Quiz Summary
1. Question
There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
2. Question
Which of the following is not a reason to develop and implement a disaster recovery plan?
3. Question
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
4. Question
What is the chief security responsibility of a data owner?
5. Question
Which of the following approaches is the most effective way for an organization to reduce its liability regarding the protection of private data?
6. Question
Virtualization offers many benefits. Which of the following incorrectly describes virtualization?
7. Question
Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode.
Which of the following best describes the last architecture described in this scenario?
8. Question
There are several components involved with steganography. Which of the following refers to a file that has hidden information in it?
9. Question
The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP?
10. Question
What is the difference between generating a message authentication code (MAC) and generating a hash MAC (HMAC)?
11. Question
When a system needs to send data to an end user, that data may have to travel over different networking protocols to get to the destination. The different protocol types depend upon how far geographically the data needs to travel, the types of intermediate devices involved, and how this data needs to be protected during transmission. In the following graphic, which two WAN protocols are missing, and what is the best reasoning for their functionality in the transmission scenario being illustrated?
12. Question
Which of the following does software-defined networking (SDN) technology specify?
13. Question
Which of the following describes the best use of Network Access Control (NAC)?
14. Question
There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows?
15. Question
Claudia is the CISO for a global financial institution, overseeing the security of hundreds of millions of bank accounts. Which of the three main security principles should she consider most important when prioritizing the controls her enterprise should deploy?
16. Question
How can a backup strategy be made most effective?
17. Question
Why is “test coverage” an important consideration during an audit?
18. Question
Countries around the world are focusing on cyber warfare and how it can affect their utility and power grid infrastructures. Securing water, power, oil, gas, transportation, and manufacturing systems is an increasing priority for governments. These critical infrastructures are made up of different types of industrial control systems (ICS) that provide this type of functionality. Which of the following answers is not considered a common ICS?
19. Question
The operations team is responsible for defining which data gets backed up and how often. Which type of backup process backs up files that have been modified since the last time all data was backed up?
20. Question
Maria has been tasked with reviewing and ultimately augmenting her organization’s physical security. Of the following controls and approaches, which should be her highest priority to ensure are properly implemented?
21. Question
The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description.
22. Question
With what phase of a business continuity plan does a company proceed when it is ready to move back into its original site or a new site?
23. Question
The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework?
24. Question
Which is the most valuable technique when determining if a specific security control should be implemented?
25. Question
When protecting information assets, which of the following security controls is most effective for data in motion?
26. Question
Which security architecture model defines how to securely develop access rights between subjects and objects?
27. Question
As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access?
28. Question
Which of the following incorrectly describes steganography?
29. Question
There are several different types of technologies within cryptography that provide confidentiality. What is represented in the graphic that follows?
30. Question
Why is it important to understand the life cycle of cryptography and your cryptographic needs?
31. Question
Which of the following does NOT describe IP telephony security?
32. Question
Determining the geographic location of a client IP address in order to route it toward the most proximal topological source of web content is an example of what technology?
33. Question
What is the greatest weakness, and hence concern, with virtualized networks?
34. Question
An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as?
35. Question
Which of the following is an example of a credential management system, also known as an identity management (IdM) system?
36. Question
What is a synthetic transaction?
37. Question
Which of the following statements is true with respect to vulnerability tests versus penetration tests?
38. Question
John is responsible for providing a weekly report to his manager outlining the week’s security incidents and mitigation steps. What steps should he take if a report has no information?
39. Question
After a disaster occurs, a damage assessment needs to take place. Which of the following steps occurs last in a damage assessment?
40. Question
Which of the following statements is true with respect to preventing and/or detecting security disasters?
41. Question
What are the three types of policies that are missing from the following graphic?
42. Question
What is the missing second step in the graphic that follows?
43. Question
John has been told to report to the board of directors with a vendor-neutral enterprise architecture framework that will help the company reduce fragmentation that results from the misalignment of IT and business processes. Which of the following frameworks should he suggest?
44. Question
Which of the following is the LEAST important stage in the life-cycle management of information?
45. Question
When protecting information assets, which of the following security controls is most effective for data at rest?
46. Question
Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other’s internal programming code?
47. Question
An outline for a physical security design should include program categories and the necessary countermeasures for each. What category do locks and access controls belong to?
48. Question
Which of the following correctly describes a drawback of symmetric key systems?
49. Question
There are several different types of important architectures within public key infrastructures. Which architecture does the graphic that follows represent?
50. Question
Which of the following are services that cryptosystems can provide?
51. Question
When an organization splits naming zones, the names of its hosts that are accessible only from an intranet are hidden from the Internet. Which of the following best describes why this is done?
52. Question
Which of the following protocols or set of protocols is used in Voice over IP (VoIP) for caller identification?
53. Question
Which of the following does NOT correctly describe a directory service?
