
Questions 135

What is the MAIN purpose of a security assessment plan?

Options:

A.

Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation

B.

Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.

C.

Provide technical information to executives to help them understand information security postures and secure funding.

D.

Provide education to employees on security and privacy, to ensure their awareness on policies and procedures

Buy Now
Questions 136

Which of the following is the BEST identity-as-a-service (IDaaS) solution for validating users?

Options:

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAM.)

C.

Single Sign-on (SSO)

D.

Open Authentication (OAuth)

Buy Now
Questions 137

Which of the following four iterative steps are conducted on third-party vendors in an on-going basis?

Options:

A.

Investigate, Evaluate, Respond, Monitor

B.

Frame, Assess, Respond, Monitor

C.

Frame, Assess, Remediate, Monitor

D.

Investigate, Assess, Remediate, Monitor

Buy Now
Questions 138

A large corporation is locking for a solution to automate access based on where on request is coming from, who the user is, what device they are connecting with, and what time of day they are attempting this access. What type of solution would suit their needs?

Options:

A.

Discretionary Access Control (DAC)

B.

Role Based Access Control (RBAC)

C.

Mandater Access Control (MAC)

D.

Network Access Control (NAC)

Buy Now
Questions 139

If virus infection is suspected, which of the following is the FIRST step for the user to take?

Options:

A.

Unplug the computer from the network.

B.

Save the opened files and shutdown the computer.

C.

Report the incident to service desk.

D.

Update the antivirus to the latest version.

Buy Now
Questions 140

What is the HIGHEST priority in agile development?

Options:

A.

Selecting appropriate coding language

B.

Managing costs of product delivery

C.

Early and continuous delivery of software

D.

Maximizing the amount of code delivered

Buy Now
Questions 141

Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?

Options:

A.

Derived credential

B.

Temporary security credential

C.

Mobile device credentialing service

D.

Digest authentication

Buy Now
Questions 142

What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?

Options:

A.

Audit logs

B.

Role-Based Access Control (RBAC)

C.

Two-factor authentication

D.

Application of least privilege

Buy Now
Questions 143

Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee’s salary?

Options:

A.

Limit access to predefined queries

B.

Segregate the database into a small number of partitions each with a separate security level

C.

Implement Role Based Access Control (RBAC)

D.

Reduce the number of people who have access to the system for statistical purposes

Buy Now
Questions 144

A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?

Options:

A.

Trusted third-party certification

B.

Lightweight Directory Access Protocol (LDAP)

C.

Security Assertion Markup language (SAML)

D.

Cross-certification

Buy Now
Questions 145

Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

Options:

A.

Personal Identity Verification (PIV)

B.

Cardholder Unique Identifier (CHUID) authentication

C.

Physical Access Control System (PACS) repeated attempt detection

D.

Asymmetric Card Authentication Key (CAK) challenge-response

Buy Now
Questions 146

Which of the following is MOST important when assigning ownership of an asset to a department?

Options:

A.

The department should report to the business owner

B.

Ownership of the asset should be periodically reviewed

C.

Individual accountability should be ensured

D.

All members should be trained on their responsibilities

Buy Now
Questions 147

Which one of the following affects the classification of data?

Options:

A.

Assigned security label

B.

Multilevel Security (MLS) architecture

C.

Minimum query size

D.

Passage of time

Buy Now
Questions 148

An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.

Which contract is BEST in offloading the task from the IT staff?

Options:

A.

Platform as a Service (PaaS)

B.

Identity as a Service (IDaaS)

C.

Desktop as a Service (DaaS)

D.

Software as a Service (SaaS)

Buy Now
Questions 149

In a data classification scheme, the data is owned by the

Options:

A.

system security managers

B.

business managers

C.

Information Technology (IT) managers

D.

end users

Buy Now
Questions 150

Which of the following is an initial consideration when developing an information security management system?

Options:

A.

Identify the contractual security obligations that apply to the organizations

B.

Understand the value of the information assets

C.

Identify the level of residual risk that is tolerable to management

D.

Identify relevant legislative and regulatory compliance requirements

Buy Now
Questions 151

When implementing a data classification program, why is it important to avoid too much granularity?

Options:

A.

The process will require too many resources

B.

