A comprehensive overview of key security concepts, including the cia triad, the parkerian hexad, and the principles of least privilege, defense in depth, and separation of duties. It also explores the osi and tcp/ip models, highlighting the layers and their functions. Particularly valuable for understanding the principles of confidentiality, integrity, availability, and authenticity in information security.
What is the ISC2 Code of Ethics Preamble? - Correct Answer The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
(Please Do Not Throw Sausage Pizza Away) What are the four layers of the TCP/IP Model? What OSI layers does each TCP/IP layer consist of? - Correct Answer 1. Network Access Layer - combines the Data-Link and Physical layers.
What are some elements of Separation of Duties (SoD)? - Correct Answer Also referred to as "segregation of duties".
Interface with the human resources group, & Review the acceptable use policy.
What is a best practice when terminating an employee? - Correct Answer Conduct an exit interview
What are similar to standards but are more flexible and not usually mandatory? - Correct Answer Guidelines
At the start of an interview, it is not uncommon to sign which kind of agreement? - Correct Answer Non-disclosure agreement
Which topics would most likely be covered during end-user security awareness education and training? - Correct Answer Social engineering tactics, Anti-phishing measures, Tailgating policy, & Clean desk policy
In an information security policy lifecycle, which of these critical success factors means the policy can accommodate change and be adapted if necessary? - Correct Answer Flexible
What is an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process? - Correct Answer JIT
Which data type is the least mature and most difficult to protect due to overhead from encryption/decryption? - Correct Answer Data in use
You have restricted subjects and objects based on a mandatory access control model. What attribute have you used to establish an asset classification level? - Correct Answer Architecture
What asset and data role is the keeper of the object from a technical perspective so that CIA is maintained? - Correct Answer Custodian
Which phase of the data lifecycle is concerned with the residual risk from data, metadata, and artifacts that are left over after a software deletion process? - Correct Answer Remanence
What is the best and most common destruction technique for microfilm (microfiche), laser discs, and document imaging applications? - Correct Answer Pulverizing
What system plays a critical role in several IT management initiatives such as IT Service Management (ITSM) and IT Asset Management (ITAM) by storing metadata and modifications to items? - Correct Answer CMDB
You have configured a network access control list to protect traffic coming into your virtual network at a popular cloud provider. Which type of control is this? - Correct Answer Technical
What is the standardized language developed by MITRE (in a collaborative way) to represent structured information about cyber threats? - Correct Answer STIX
At what defense-in-depth layer would you deploy data loss prevention, HIPS, and patch management? - Correct Answer Endpoint security
In which phase of the data lifecycle would you apply the Do and Check activities of the PDCA model? - Correct Answer Information
What is a set of services and tools that allows organizations to simplify security operations in threat management, incident response, and security operations automation? - Correct Answer SOAR
Your company's facility is built in a 100-year flood zone, so your executive management decides not to get flood insurance. What type of risk treatment is this? - Correct Answer Acceptance
Your SOC needs a risk management tool to use for a security audit. What is a unique, open-source threat modeling method focused on enhancing the security auditing process from a cyber risk management perspective? - Correct Answer TRIKE
Which security framework offers the Cloud Control Matrix to ensure handling of requirements stemming from new technologies and controls? - Correct Answer CSA
What access control model seeks to imitate real-world decision making while also considering operational needs and vulnerability with every access control decision? - Correct Answer Risk-based
What access model uses integrity verification procedures that run periodically to check the consistency of the integrity rules in the system? - Correct Answer Clark-Wilson
In which access model is the owner of an object most likely to have some control over permissions and sharing? - Correct Answer Discretionary
Which of these MAC models is a confidentiality model? - Correct Answer Bell-LaPadula
Which form of access model is often used with infrastructure ACLs on routers and firewall devices? - Correct Answer Rule-based
Which of these security measures are used to specifically control physical access? - Correct Answer Fire suppression, Signage, Bollards, & Safes
What is another term for a Type 1 hypervisor? - Correct Answer Native
What access model would you choose if you wanted to make decisions based on weighing rules against the characteristics of the subject's actions and the request environment? - Correct Answer Attribute-based
Which type of organization is structured around traditional roles and departments such as Human Resources, IT, Sales, Marketing, and Finance? - Correct Answer Functional
Which IdM process involves collecting attributes or digital documents to support a claim of identification for a specific subject to validate the veracity of the claim? - Correct Answer Proofing
When provisioning resources using an identity management system, which component offers an accepted origination point or "system of record" for user identity data attributes?