54. Question
What technology within identity management is illustrated in the graphic that follows?
55. Question
Which of the following attributes is used to biometrically authenticate a user’s identity?
56. Question
Why are security metrics so important as performance and/or risk indicators?
57. Question
Which of the following types of tests involves discursive explorations of existing response procedures, based on a likely adverse scenario, designed to determine if desired outcomes will result?
58. Question
Brian, a security administrator, is responding to a virus infection. The antivirus application reports that a file has been infected with a dangerous virus and disinfecting it could damage the file. What course of action should Brian take?
59. Question
Of the following plans, which establishes senior management and a headquarters after a disaster?
60. Question
Miranda has been directed to investigate a possible violation of her organization’s acceptable use policy (AUP) by a coworker suspected of running cryptocurrency mining software on his desktop system. Which of the following is NOT a very likely scenario that could arise during her investigation?
61. Question
List in the proper order from the table shown the learning objectives that are missing and their proper definitions.
62. Question
Different threats need to be evaluated and ranked based upon their severity of business risk when developing a BCP. Which ranking approach is illustrated in the graphic that follows?
63. Question
The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services?
64. Question
Which of the following are effective methods of preventing data remanence on solid-state devices (SSDs)?
i. Clearing
ii. Purging
iii. Degaussing
iv. Destruction
65. Question
Which of the following is the LEAST effective security control regarding sensitive data stored on mobile devices?
66. Question
Which of the following is not a responsibility of the memory manager?
67. Question
What discipline combines the physical environment and the sociology issues that surround it to reduce crime rates and the fear of crime?
68. Question
Which of the following occurs in a PKI environment?
69. Question
There are different ways of providing integrity and authentication within cryptography. What type of technology is shown in the graphic that follows?
70. Question
Which of the following statements is true with respect to the physical security of distribution and storage facilities?
71. Question
Which of the following best describes why e-mail spoofing is easily executed?
72. Question
Encryption can happen at different layers of an operating system and network stack. Where does PPTP encryption take place?
73. Question
Hannah has been assigned the task of installing web access management (WAM) software. What is the best description for what WAM is commonly used for?
74. Question
There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows?
75. Question
Within biometric authentication, what is a Type II error rate?
76. Question
When providing a security report to management, which of the following is the most important component?
77. Question
Camellia has just concluded a security audit of some critical services within her environment and the state of the controls deployed to protect them. She has the results of a battery of technical tests and must now organize them into a written report to her chain of management. In analyzing these results, what must her immediate goal be?
78. Question
Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines?
79. Question
Gizmos and Gadgets has restored its original facility after a disaster. What should be moved in first?
80. Question
What type of risk analysis approach does the following graphic provide?
81. Question
Sean has been hired as business continuity coordinator. He has been told by management that he needs to ensure that the company is in compliance with the ISO/IEC standard that pertains to technology readiness for business continuity. He has also been instructed to find a way to transfer the risk of being unable to carry out critical business functions for a period of time because of a disaster. Which of the following is most likely the standard that Sean has been asked to comply with?
82. Question
Sarah and her security team have carried out many vulnerability tests over the years to locate the weaknesses and vulnerabilities within the systems on the network. The CISO has asked her to oversee the development of a threat model for the network. Which of the following best describes what this model is and what it would be used for?
83. Question
The requirement of erasure is the end of the media life cycle if the media contains sensitive information. Which of the following best describes purging?
84. Question
In the modern era, are paper records still a significant concern in the protection of enterprise data assets? If so, why? If not, why not?
85. Question
Frank is responsible for the security of his company’s online applications, web servers, and web-based activities. The web applications have the capability of being dynamically “locked” so that multiple users cannot edit a web page at the same time and overwrite each other’s work. An audit uncovered that although this software-locking capability was properly configured, multiple users were still able to modify the same web page at the same time. Which of the following best describes what is taking place in this situation?
86. Question
David is preparing a server room at a new branch office. What locking mechanisms should he use for the primary and secondary server room entry doors?
87. Question
Which of the following correctly describes the difference between public key cryptography and public key infrastructure?
88. Question
A widely used family of symmetric algorithms is called block ciphers. When these types of algorithms are being used, a message that needs to be encrypted is segmented into individual blocks and each block is encrypted. These algorithms work in different modes, and each mode has a specific use case. Which mode is being represented in the graphic and what is its most common use case?
89. Question
Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
90. Question
Which of the following is not a benefit of VoIP?
91. Question
Which of the following INCORRECTLY describes IP spoofing and session hijacking?
92. Question
There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?
93. Question
Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides web services?
94. Question
Which of the following criteria is the most important consideration for the selection and deployment of a biometric authentication system?
95. Question
What is the difference between security training and a security awareness program, and which is most important?
96. Question
As a security analyst writing a technical report about the findings of a technical security assessment, what should your primary goal be?