It will be difficult to apply to both hardware and software

C.

It will be difficult to assign ownership to the data

D.

The process will be perceived as having value

Buy Now
Questions 152

Which of the following BEST describes the responsibilities of a data owner?

Options:

A.

Ensuring quality and validation through periodic audits for ongoing data integrity

B.

Maintaining fundamental data availability, including data storage and archiving

C.

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

D.

Determining the impact the information has on the mission of the organization

Buy Now
Questions 153

Which factors MUST be considered when classifying information and supporting assets for risk management, legal discovery, and compliance?

Options:

A.

System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements

B.

Data stewardship roles, data handling and storage standards, data lifecycle requirements

C.

Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements

D.

System authorization roles and responsibilities, cloud computing standards, lifecycle requirements

Buy Now
Questions 154

Which of the following is a responsibility of a data steward?

Options:

A.

Ensure alignment of the data governance effort to the organization.

B.

Conduct data governance interviews with the organization.

C.

Document data governance requirements.

D.

Ensure that data decisions and impacts are communicated to the organization.

Buy Now
Questions 155

Proven application security principles include which of the following?

Options:

A.

Minimizing attack surface area

B.

Hardening the network perimeter

C.

Accepting infrastructure security controls

D.

Developing independent modules

Buy Now
Questions 156

A vulnerability assessment report has been submitted to a client. The client indicates that one third of the hosts

that were in scope are missing from the report.

In which phase of the assessment was this error MOST likely made?

Options:

A.

Enumeration

B.

Reporting

C.

Detection

D.

Discovery

Buy Now
Questions 157

Who is responsible for the protection of information when it is shared with or provided to other organizations?

Options:

A.

Systems owner

B.

Authorizing Official (AO)

C.

Information owner

D.

Security officer

Buy Now
Questions 158

Which of the following is a responsibility of the information owner?

Options:

A.

Ensure that users and personnel complete the required security training to access the Information System

(IS)

B.

Defining proper access to the Information System (IS), including privileges or access rights

C.

Managing identification, implementation, and assessment of common security controls

D.

Ensuring the Information System (IS) is operated according to agreed upon security requirements

Buy Now
Questions 159

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?

Options:

A.

Code quality, security, and origin

B.

Architecture, hardware, and firmware

C.

Data quality, provenance, and scaling

D.

Distributed, agile, and bench testing

Buy Now
Questions 160

Which security access policy contains fixed security attributes that are used by the system to determine a

user’s access to a file or object?

Options:

A.

Mandatory Access Control (MAC)

B.

Access Control List (ACL)

C.

Discretionary Access Control (DAC)

D.

Authorized user control

Buy Now
Questions 161

Match the name of access control model with its associated restriction.

Drag each access control model to its appropriate restriction access on the right.

Options:

Buy Now
Questions 162

Access to which of the following is required to validate web session management?

Options:

A.

Log timestamp

B.

Live session traffic

C.

Session state variables

D.

Test scripts

Buy Now
Questions 163

Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework?

Options:

A.

Achieving Service Level Agreements (SLA) on how quickly patches will be released when a security flaw is found.

B.

Maintaining segregation of duties.

C.

Standardized configurations for logging, alerting, and security metrics.

D.

Availability of security teams at the end of design process to perform last-minute manual audits and reviews.

Buy Now
Questions 164

Which of the following would BEST support effective testing of patch compatibility when patches are applied to an organization’s systems?

Options:

A.

Standardized configurations for devices

B.

Standardized patch testing equipment

C.

Automated system patching

D.

Management support for patching

Buy Now
Questions 165

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) only provides which of the following?

Options:

A.

Mutual authentication

B.

Server authentication

C.

User authentication

D.

Streaming ciphertext data

Buy Now
Questions 166

Which of the following is a characteristic of an internal audit?

Options:

A.

An internal audit is typically shorter in duration than an external audit.

B.

The internal audit schedule is published to the organization well in advance.

C.

The internal auditor reports to the Information Technology (IT) department

D.

Management is responsible for reading and acting upon the internal audit results

Buy Now
Questions 167

Which of the BEST internationally recognized standard for evaluating security products and systems?

Options:

A.

Payment Card Industry Data Security Standards (PCI-DSS)

B.

