CISSP Official ISC2 Practice Tests.

Typology: Exams

2025/2026

Available from 05/05/2026

Prof.PatrickGordon
CISSP Official ISC2 Practice Tests - Domain 4 Already Passed, Exams of Advanced Education

  1. What is the final step of a quantitative risk analysis? A. Determine asset value. B. Assess the annualized rate of occurrence. C. Derive the annualized loss expectancy. D. Conduct a cost/benefit analysis. - ANSWERD. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organisation should implement proposed countermeasure(s).
  2. An evil twin attack that broadcasts a legitimate SSID for an unauthorised network is an example of what category of threat? A. Spoofing B. Information disclosure C. Repudiation D. Tampering - ANSWERA.

Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

  1. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder? A. Storage of information by a customer on a provider's server B. Caching of information by the provider C. Transmission of information over the provider's network by a customer D. Caching of information in a provider search engine - ANSWERC. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
  2. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used? A. Notice B. Choice

C. Driver's license number D. Credit card number - ANSWERA. Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

  1. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule - ANSWERC. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in 1991.
  2. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication? A. Username B. PIN C. Security question D. Fingerprint scan - ANSWERD. A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

  1. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive? A. Department of Defense B. Department of the Treasury C. State Department D. Department of Commerce - ANSWERD. The US Department of Commerce is responsible for implementing the EU-US Safe

The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

  1. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations? A. Memory chips B. Office productivity applications C. Hard drives D. Encryption software - ANSWERD. The export of encryption software to certain countries is regulated under US export control laws.
  2. Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model? A. Spoofing B. Repudiation C. Tampering D. Elevation of privilege - ANSWERD. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

  1. You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a disaster recovery plan. C. Repeat the business impact assessment. D. Document your decision-making process. - ANSWERD. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
  2. Which one of the following control categories does not accurately describe a fence around a facility?
  1. What law provides intellectual property protection to the holders of trade secrets? A. Copyright Law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act - ANSWERD. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.
  2. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. Due diligence B. Separation of duties C. Due care D. Least privilege - ANSWERC. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

  1. Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system? A. One B. Two C. Three D. Five - ANSWERC. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
  2. Which one of the following is an example of an administrative control? A. Intrusion detection system B. Security awareness training C. Firewalls D. Security guards - ANSWERB. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

  1. When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. Identify vulnerabilities in each asset. B. Determine the risks facing the asset. C. Develop a value for each asset. D. Identify threats facing each asset. - ANSWERC. After developing a list of assets, the business impact analysis team should assign values to each asset.
  2. Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference - ANSWERC.

Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

  1. Which one of the following is an example of physical infrastructure hardening? A. Antivirus software B. Hardware-based network firewall C. Two-factor authentication D. Fire suppression system - ANSWERD. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.
  2. Which one of the following is normally used as an authorization tool? A. ACL B. Token C. Username D. Password - ANSWERA.

attack.

  1. Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan - ANSWERB. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.
  2. John's network begins to experience symptoms of slowness. Upon investigation, he realises that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organisation is the victim of a Smurf attack. What principle of information security is being violated? A. Availability B. Integrity C. Confidentiality D. Denial - ANSWERA. A Smurf attack is an example of a denial of service attack, which jeopardizes the availability of a targeted network.

  1. Renee is designing the long-term security plan for her organisation and has a 3-5 year planning horizon. What type of plan is she developing? A. Operational B. Tactical C. Summary D. Strategic - ANSWERD. Strategic plans have a long-term planning horizon of up to five years in most cases. Operational and tactical plans have shorter horizons of a year or less.
  2. What government agency is responsible for the evaluation and registration of trademarks? A. USPTO B. Library of Congress C. TVA D. NIST - ANSWERA. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.
  1. Robert is responsible for securing systems used to process credit card information. What standard should guide his actions? A. HIPAA B. PCI DSS C. SOX D. GLBA - ANSWERB. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.
  2. Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. Data custodian B. Data owner C. User D. Auditor - ANSWERA. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
  1. Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan's company's rights? A. Trade secret B. Copyright C. Trademark D. Patent - ANSWERB. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.
  2. Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws - ANSWERC. The Code of Federal Regulations (CFR) contains the text of all administrative laws