97. Question
In a redundant array of inexpensive disks (RAID) system, data and parity information are striped over several different disks. What is parity information?
98. Question
Several teams should be involved in carrying out the business continuity plan. Which team is responsible for starting the recovery of the original site?
99. Question
ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
100. Question
Which organization has been developed to deal with economic, social, and governance issues and with how sensitive data is transported over borders?
101. Question
Health Tracking Apps, Inc. (HTA) is a U.S.-based corporation that develops and sells apps that its customers can use to track various aspects of their own health, from their daily exercise regimes to various medical test results and comparative statistics over time. These apps utilize cloud-based storage so that customers can access their data from multiple platforms, including smart mobile devices and desktop systems. Customers can also easily share the data the apps generate with their personal trainers and healthcare providers if they choose, on a subscription basis.
HTA’s products are available in several languages, including English, French, Spanish, German, and Italian. All of HTA’s software is developed by a dedicated staff within the United States, though HTA occasionally hires interns from the local university to assist with language translations for its various user interfaces.
The following entity relationship diagram illustrates HTA’s business model dependencies:
Would HTA be required to comply with the General Data Protection Regulation (GDPR)? If so, why? If not, why?
1. Maybe, because HTA’s HR records could contain protected privacy data about European citizens if any of HTA’s interns are students studying from abroad.
2. No, because the GDPR applies only to European-based companies.
3. Yes, to the extent that HTA’s stored private data includes that of any European customers.
4. No, because any private data regarding European citizens that HTA’s HR and customer records contain is stored within the United States.
102. Question
Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this?
103. Question
When selecting and implementing information asset protection standards, the process of scoping refers to which of the following?
104. Question
There are several different important pieces to the Common Criteria. Which of the following best describes the first of the missing components?
105. Question
Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out a security program?
106. Question
Which of the following best describes Key Derivation Functions (KDFs)?
107. Question
If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of?
108. Question
Which of the following is not an effective countermeasure against spam?
109. Question
Today, satellites are used to provide wireless connectivity between different locations. What two prerequisites are needed for two different locations to communicate via satellite links?
110. Question
A small medical institution’s IT security team has become overwhelmed with having to operate and maintain IDSs, firewalls, enterprise-wide antimalware solutions, data leak prevention technologies, and centralized log management. Which of the following best describes what type of solution this organization should implement to allow for standardized and streamlined security operations?
111. Question
In the United States, federal agencies must adhere to Federal Information Processing Standard (FIPS) 201-2 “Personal Identity Verification,” which discusses technical measures of authentication for federal employees and contractors. This standard must be followed in order to ensure which of the following?
112. Question
Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
113. Question
Though “something you know,” in the form of passwords, is the most common authentication factor still used today, it is considered one of the weakest. This is because passwords are easy for users to share, and relatively easy for adversaries to steal or guess. Which of the following measures is the best way to counter attacks on this form of authentication?
114. Question
Which of the following describes a parallel test during disaster recovery testing?
115. Question
Why is a “Methodology” section as critical to a technical security assessment report as the findings themselves?
Question 116 of 316
116. Question
Mirroring of drives is when data is written to two drives at once for redundancy purposes. What similar type of technology is shown in the graphic that follows?
CorrectIncorrect -
Question 117 of 316
117. Question
ACME, Inc., paid a software vendor to develop specialized software, and that vendor has gone out of business. ACME, Inc., does not have access to the code and therefore cannot keep it updated. What mechanism should the company have implemented to prevent this from happening?
CorrectIncorrect -
Question 118 of 316
118. Question
Which of the following is the criteria Sam’s company was most likely certified under?
CorrectIncorrect -
Question 119 of 316
119. Question
Widgets, Inc., wishes to protect its logo from unauthorized use. Which of the following will protect the logo and ensure that others cannot copy and use it?
CorrectIncorrect -
Question 120 of 316
120. Question
Health Tracking Apps, Inc. (HTA) is a U.S.-based corporation that develops and sells apps that its customers can use to track various aspects of their own health, from their daily exercise regimes to various medical test results and comparative statistics over time. These apps utilize cloud-based storage so that customers can access their data from multiple platforms, including smart mobile devices and desktop systems. Customers can also easily share the data the apps generate with their personal trainers and healthcare providers if they choose, on a subscription basis.
HTA’s products are available in several languages, including English, French, Spanish, German, and Italian. All of HTA’s software is developed by a dedicated staff within the United States, though HTA occasionally hires interns from the local university to assist with language translations for its various user interfaces.
The following entity relationship diagram illustrates HTA’s business model dependencies:HTA’s customer data is breached via a vulnerability in its application programming interface (API). This vulnerability is discovered to be a result of a recently announced security flaw in the underlying Java framework that HTA uses for the development of its apps. Which of the following best describes the root of this problem?
CorrectIncorrect -
Question 121 of 316
121. Question
Which of the following are common military categories of data classification?