Common Criteria (CC)

C.

Health Insurance Portability and Accountability Act (HIPAA)

D.

Sarbanes-Oxley (SOX)

Buy Now
Questions 168

Which of the following is the MOST efficient mechanism to account for all staff during a speedy nonemergency evacuation from a large security facility?

Options:

A.

Large mantrap where groups of individuals leaving are identified using facial recognition technology

B.

Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exitdoor

C.

Emergency exits with push bars with coordinates at each exit checking off the individual against a

predefined list

D.

Card-activated turnstile where individuals are validated upon exit

Buy Now
Questions 169

An organization’s security policy delegates to the data owner the ability to assign which user roles have access

to a particular resource. What type of authorization mechanism is being used?

Options:

A.

Discretionary Access Control (DAC)

B.

Role Based Access Control (RBAC)

C.

Media Access Control (MAC)

D.

Mandatory Access Control (MAC)

Buy Now
Questions 170

The core component of Role Based Access Control (RBAC) must be constructed of defined data elements.

Which elements are required?

Options:

A.

Users, permissions, operations, and protected objects

B.

Roles, accounts, permissions, and protected objects

C.

Users, roles, operations, and protected objects

D.

Roles, operations, accounts, and protected objects

Buy Now
Questions 171

An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses?

Options:

A.

The Data Protection Authority (DPA)

B.

The Cloud Service Provider (CSP)

C.

The application developers

D.

The data owner

Buy Now
Questions 172

From a security perspective, which of the following assumptions MUST be made about input to an

application?

Options:

A.

It is tested

B.

It is logged

C.

It is verified

D.

It is untrusted

Buy Now
Questions 173

As part of an application penetration testing process, session hijacking can BEST be achieved by which of the following?

Options:

A.

Known-plaintext attack

B.

Denial of Service (DoS)

C.

Cookie manipulation

D.

Structured Query Language (SQL) injection

Buy Now
Questions 174

What is the foundation of cryptographic functions?

Options:

A.

Encryption

B.

Cipher

C.

Hash

D.

Entropy

Buy Now
Questions 175

Who is accountable for the information within an Information System (IS)?

Options:

A.

Security manager

B.

System owner

C.

Data owner

D.

Data processor

Buy Now
Questions 176

A software scanner identifies a region within a binary image having high entropy. What does this MOST likely indicate?

Options:

A.

Encryption routines

B.

Random number generator

C.

Obfuscated code

D.

Botnet command and control

Buy Now
Questions 177

By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the

Options:

A.

confidentiality of the traffic is protected.

B.

opportunity to sniff network traffic exists.

C.

opportunity for device identity spoofing is eliminated.

D.

storage devices are protected against availability attacks.

Buy Now
Questions 178

An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the BEST response to the auditor?

Options:

A.

Provide the encrypted passwords and analysis tools to the auditor for analysis.

B.

Analyze the encrypted passwords for the auditor and show them the results.

C.

Demonstrate that non-compliant passwords cannot be created in the system.

D.

Demonstrate that non-compliant passwords cannot be encrypted in the system.

Buy Now
Questions 179

The type of authorized interactions a subject can have with an object is

Options:

A.

control.

B.

permission.

C.

procedure.

D.

protocol.

Buy Now
Questions 180

Which of the following is an effective method for avoiding magnetic media data remanence?

Options:

A.

Degaussing

B.

Encryption

C.

Data Loss Prevention (DLP)

D.

Authentication

Buy Now
Questions 181

The BEST method of demonstrating a company's security level to potential customers is

Options:

A.

a report from an external auditor.

B.

responding to a customer's security questionnaire.

C.

a formal report from an internal auditor.

D.

a site visit by a customer's security team.

Buy Now
Questions 182

In Disaster Recovery (DR) and business continuity training, which BEST describes a functional drill?

Options:

A.

A full-scale simulation of an emergency and the subsequent response functions

B.

A specific test by response teams of individual emergency response functions

C.

A functional evacuation of personnel

D.

An activation of the backup site

Buy Now
Questions 183

What technique BEST describes antivirus software that detects viruses by watching anomalous behavior?

Options:

A.

Signature

B.

Inference

C.

Induction

D.

Heuristic

Buy Now
Questions 184

Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?

