Questão 1
Questão
Which one of the following is not an example of a technical control?
Responda
-
A. Router ACL
-
B. Firewall rule
-
C. Encryption
-
D. Data classification
Questão 2
Questão
Which one of the following stakeholders is not typically included on a
business continuity planning team?
Questão 3
Questão
Ben is designing a messaging system for a bank and would like to
include a feature that allows the recipient of a message to prove to a
third party that the message did indeed come from the purported
originator. What goal is Ben trying to achieve?
Responda
-
A. Authentication
-
B. Authorization
-
C. Integrity
-
D. Nonrepudiation
Questão 4
Questão
What principle of information security states that an organization
should implement overlapping security controls whenever possible?
Questão 5
Questão
Which one of the following is not a goal of a formal change
management program?
Responda
-
A. Implement change in an orderly fashion.
-
B. Test changes prior to implementation.
-
C. Provide rollback plans for changes.
-
D. Inform stakeholders of changes after they occur.
Questão 6
Questão
Ben is responsible for the security of payment card information stored
in a database. Policy directs that he remove the information from the
database, but he cannot do this for operational reasons. He obtained
an exception to policy and is seeking an appropriate compensating
control to mitigate the risk. What would be his best option?
Questão 7
Questão
The Domer Industries risk assessment team recently conducted a
qualitative risk assessment and developed a matrix similar to the one
shown here. Which quadrant contains the risks that require the most
immediate attention?
Questão 8
Questão
Tom is planning to terminate an employee this afternoon for fraud
and expects that the meeting will be somewhat hostile. He is
coordinating the meeting with Human Resources and wants to
protect the company against damage. Which one of the following
steps is most important to coordinate in time with the termination
meeting?
Responda
-
A. Informing other employees of the termination
-
B. Retrieving the employee’s photo ID
-
C. Calculating the final paycheck
-
D. Revoking electronic access rights
Questão 9
Questão
Rolando is a risk manager with a large-scale enterprise. The firm
recently evaluated the risk of California mudslides on its operations in
the region and determined that the cost of responding outweighed the
benefits of any controls it could implement. The company chose to
take no action at this time. What risk management strategy did
Rolando’s organization pursue?
Responda
-
A. Risk avoidance
-
B. Risk mitigation
-
C. Risk transference
-
D. Risk acceptance
Questão 10
Questão
You discover that a user on your network has been using the
Wireshark tool, as shown here. Further investigation revealed that he
was using it for illicit purposes. What pillar of information security
has most likely been violated?
Responda
-
A. Integrity
-
B. Denial
-
C. Availability
-
D. Confidentiality
Questão 11
Questão
Alan is performing threat modeling and decides that it would be
useful to decompose the system into the key elements shown here.
What tool is he using?
Questão 12
Questão
Which one of the following tools is most often used for identification
purposes and is not suitable for use as an authenticator?
Responda
-
A. Password
-
B. Retinal scan
-
C. Username
-
D. Token
Questão 13
Questão
Which type of business impact assessment tool is most appropriate
when attempting to evaluate the impact of a failure on customer
confidence?
Questão 14
Questão
Which one of the following is the first step in developing an
organization’s vital records program?
Responda
-
A. Identifying vital records
-
B. Locating vital records
-
C. Archiving vital records
-
D. Preserving vital records
Questão 15
Questão
Which one of the following security programs is designed to provide
employees with the knowledge they need to perform their specific
work tasks?
Responda
-
A. Awareness
-
B. Training
-
C. Education
-
D. Indoctrination
Questão 16
Questão
Which one of the following security programs is designed to establish
a minimum standard common denominator of security
understanding?
Responda
-
A. Training
-
B. Education
-
C. Indoctrination
-
D. Awareness
Questão 17
Questão
Ryan is a security risk analyst for an insurance company. He is
currently examining a scenario in which a malicious hacker might use
a SQL injection attack to deface a web server due to a missing patch in
the company’s web application. In this scenario, what is the threat?
Questão 18
Questão
Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is prone
to tornados. Henry recently undertook a replacement cost analysis
and determined that rebuilding and reconfiguring the data center
would cost $10 million.
Henry consulted with tornado experts, data center specialists, and
structural engineers. Together, they determined that a typical
tornado would cause approximately $5 million of damage to the
facility. The meteorologists determined that Atwood’s facility lies
in an area where they are likely to experience a tornado once every
200 years.