CorrectIncorrect -
Question 122 of 316
122. Question
When selecting and implementing information asset protection standards, why is tailoring an important process?
CorrectIncorrect -
Question 123 of 316
123. Question
Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows?
CorrectIncorrect -
Question 124 of 316
124. Question
A number of measures should be taken to help protect devices and the environment from electric power issues. Which of the following is best to keep voltage steady and power clean?
CorrectIncorrect -
Question 125 of 316
125. Question
An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms?
CorrectIncorrect -
Question 126 of 316
126. Question
There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions?
CorrectIncorrect -
Question 127 of 316
127. Question
Robert is responsible for implementing a common architecture used when customers need to access confidential information through Internet connections. Which of the following best describes this type of architecture?
Question 128 of 316
Brad is a security manager at Thingamabobs, Inc. He is preparing a presentation for his company’s executives on the risks of using instant messaging (IM) and his reasons for wanting to prohibit its use on the company network. Which of the following should not be included in his presentation?
Question 129 of 316
Which of the following protocols blurs the lines between the OSI model layers, performing the tasks of several at once?
Question 130 of 316
Which of the following does NOT describe privacy-aware role-based access control?
Question 131 of 316
Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and she now knows more about this project than her clearance and need-to-know allows. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring?
Question 132 of 316
Which of the following is the correct sequence in the Kerberos authentication process with respect to passwords, Key Distribution Centers (KDCs), ticket granting servers (TGSs), ticket granting tickets (TGTs), services, and service tickets?
Question 133 of 316
Which of the following describes a structured walk-through test during disaster recovery testing?
Question 134 of 316
Which of the following types of vulnerabilities CANNOT be discovered in the course of a routine vulnerability assessment?
Question 135 of 316
There are several different types of important architectures within backup technologies. Which architecture does the graphic that follows represent?
Question 136 of 316
Which of the following incorrectly describes the concept of executive succession planning?
Question 137 of 316
Which of the following best describes the relationship between COBIT and ITIL?
Question 138 of 316
What is the associated single loss expectancy value in this scenario?
Question 139 of 316
Which of the following means that a company did all it could have reasonably done to prevent a security breach?
Question 140 of 316
Health Tracking Apps, Inc. (HTA) is a U.S.-based corporation that develops and sells apps that its customers can use to track various aspects of their own health, from their daily exercise regimes to various medical test results and comparative statistics over time. These apps utilize cloud-based storage so that customers can access their data from multiple platforms, including smart mobile devices and desktop systems. Customers can also easily share the data the apps generate with their personal trainers and healthcare providers if they choose, on a subscription basis.
HTA’s products are available in several languages, including English, French, Spanish, German, and Italian. All of HTA’s software is developed by a dedicated staff within the United States, though HTA occasionally hires interns from the local university to assist with language translations for its various user interfaces.
The following entity relationship diagram illustrates HTA’s business model dependencies:
HTA stores its customers’ private data in a third-party cloud. What is the primary means through which HTA can ensure that its cloud service provider maintains compliance with any regulations—including the GDPR, if necessary—that HTA is subject to?
Question 141 of 316
Joan needs to document a data classification scheme for her organization. Which criteria should she use to guide her decisions?
Question 142 of 316
When implementing data leak prevention (DLP), which is the first, most critical step?
Question 143 of 316
There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing in this graphic?
Question 144 of 316
Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Of CPTED’s three main components, what is illustrated in the following photo?
Question 145 of 316
If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation?
Question 146 of 316
Jack has been told that successful attacks have been taking place and data that has been encrypted by his company’s software systems has leaked to the company’s competitors. Through Jack’s investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company’s software exposed patterns and allowed for successful reverse engineering.
Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness explained in the scenario?
Question 147 of 316
Since sending spam (unwanted messages) has increased over the years and e-mail has become a common way of sending out malicious links and malware, the industry has developed different ways to combat these issues. One approach is to use a Sender Policy Framework, which is an e-mail validation system. In the following graphic, what type of system receives the request in step 2 and replies in step 3?
Question 148 of 316
There are several different types of authentication technologies. Which type is being shown in the graphic that follows?
Question 149 of 316
Which of the following correctly describes the relationship between SSL and TLS?
Question 150 of 316
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between systems on different security domains. SAML allows for the sharing of authentication information, such as how authentication took place, entity attributes, and what the entity is authorized to access. SAML is most commonly used in web-based environments that require single sign-on (SSO) capability. Which of the following has a correct definition associated with the corresponding SAML component?
Question 151 of 316
A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn’t try to compromise a flaw or weakness. Which of the following is NOT a side-channel attack?
Question 152 of 316
In practical use, which of the following best describes a “session”?