Options:

A.

Cross Origin Resource Sharing (CORS)

B.

WebSockets

C.

Document Object Model (DOM) trees

D.

Web Interface Definition Language (IDL)

Buy Now
Questions 185

In Business Continuity Planning (BCP), what is the importance of documenting business processes?

Options:

A.

Provides senior management with decision-making tools

B.

Establishes and adopts ongoing testing and maintenance strategies

C.

Defines who will perform which functions during a disaster or emergency

D.

Provides an understanding of the organization's interdependencies

Buy Now
Questions 186

The three PRIMARY requirements for a penetration test are

Options:

A.

A defined goal, limited time period, and approval of management

B.

A general objective, unlimited time, and approval of the network administrator

C.

An objective statement, disclosed methodology, and fixed cost

D.

A stated objective, liability waiver, and disclosed methodology

Buy Now
Questions 187

What is the ultimate objective of information classification?

Options:

A.

To assign responsibility for mitigating the risk to vulnerable systems

B.

To ensure that information assets receive an appropriate level of protection

C.

To recognize that the value of any item of information may change over time

D.

To recognize the optimal number of classification categories and the benefits to be gained from their use

Buy Now
Questions 188

Which of the following statements is TRUE for point-to-point microwave transmissions?

Options:

A.

They are not subject to interception due to encryption.

B.

Interception only depends on signal strength.

C.

They are too highly multiplexed for meaningful interception.

D.

They are subject to interception by an antenna within proximity.

Buy Now
Questions 189

Which of the following BEST represents the principle of open design?

Options:

A.

Disassembly, analysis, or reverse engineering will reveal the security functionality of the computer system.

B.

Algorithms must be protected to ensure the security and interoperability of the designed system.

C.

A knowledgeable user should have limited privileges on the system to prevent their ability to compromise security capabilities.

D.

The security of a mechanism should not depend on the secrecy of its design or implementation.

Buy Now
Questions 190

Which one of these risk factors would be the LEAST important consideration in choosing a building site for a new computer facility?

Options:

A.

Vulnerability to crime

B.

Adjacent buildings and businesses

C.

Proximity to an airline flight path

D.

Vulnerability to natural disasters

Buy Now
Questions 191

Passive Infrared Sensors (PIR) used in a non-climate controlled environment should

Options:

A.

reduce the detected object temperature in relation to the background temperature.

B.

increase the detected object temperature in relation to the background temperature.

C.

automatically compensate for variance in background temperature.

D.

detect objects of a specific temperature independent of the background temperature.

Buy Now
Questions 192

Which of the following is TRUE about Disaster Recovery Plan (DRP) testing?

Options:

A.

Operational networks are usually shut down during testing.

B.

Testing should continue even if components of the test fail.

C.

The company is fully prepared for a disaster if all tests pass.

D.

Testing should not be done until the entire disaster plan can be tested.

Buy Now
Questions 193

Who must approve modifications to an organization's production infrastructure configuration?

Options:

A.

Technical management

B.

Change control board

C.

System operations

D.

System users

Buy Now
Questions 194

What is an effective practice when returning electronic storage media to third parties for repair?

Options:

A.

Ensuring the media is not labeled in any way that indicates the organization's name.

B.

Disassembling the media and removing parts that may contain sensitive datA.

C.

Physically breaking parts of the media that may contain sensitive datA.

D.

Establishing a contract with the third party regarding the secure handling of the mediA.

Buy Now
Questions 195

Which of the following is an essential element of a privileged identity lifecycle management?

Options:

A.

Regularly perform account re-validation and approval

B.

Account provisioning based on multi-factor authentication

C.

Frequently review performed activities and request justification

D.

Account information to be provided by supervisor or line manager

Buy Now
Questions 196

Which of the following statements is TRUE of black box testing?

Options:

A.

Only the functional specifications are known to the test planner.

B.

Only the source code and the design documents are known to the test planner.

C.

Only the source code and functional specifications are known to the test planner.

D.

Only the design documents and the functional specifications are known to the test planner.

Buy Now
Questions 197

An organization is designing a large enterprise-wide document repository system. They plan to have several different classification level areas with increasing levels of controls. The BEST way to ensure document confidentiality in the repository is to

Options:

A.

encrypt the contents of the repository and document any exceptions to that requirement.