Based upon the information in this scenario, what is the exposure
factor for the effect of a tornado on Atwood Landing’s data center?
Responda
-
A. 10%
-
B. 25%
-
C. 50%
-
D. 75%
Questão 19
Questão
Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is prone
to tornados. Henry recently undertook a replacement cost analysis
and determined that rebuilding and reconfiguring the data center
would cost $10 million.
Henry consulted with tornado experts, data center specialists, and
structural engineers. Together, they determined that a typical
tornado would cause approximately $5 million of damage to the
facility. The meteorologists determined that Atwood’s facility lies
in an area where they are likely to experience a tornado once every
200 years.
Based upon the information in this scenario, what is the annualized
rate of occurrence for a tornado at Atwood Landing’s data center?
Responda
-
A. 0.0025
-
B. 0.005
-
C. 0.01
-
D. 0.015
Questão 20
Questão
Henry is the risk manager for Atwood Landing, a resort
community in the midwestern United States. The resort’s main
data center is located in northern Indiana in an area that is prone
to tornados. Henry recently undertook a replacement cost analysis
and determined that rebuilding and reconfiguring the data center
would cost $10 million.
Henry consulted with tornado experts, data center specialists, and
structural engineers. Together, they determined that a typical
tornado would cause approximately $5 million of damage to the
facility. The meteorologists determined that Atwood’s facility lies
in an area where they are likely to experience a tornado once every
200 years.
Based upon the information in this scenario, what is the annualized
loss expectancy for a tornado at Atwood Landing’s data center?
Responda
-
A. $25,000
-
B. $50,000
-
C. $250,000
-
D. $500,000
Questão 21
Questão
John is analyzing an attack against his company in which the attacker
found comments embedded in HTML code that provided the clues
needed to exploit a software vulnerability. Using the STRIDE model,
what type of attack did he uncover?
Questão 22
Questão
Which one of the following is an administrative control that can
protect the confidentiality of information?
Questão 23
Questão
Chris is worried that the laptops that his organization has recently
acquired were modified by a third party to include keyloggers before
they were delivered. Where should he focus his efforts to prevent
this?
Questão 24
Questão
STRIDE, PASTA, and VAST are all examples of what type of tool?
Responda
-
A. Risk assessment methodologies
-
B. Control matrices
-
C. Threat modeling methodologies
-
D. Awareness campaign tools
Questão 25
Questão
In her role as a developer for an online bank, Lisa is required to
submit her code for testing and review. After it passes through this
process and it is approved, another employee moves the code to the
production environment. What security management does this
process describe?
Responda
-
A. Regression testing
-
B. Code review
-
C. Change management
-
D. Fuzz testing
Questão 26
Questão
After completing the first year of his security awareness program,
Charles reviews the data about how many staff completed training
compared to how many were assigned the training to determine
whether he hit the 95 percent completion rate he was aiming for.
What is this type of measure called?
Questão 27
Questão
Which of the following is not typically included in a prehire screening
process?
Responda
-
A. A drug test
-
B. A background check
-
C. Social media review
-
D. Fitness evaluation
Questão 28
Questão
The (ISC)2 code of ethics applies to all CISSP holders. Which of the
following is not one of the four mandatory canons of the code?
Responda
-
A. Protect society, the common good, the necessary public trust and
confidence, and the infrastructure
-
B. Disclose breaches of privacy, trust, and ethics
-
C. Provide diligent and competent service to the principles
-
D. Advance and protect the profession
Questão 29
Questão
Greg’s company recently experienced a significant data breach
involving the personal data of many of their customers. Which breach
laws should they review to ensure that they are taking appropriate
action?
Responda
-
A. The breach laws in the state where they are headquartered
-
B. The breach laws of states they do business in
-
C. Only federal breach laws
-
D. Breach laws only cover government agencies, not private
businesses
Questão 30
Questão
Lawrence has been asked to perform vulnerability scans and a risk
assessment of systems. Which organizational process are these more
likely to be associated with?
Responda
-
A. A merger
-
B. A divestiture
-
C. A layoff
-
D. A financial audit
Questão 31
Questão
Which of the following is not typically part of a termination process?
Responda
-
A. An exit interview
-
B. Recovery of property
-
C. Account termination
-
D. Signing an NCA
Questão 32
Questão
Laura has been asked to perform an SCA. What type of organization is
she most likely in?