Question 153 of 316
John and his team are conducting a penetration test of a client’s network. The team will conduct its testing armed only with knowledge it acquired from the Web. The network staff is aware that the testing will take place, but the penetration testing team will only work with publicly available data and some information from the client. What is the degree of the team’s knowledge, and what type of test is the team carrying out?
Question 154 of 316
Which of the following is not a common component of configuration management change control steps?
Question 155 of 316
______ provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance.
Question 156 of 316
What type of infrastructural setup is illustrated in the graphic that follows?
Question 157 of 316
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
Question 158 of 316
The NIST organization has defined best practices for creating continuity plans. Which of the following phases deals with identifying and prioritizing critical functions and systems?
Question 159 of 316
Which of the following is a U.S. copyright law that criminalizes the production and dissemination of technology, devices, or services that circumvent access control measures put into place to protect copyright material?
Question 160 of 316
Health Tracking Apps, Inc. (HTA) is a U.S.-based corporation that develops and sells apps that its customers can use to track various aspects of their own health, from their daily exercise regimes to various medical test results and comparative statistics over time. These apps utilize cloud-based storage so that customers can access their data from multiple platforms, including smart mobile devices and desktop systems. Customers can also easily share the data the apps generate with their personal trainers and healthcare providers if they choose, on a subscription basis.
HTA’s products are available in several languages, including English, French, Spanish, German, and Italian. All of HTA’s software is developed by a dedicated staff within the United States, though HTA occasionally hires interns from the local university to assist with language translations for its various user interfaces.
The following entity relationship diagram illustrates HTA’s business model dependencies:
Many of HTA’s employees have either direct or indirect access to its customers’ private data. HTA has to ensure that newly hired employees are aware of all security policies and procedures that apply to them, have only the necessary access through the accounts created for them, and have signed an agreement not to disclose the data inappropriately. Which of the following terms describes this process?
Question 161 of 316
Which of the following means of data removal makes the data unrecoverable even with extraordinary effort, such as with physical forensics in a laboratory?
Question 162 of 316
Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following is the evaluation criteria framework most in use today for these types of purposes?
Question 163 of 316
There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows?
Question 164 of 316
There are five different classes of fire. Each depends upon what is on fire. Which of the following is the proper mapping for the items missing in the provided table?
Question 165 of 316
Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management?
Question 166 of 316
Jack has been told that successful attacks have been taking place and data that has been encrypted by his company’s software systems has leaked to the company’s competitors. Through Jack’s investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company’s software exposed patterns and allowed for successful reverse engineering.
Which of the following best describes the role of the values that are allowing for the patterns described in the scenario?
Question 167 of 316
Which of the following indicates to a packet where to go and how to communicate with the right service or protocol on the destination computer?
Question 168 of 316
What type of security encryption component is missing from the table that follows?
Question 169 of 316
End-to-end encryption is used by users, and link encryption is used by service providers. Which of the following correctly describes these technologies?
Question 170 of 316
Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?
Question 171 of 316
Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?
Question 172 of 316
The use of “resource servers” and “authorization servers” to enable a “client” web service (such as LinkedIn) to access a “resource owner” (such as Google) for federated authorization is a hallmark of what open standard?
Question 173 of 316
Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need?
Question 174 of 316
A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy?
Question 175 of 316
Bob is a new security administrator at a financial institution. The organization has experienced some suspicious activity on one of the critical servers that contain customer data. When reviewing how the systems are administered, he uncovers some concerning issues pertaining to remote administration. Which of the following should not be put into place to reduce these concerns?
i. Commands and data should not be sent in cleartext.
ii. SSH should be used, not Telnet.
iii. Truly critical systems should be administered locally instead of remotely.
iv. Only a small number of administrators should be able to carry out remote functionality.
v. Strong authentication should be in place for any administration activities.
Question 176 of 316
There are several types of redundant technologies that can be put into place. What type of technology is shown in the graphic that follows?
Question 177 of 316
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
Question 178 of 316
As his company’s business continuity coordinator, Matthew is responsible for helping recruit members to the business continuity planning (BCP) committee. Which of the following does not correctly describe this effort?
Question 179 of 316
What role does the Internet Architecture Board play regarding technology and ethics?
Question 180 of 316
Health Tracking Apps, Inc. (HTA) is a U.S.-based corporation that develops and sells apps that its customers can use to track various aspects of their own health, from their daily exercise regimes to various medical test results and comparative statistics over time. These apps utilize cloud-based storage so that customers can access their data from multiple platforms, including smart mobile devices and desktop systems. Customers can also easily share the data the apps generate with their personal trainers and healthcare providers if they choose, on a subscription basis.
HTA’s products are available in several languages, including English, French, Spanish, German, and Italian. All of HTA’s software is developed by a dedicated staff within the United States, though HTA occasionally hires interns from the local university to assist with language translations for its various user interfaces.