B.

utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected.

C.

keep individuals with access to high security areas from saving those documents into lower security areas.

D.

require individuals with access to the system to sign Non-Disclosure Agreements (NDA).

Buy Now
Questions 198

Which of the following is a security feature of Global Systems for Mobile Communications (GSM)?

Options:

A.

It uses a Subscriber Identity Module (SIM) for authentication.

B.

It uses encrypting techniques for all communications.

C.

The radio spectrum is divided with multiple frequency carriers.

D.

The signal is difficult to read as it provides end-to-end encryption.

Buy Now
Questions 199

What is the MOST effective countermeasure to a malicious code attack against a mobile system?

Options:

A.

Sandbox

B.

Change control

C.

Memory management

D.

Public-Key Infrastructure (PKI)

Buy Now
Questions 200

In a financial institution, who has the responsibility for assigning the classification to a piece of information?

Options:

A.

Chief Financial Officer (CFO)

B.

Chief Information Security Officer (CISO)

C.

Originator or nominated owner of the information

D.

Department head responsible for ensuring the protection of the information

Buy Now
Questions 201

To prevent inadvertent disclosure of restricted information, which of the following would be the LEAST effective process for eliminating data prior to the media being discarded?

Options:

A.

Multiple-pass overwriting

B.

Degaussing

C.

High-level formatting

D.

Physical destruction

Buy Now
Questions 202

An organization allows ping traffic into and out of their network. An attacker has installed a program on the network that uses the payload portion of the ping packet to move data into and out of the network. What type of attack has the organization experienced?

Options:

A.

Data leakage

B.

Unfiltered channel

C.

Data emanation

D.

Covert channel

Buy Now
Questions 203

Which of the following wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device?

Options:

A.

Trusted Platform Module (TPM)

B.

Preboot eXecution Environment (PXE)

C.

Key Distribution Center (KDC)

D.

Simple Key-Management for Internet Protocol (SKIP)

Buy Now
Questions 204

An advantage of link encryption in a communications network is that it

Options:

A.

makes key management and distribution easier.

B.

protects data from start to finish through the entire network.

C.

improves the efficiency of the transmission.

D.

encrypts all information, including headers and routing information.

Buy Now
Questions 205

Which of the following is considered best practice for preventing e-mail spoofing?

Options:

A.

Spam filtering

B.

Cryptographic signature

C.

Uniform Resource Locator (URL) filtering

D.

Reverse Domain Name Service (DNS) lookup

Buy Now
Questions 206

How can a forensic specialist exclude from examination a large percentage of operating system files residing on a copy of the target system?

Options:

A.

Take another backup of the media in question then delete all irrelevant operating system files.

B.

Create a comparison database of cryptographic hashes of the files from a system with the same operating system and patch level.

C.

Generate a message digest (MD) or secure hash on the drive image to detect tampering of the media being examined.

D.

Discard harmless files for the operating system, and known installed programs.

Buy Now
Questions 207

An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information?

Options:

A.

Implement packet filtering on the network firewalls

B.

Require strong authentication for administrators

C.

Install Host Based Intrusion Detection Systems (HIDS)

D.

Implement logical network segmentation at the switches

Buy Now
Questions 208

What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?

Options:

A.

Physical access to the electronic hardware

B.

Regularly scheduled maintenance process

C.

Availability of the network connection

D.

Processing delays

Buy Now
Questions 209

The goal of software assurance in application development is to

Options:

A.

enable the development of High Availability (HA) systems.

B.

facilitate the creation of Trusted Computing Base (TCB) systems.

C.

prevent the creation of vulnerable applications.

D.

encourage the development of open source applications.

Buy Now
Questions 210

The BEST way to check for good security programming practices, as well as auditing for possible backdoors, is to conduct

Options:

A.

log auditing.

B.

code reviews.

C.

impact assessments.

D.

static analysis.

Buy Now
Exam Code: CISSP
Exam Name: Certified Information Systems Security Professional (CISSP)
Last Update: Dec 22, 2024
Questions: 1486

PDF + Testing Engine

$599

Testing Engine

$449

PDF (Q&A)

$399