Responda
-
A. Higher education
-
B. Banking
-
C. Government
-
D. Healthcare
Questão 33
Questão
After conducting a qualitative risk assessment of her organization,
Sally recommends purchasing cybersecurity breach insurance. What
type of risk response behavior is she recommending?
Responda
-
A. Accept
-
B. Transfer
-
C. Reduce
-
D. Reject
Questão 34
Questão
What is the final step of a quantitative risk analysis?
Responda
-
A. Determine asset value.
-
B. Assess the annualized rate of occurrence.
-
C. Derive the annualized loss expectancy.
-
D. Conduct a cost/benefit analysis.
Questão 35
Questão
Under the Digital Millennium Copyright Act (DMCA), what type of
offenses do not require prompt action by an internet service provider
after it receives a notification of infringement claim from a copyright
holder?
Responda
-
A. Storage of information by a customer on a provider’s server
-
B. Caching of information by the provider
-
C. Transmission of information over the provider’s network by a
customer
-
D. Caching of information in a provider search engine
Questão 36
Questão
FlyAway Travel has offices in both the European Union (EU) and the
United States and transfers personal information between those
offices regularly. They have recently received a request from an EU
customer requesting that their account be terminated. Under the
General Data Protection Regulation (GDPR), which requirement for
processing personal information states that individuals may request
that their data no longer be disseminated or processed?
Questão 37
Questão
Which one of the following is not one of the three common threat
modeling techniques?
Questão 38
Questão
In 1991, the Federal Sentencing Guidelines formalized a rule that
requires senior executives to take personal responsibility for
information security matters. What is the name of this rule?
Questão 39
Questão
Which one of the following provides an authentication mechanism
that would be appropriate for pairing with a password to achieve
multifactor authentication?
Questão 40
Questão
Chris is advising travelers from his organization who will be visiting
many different countries overseas. He is concerned about compliance
with export control laws. Which of the following technologies is most
likely to trigger these regulations?
Questão 41
Questão
Bobbi is investigating a security incident and discovers that an
attacker began with a normal user account but managed to exploit a
system vulnerability to provide that account with administrative
rights. What type of attack took place under the STRIDE threat
model?
Questão 42
Questão
You are completing your business continuity planning effort and have
decided that you wish to accept one of the risks. What should you do
next?
Responda
-
A. Implement new security controls to reduce the risk level.
-
B. Design a disaster recovery plan.
-
C. Repeat the business impact assessment.
-
D. Document your decision-making process.
Questão 43
Questão
Which one of the following control categories does not accurately
describe a fence around a facility
Responda
-
A. Physical
-
B. Detective
-
C. Deterrent
-
D. Preventive
Questão 44
Questão
Tony is developing a business continuity plan and is having difficulty
prioritizing resources because of the difficulty of combining
information about tangible and intangible assets. What would be the
most effective risk assessment approach for him to use?
Responda
-
A. Quantitative risk assessment
-
B. Qualitative risk assessment
-
C. Neither quantitative nor qualitative risk assessment
-
D. Combination of quantitative and qualitative risk assessment
Questão 45
Questão
What law provides intellectual property protection to the holders of
trade secrets?
Questão 46
Questão
Which one of the following principles imposes a standard of care
upon an individual that is broad and equivalent to what one would
expect from a reasonable person under the circumstances?
Responda
-
A. Due diligence
-
B. Separation of duties
-
C. Due care
-
D. Least privilege
Questão 47
Questão
Darcy is designing a fault tolerant system and wants to implement
RAID level 5 for her system. What is the minimum number of
physical hard disks she can use to build this system?
Responda
-
A. One
-
B. Two
-
C. Three
-
D. Five
Questão 48
Questão
Which one of the following is an example of an administrative
control?
Questão 49
Questão
Keenan Systems recently developed a new manufacturing process for
microprocessors. The company wants to license the technology to
other companies for use but wishes to prevent unauthorized use of
the technology. What type of intellectual property protection is best
suited for this situation?
Responda
-
A. Patent
-
B. Trade secret
-
C. Copyright
-
D. Trademark
Questão 50
Questão
Which one of the following actions might be taken as part of a
business continuity plan?
Responda
-
A. Restoring from backup tapes
-
B. Implementing RAID
-
C. Relocating to a cold site
-
D. Restarting business operations