The following entity relationship diagram illustrates HTA’s business model dependencies:
HTA has an awareness program designed to educate all employees about security-relevant issues that apply to them, based on their role. IT staff members are specifically instructed that it is important to be aware of new vulnerabilities as they are discovered, not only in the OSs that are used by HTA, but also in the applications and frameworks the developers use to build their software. The awareness program also stresses the importance of rapid mitigation by IT staff. As stated in question 48, HTA’s customer data has been breached via a vulnerability in its API, a vulnerability discovered to be a result of a recently announced security flaw in the underlying Java framework that HTA uses for the development of its apps. Which of the following most likely contributed to the breach with respect to the security awareness program?
Question 181 of 316
When classifying information, its sensitivity refers to:
Question 182 of 316
Certain types of attacks have been made more potent by which of the following advances to microprocessor technology?
Question 183 of 316
A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows?
Question 184 of 316
Electrical power is being provided more through smart grids, which allow for self-healing, resistance to physical and cyberattacks, increased efficiency, and better integration of renewable energy sources. Countries want their grids to be more reliable, resilient, flexible, and efficient. Why does this type of evolution in power infrastructure concern many security professionals?
Question 185 of 316
Mandy needs to calculate how many keys must be generated for the 260 employees using the company’s PKI asymmetric algorithm. How many keys are required?
Question 186 of 316
Sometimes when studying for an industry certification exam like the CISSP, people do not fully appreciate that the concepts and technologies they need to learn to pass the test directly relate to real-world security issues. To reinforce how exam-oriented theoretical concepts directly relate to the practical world of security, choose the answer that best describes the Heartbleed SSL/TLS vulnerability, which is considered to be one of the most critical attack vectors in the history of the Internet.
Question 187 of 316
Several different tunneling protocols can be used in dial-up situations. Which of the following would be best to use as a VPN tunneling solution?
Question 188 of 316
What type of technology is represented in the graphic that follows?
Question 189 of 316
What do the SA values in the graphic of IPSec that follows represent?
Question 190 of 316
Which of the following accurately describes Identity as a Service (IDaaS)?
Question 191 of 316
Which of the following is the best way to reduce brute-force attacks that allow intruders to uncover users’ passwords?
Question 192 of 316
Which of the following is NOT true of OpenID Connect (OIDC)?
Question 193 of 316
What is the difference between a test and an assessment?
Question 194 of 316
Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies?
Question 195 of 316
A suspected crime has been reported within your organization. Which of the following steps should the incident response team take first?
Question 196 of 316
Here is a graphic of a business continuity policy. Which component is missing from this graphic?
Question 197 of 316
Which of the following is not included in a risk assessment?
Question 198 of 316
A business impact analysis is considered a functional analysis. Which of the following is not carried out during a business impact analysis?
Question 199 of 316
As a CISSP candidate, you must sign a Code of Ethics. Which of the following is from the (ISC)² Code of Ethics for the CISSP?
Question 200 of 316
As head of sales, Jim is the data owner for the sales department. Which of the following is not Jim’s responsibility as data owner?
Question 201 of 316
When classifying information, its criticality refers to:
Question 202 of 316
CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode?
Question 203 of 316
Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.
Which of the following best describes the standard Charlie’s team needs to comply with?
Question 204 of 316
Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response.
Mike’s team has decided to implement new perimeter fences and warning signs against trespassing around the company’s facility. Which of the categories listed in the scenario do these countermeasures map to?
Question 205 of 316
Which of the following works similarly to stream ciphers?
Question 206 of 316
What type of exploited vulnerability allows more input than the program has allocated space to store it?
Question 207 of 316
Which of the following correctly describes Bluejacking?
Question 208 of 316
What type of telecommunication technology is illustrated in the graphic that follows?
Question 209 of 316
What is the process depicted in the illustration below referred to as?
Question 210 of 316
Which of the following correctly describes a federated identity and its role within identity management processes?
Question 211 of 316
Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming?
Question 212 of 316
Which of the following attributes are added beyond traditional access control mechanisms (RBAC, MAC, and DAC) in order to implement ABAC?
Question 213 of 316
Which of the following statements is most true with regard to internal security audits versus external, second-party audits?
Question 214 of 316
Which of the following refers to the expected amount of time it will take to get a device fixed and back into production after its failure?
Question 215 of 316
Which of the following is a correct statement regarding digital forensics?
Question 216 of 316
The recovery time objective (RTO) and maximum tolerable downtime (MTD) metrics have similar roles, but their values are very different. Which of the following best describes the difference between RTO and MTD metrics?
Question 217 of 316
The integrity of data is not related to which of the following?
Question 218 of 316
Which of the following steps comes first in a business impact analysis?
Question 219 of 316
Which of the following was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation?
Question 220 of 316
Assigning data classification levels can help with all of the following except:
Question 221 of 316
Which of the following classification levels are most commonly used in commercial industry?
Question 222 of 316
Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage?
Question 223 of 316
Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.