Which of these are common activities of auditing account access? - Correct Answer Confirming the deployment of SSO best practices, Reviewing when a user's job requires new access, Assuring the proper removal of terminated users, & Confirming that roles are modified when a user changes jobs
Which authentication and authorization protocol is used with IEEE 802.1X? - Correct Answer RADIUS
Which type of SSO attack would involve secret cooperation between a principal and service provider system to launch an attack? - Correct Answer Collusion attack
Which is a basic and common identity layer on top of the OAuth 2.0 protocol? - Correct Answer OIDC
What takes place when a user gets access to resources and functionality that they are not authorized or generally allowed to access? - Correct Answer Privilege escalation
Which authentication protocol relies on a Key Distribution Center (KDC)? - Correct Answer Kerberos
Which of these AAA accounting services involves performing showback against departmental budgets and business unit allocations? - Correct Answer Chargeback
Which common type of system is often powered by specialized chips or system-on-a-chip as well as older unpatched versions of Linux or Microsoft Windows? - Correct Answer IoT
Which database security control involves modifying the baseline to become more applicable, such as changing the data application timeout requirement from 20 minutes of inactivity to 10? - Correct Answer Tailoring
Which is a specific service-oriented application component that represents an architectural approach to software development where the results are made up of small independent services that communicate over well-defined APIs? - Correct Answer Microservices
Which NIST special publication has guidelines for media sanitization? - Correct Answer 800-88
What are strategically placed physical controls meant to prohibit vehicles from entering certain areas, as well as in parking lots or along sidewalks to guide pedestrian traffic? - Correct Answer Bollards
On the CISSP exam, what category of control is physical security? - Correct Answer Operational
What is an intentional or unintentional sag, slump, or drop in electrical voltage? - Correct Answer Brownout
What type of lighting, although slow to turn on, is a preferred outdoor security lighting? - Correct Answer Mercury vapor
What are the recommended temperature and humidity, respectively, for a data center or server room, expressed in Fahrenheit? - Correct Answer 72 to 76 degrees and 40 to 60%
What are enclosures that block electromagnetic fields emanating from Electromagnetic Interference (EMI), Carrington events, solar flares, and Electromagnetic Pulses (EMP)? - Correct Answer Faraday cage
What type of fire extinguisher is for electrical equipment and wires, using inert gas, dry powders, powdered aerosols, foam, or carbon dioxide? - Correct Answer Type C
What term describes the physical separation of the control network and the other networks? - Correct Answer Airgap
Which service decouples the physical hardware from the network map in order to support virtualization and allow the data center network to be deployed programmatically? - Correct Answer VXLAN
Which infrastructure devices have session-level access control for management protocols and Management Frame Protection features? - Correct Answer Wireless LAN controllers
Which AWS CDN feature controls who can download content directly from a CloudFront distribution? - Correct Answer Private Content Feature
Which is the most common S/MIME service for providing authentication, data integrity, and non-repudiation? - Correct Answer Digital signatures
Which WPA3 protocol and feature set specifically replaces WPA2 PSK? - Correct Answer SAE
Which technology has the goal of delivering bandwidths of up to 10 Gbps by using higher-frequency radio waves than current cellular networks? - Correct Answer 5G
Which is a document specifying constraints and practices that a user must agree to for access to a corporate network or the Internet? - Correct Answer AUP
Which TCP port does Transport Layer Security operate on? - Correct Answer 443
What is a structured language developed by MITRE for a collaborative way to represent cyber threat intelligence and observable data? - Correct Answer STIX
Which phase of the incident response lifecycle, also called "eradication", would most likely involve determining the root cause of the incident and applying immediate remedies if available? - Correct Answer Mitigation
What type of lower-risk change follows a specific process for scheduling, assessment, and an approval/authorization process? - Correct Answer Normal
Which of these represents the initial phase of patch management? - Correct Answer Develop inventory and patch management plan
Which of these security principles is closely related to separation of duties (SoD)? - Correct Answer Dual operator
Which of these components would be considered the most volatile as a data storage medium? - Correct Answer Routing table
What is a set of data, tools, utilities, and processes used to support configuration management? - Correct Answer CMS
At which phase of the SCM would you establish software code baselines? - Correct Answer Version Control
Which CCM level is also referred to as early explicit, when an enterprise has developed its own standard software process through greater attention to documentation, standardization, and integration? - Correct Answer Level 3
What is defined as a multidisciplinary team of people who are collectively responsible for delivering a well-defined software solution by maintaining different subject matter experts leveraged throughout the entire development lifecycle? - Correct Answer Integrated Product Teams
Which application security testing model can detect up to 100% of the OWASP benchmark in real time with no false positives and has the flexibility to be used in QA and production environments, analyzing dependencies as well as legacy components? - Correct Answer IAST
Which of the following would be an aspect of mobile application management? - Correct Answer Securing and removing corporate data within mobile apps
Which organization would offer "API1:2019 Broken Object Level Authorization" as an API top ten vulnerability? - Correct Answer OWASP
Which software products are intended to be easily installed and to interoperate tightly with existing system components? - Correct Answer COTS (Commercial-Off-The-Shelf)
Which of these would be considered poor coding practices? - Correct Answer Improper input validation, Unsecure usage of repositories, Leaving inoperative dead code, Not relying on stored procedures
Which is an application development methodology where two or more functionally duplicate versions of the app are developed from the same specification? - Correct Answer Software diversity
Which secure coding practice involves writing code that attackers and other people have a hard time understanding? - Correct Answer Obfuscation