Download CISSP OFFICIAL ISC2 PRACTICE TESTS (ALL DOMAINS) and more Exams Advanced Education in PDF only on Docsity!
CISSP OFFICIAL ISC2 PRACTICE
TESTS (ALL DOMAINS) QUESTIONS
AND ANSWERS WITH COMPLETE
SOLUTIONS 100% CORRECT RATED
A+
Question 1: Which of the following represents the concluding step in a quantitative risk analysis workflow? A. Determine asset value. B. Assess the annualized rate of occurrence. C. Derive the annualized loss expectancy. D. Conduct a cost-benefit analysis. Answer: ✔✔ D. Conduct a cost-benefit analysis. Explanation: The final phase of a quantitative risk analysis involves performing a cost-benefit analysis. This process helps the organization evaluate whether the financial cost of implementing a specific countermeasure or safeguard is justified by the amount of risk it mitigates. Question 2: An evil twin attack involves broadcasting a legitimate, trusted SSID from an unauthorized wireless access point. What category of security threat does this behavior represent? A. Spoofing B. Information disclosure C. Repudiation D. Tampering Answer: ✔✔ A. Spoofing Explanation: Spoofing threats rely on utilizing a falsified or disguised identity to deceive targets. Depending on the scenario, spoofing can involve mimicking
legitimate IP addresses, email headers, user names, or—as seen in an evil twin attack—authorized wireless network names (SSIDs).
- Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder? A. Storage of information by a customer on a provider's server B. Caching of information by the provider C. Transmission of information over the provider's network by a customer D. Caching of information in a provider search engine - ANSWER ✔✔C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
- FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used? A. Notice B. Choice C. Onward Transfer D. Enforcement - ANSWER ✔✔A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization
- In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule - ANSWER ✔✔C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in 1991.
- Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication? A. Username B. PIN C. Security question D. Fingerprint scan - ANSWER ✔✔D. A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor
authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.
- What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive? A. Department of Defense B. Department of the Treasury C. State Department D. Department of Commerce - ANSWER ✔✔D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.
- Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HIPAA D. FERPA - ANSWER ✔✔A.
The export of encryption software to certain countries is regulated under US export control laws.
- Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model? A. Spoofing B. Repudiation C. Tampering D. Elevation of privilege - ANSWER ✔✔D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
- You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a disaster recovery plan. C. Repeat the business impact assessment.
D. Document your decision-making process. - ANSWER ✔✔D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
- Which one of the following control categories does not accurately describe a fence around a facility? A. Physical B. Detective C. Deterrent D. Preventive - ANSWER ✔✔B. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
- Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
- Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system? A. One B. Two C. Three D. Five - ANSWER ✔✔C. RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.
- Which one of the following is an example of an administrative control? A. Intrusion detection system B. Security awareness training C. Firewalls D. Security guards - ANSWER ✔✔B. Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.
- Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wishes to prevent unauthorised use of the technology. What type of intellectual property protection is best suited for this situation? A. Patent B. Trade secret C. Copyright D. Trademark - ANSWER ✔✔A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organisation, so a patent is the appropriate solution in this case.
- Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations - ANSWER ✔✔B.
- Which one of the following is an example of physical infrastructure hardening? A. Antivirus software B. Hardware-based network firewall C. Two-factor authentication D. Fire suppression system - ANSWER ✔✔D. Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.
- Which one of the following is normally used as an authorization tool? A. ACL B. Token C. Username D. Password - ANSWER ✔✔A. Access control lists are used for determining a user's authorization level. Usernames are identification tools. Passwords and tokens are authentication tools.
- The International Information Systems Security Certification Consortium uses the logo (ISC2) to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo? A. Copyright
B. Patent C. Trade secret D. Trademark - ANSWER ✔✔D. Trademark protection extends to words and symbols used to represent an organisation, product, or service in the marketplace.
- Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred? A. Availability B. Confidentiality C. Disclosure D. Distributed - ANSWER ✔✔A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack.
- Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan - ANSWER ✔✔B.
Operational and tactical plans have shorter horizons of a year or less.
- What government agency is responsible for the evaluation and registration of trademarks? A. USPTO B. Library of Congress C. TVA D. NIST - ANSWER ✔✔A. The United States Patent and Trademark Office (USPTO) bears responsibility for the registration of trademarks.
- The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation - ANSWER ✔✔B. When following the separation of duties principle, organisations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorised manner.
- Which one of the following categories of organisations is most likely to be covered by the provisions of FISMA? A. Banks B. Defense contractors C. School districts D. Hospitals - ANSWER ✔✔B. The Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.
- Robert is responsible for securing systems used to process credit card information. What standard should guide his actions? A. HIPAA B. PCI DSS C. SOX D. GLBA - ANSWER ✔✔B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.
- Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?
Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws - ANSWER ✔✔C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
- Tom is installing a next-generation firewall (NGFW) in his data centre that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower? A. Impact B. RPO C. MTO D. Likelihood - ANSWER ✔✔D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
- Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst
B. Chief information officer C. Manager of network security D. President and CEO - ANSWER ✔✔B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.
- What important function do senior managers normally fill on a business continuity planning team? A. Arbitrating disputes about criticality B. Evaluating the legal environment C. Training staff D. Designing failure controls - ANSWER ✔✔A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
- You are the CISO for a major hospital system and are preparing to sign a contract with a Software-as-a-Service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?