Which of the following is Charlie most likely concerned with in this situation?
Question 224 of 316
Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response.
Mike’s team has decided to implement stronger locks on the exterior doors of the new company’s facility. Which of the categories listed in the scenario does this countermeasure map to?
Question 225 of 316
There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher?
Question 226 of 316
There are common cloud computing service models. ______ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. ______ is the software environment that runs on top of the infrastructure. In the ______ model the provider commonly gives the customers network-based access to a single copy of an application.
Question 227 of 316
DNS is a popular target for attackers due to its strategic role on the Internet. What type of attack uses recursive queries to poison the cache of a DNS server?
Question 228 of 316
Which type of WAN tunneling protocol is missing from the right table in the graphic that follows?
Question 229 of 316
Which of the following is a purpose of the transport layer?
Question 230 of 316
Security countermeasures should be transparent to users and attackers. Which of the following does NOT describe transparency?
Question 231 of 316
There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to packets based on the profile?
Question 232 of 316
How is interface testing different from misuse case testing?
Question 233 of 316
Which of the following is the most critical best practice when conducting an internal security audit?
Question 234 of 316
Which of the following correctly describes direct access and sequential access storage devices?
Question 235 of 316
Which of the following dictates that all evidence be labeled with information indicating who secured and validated it?
Question 236 of 316
High availability (HA) is a combination of technologies and processes that work together to ensure that specific critical functions are always up and running at the necessary level. To provide this level of high availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities. Which of the following best describes these characteristics?
Question 237 of 316
As his company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
Question 238 of 316
It is not unusual for business continuity plans to become out of date. Which of the following is not a reason why plans become outdated?
Question 239 of 316
Lee is a new security manager who is in charge of ensuring that his company complies with the European Union Principles on Privacy when his company is interacting with their European partners. The set of principles that deals with transmitting data considered private is encompassed within which of the following laws or regulations?
Question 240 of 316
Susan, an attorney, has been hired to fill a new position at Widgets, Inc.: chief privacy officer (CPO). What is the primary function of her new role?
Question 241 of 316
Which of the following classification levels are most commonly used in military environments?
Question 242 of 316
Which of the following is a common association of the Clark-Wilson access model?
Question 243 of 316
Tim’s development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses.
Which of the following best describes the type of protection that needs to be provided by this product?
Question 244 of 316
Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company’s physical security program and better align it with the company’s information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response.
Mike’s team has decided to hire and deploy security guards to monitor activities within the company’s facility. Which of the categories listed in the scenario does this countermeasure map to?
245. Question
Which of the following best describes how a digital signature is created?
246. Question
A company has decided that it no longer wants to maintain its own servers and network environment because of increasing costs and liabilities. The company wants to move to a cloud-based solution, but needs to determine which type of solution best fits its needs. Which of the following provides a correct definition and mapping of a typical cloud-based solution?
247. Question
IP telephony networks require the same security measures as those implemented on an IP data network. Which of the following is unique to IP telephony?
248. Question
IPv6 has many new and different characteristics and functionality compared to IPv4. Which of the following is an incorrect functionality or characteristic of IPv6?
i. IPv6 allows for nonscoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example.
ii. IPv6 has IPSec integrated into the protocol stack, which provides application-based secure transmission and authentication.
iii. IPv6 has more flexibility and routing capabilities compared to IPv4 and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions.
iv. The protocol offers autoconfiguration, which makes administration much easier compared to IPv4, and it does not require network address translation (NAT) to extend its address space.
249. Question
Which of the following statements is NOT true about the IPv4 address 192.168.10.129/25?
250. Question
What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?
251. Question
A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS?
252. Question
What are the key stages of account management?
253. Question
With respect to external audits, what is the difference between a second-party audit and a third-party audit?
254. Question
Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level parity?
255. Question
Which of the following is not true of a forensic investigation?
256. Question
Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company’s credit card processing functionality was unavailable for 48 hours the company would most likely experience such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after experiencing a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that is 60 minutes old or less.
In this scenario, which of the following is the work recovery time value?
257. Question
Capability Maturity Model Integration (CMMI) came from the software engineering world and is used within organizations to help lay out a pathway of how incremental improvement can take place. This model is used by organizations in self-assessment and to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. In the CMMI model graphic shown, what is the proper sequence of the levels?
258. Question
Preplanned business continuity procedures provide organizations a number of benefits. Which of the following is not a capability enabled by business continuity planning?
259. Question
Brandy could not figure out how Sam gained unauthorized access to her system, since he has little computer experience. Which of the following is most likely the attack Sam used?
260. Question
Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?
261. Question
Which of the following is true regarding data retention requirements?
262. Question
Which of the following correctly describes the relationship between the reference monitor and the security kernel?
263. Question
Tim’s development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses.
Which of the following best describes the type of technology the team should implement to increase the work effort of buffer overflow attacks?
264. Question
Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags.
Which of the following is the best control that Greg should ensure is implemented to deal with his boss’s concern?
265. Question
In cryptography, different steps and algorithms provide different types of security services. Which of the following provides only authentication, nonrepudiation, and integrity?
266. Question
Sally is carrying out a software analysis on her company’s proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place?
267. Question
Angela wants to group together computers by department to make it easier for them to share network resources. Which of the following will best allow her to group computers logically?
268. Question
Hanna is a new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network, which were used to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed access to the company network. Which of the following IEEE standards was developed for this type of protection?
269. Question
Which of the following statements describes a “converged” protocol?
270. Question
The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does NOT explain why audit logs should be protected?
271. Question
Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability?
272. Question
What is a code review?
273. Question
Which of the following statements is true of audits conducted by external parties?
274. Question
RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data over several drives?
275. Question
Stephanie has been put in charge of developing incident response and forensics procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools. Which of the following best describes what Stephanie needs to build for the deployment teams?
276. Question
Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company’s credit card processing functionality was unavailable for 48 hours the company would most likely experience such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after experiencing a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that is 60 minutes old or less.
In this scenario, what would the 60-minute time period be referred to as?
277. Question
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
278. Question
Management support is critical to the success of a business continuity plan. Which of the following is the most important to be provided to management to obtain their support?
279. Question
Jane has been charged with ensuring that the privacy of clients’ personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
280. Question
Michael is charged with developing a data classification program for his company. Which of the following should he do first?
281. Question
Why is the issue of data remanence sometimes problematic?
282. Question
The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner?
283. Question
Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode.
Which of the following best describes the second operating system architecture described in the scenario?
284. Question
Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags.
Which of the following best describes the situation that the network administrators are experiencing?
285. Question
Advanced Encryption Standard is an algorithm used for which of the following?
286. Question
Which of the following is true about information flow models?
287. Question
Which of the following incorrectly describes how routing commonly takes place on the Internet?
288. Question
________ is a set of extensions to DNS that provides to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.
289. Question
Ethernet uses a shared medium for all stations on a LAN to communicate, and uses a carrier sense multiple access with collision detection (CSMA/CD) approach to managing communications between stations. Which of the following statements about this protocol best explains how it works?
290. Question
Of the following, what is the primary item that a capability table is based upon?
291. Question
Tanya is the security administrator for a large distributed retail company. The company’s network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement?
292. Question
Which of the following statements is true with respect to security audits, vulnerability assessments, and penetration tests?
293. Question
Which of the following is an advantage of having an audit performed by an external, third party?
294. Question
What is the difference between hierarchical storage management and storage area network technologies?
295. Question
When developing a recovery and continuity program within an organization, different metrics can be used to properly measure potential damages and recovery requirements. These metrics help us quantify our risks and the benefits of controls we can put into place. Two metrics commonly used in the development of recovery programs are recovery point objective (RPO) and recovery time objective (RTO). Data restoration (RPO) requirements can be different from service restoration (RTO) requirements. Which of the following best defines these two main recovery measurements in this type of scenario?
296. Question
For evidence to be legally admissible, it must be relevant, complete, sufficient, and reliably obtained. Which characteristic refers to the evidence having a reasonable and sensible relationship to the findings?
297. Question
Which of the following is not a characteristic of a company with a security governance program in place?
298. Question
Which of the following is a critical first step in disaster recovery and contingency planning?
299. Question
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system?
300. Question
Which of the following is NOT a factor in determining the sensitivity of data?
301. Question
For which of the following physical media is degaussing a relatively cheap and effective means of eradicating data?
302. Question
Which of the following best defines a virtual machine?
303. Question
Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode.
Which of the following best describes why there was a performance issue in the context of the scenario?
304. Question
Greg is the security facility officer of a financial institution. His boss has told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the systems in the data center sags.
Which of the following is a control that Greg’s team could implement to address the network administrators’ issue?
305. Question
SSL is a protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process?
306. Question
Which of the following is true with respect to distributed systems?
307. Question
Both de facto and proprietary interior protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination?
308. Question
Which of the following best describes the difference between a virtual firewall that works in bridge mode versus one that is embedded into a hypervisor?
309. Question
Within the realm of network components, what are “endpoints” and why do they pose such difficult security challenges?
310. Question
Which markup language allows a company to send service requests and the receiving company to provision access to these services?
311. Question
The Logistics Agency of a country’s department of defense is responsible for ensuring that all necessary materials get to the proper locations to support the department’s day-to-day activities. The data that this agency maintains must be protected according to the three main security principles of security controls. For this agency’s responsibilities, which security principle has the highest priority?
312. Question
Which of the following is the most important reason to log events remotely?
313. Question
Which of the following is NOT an important practice when facilitating a third-party audit?
314. Question
There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to making changes?
315. Question
An approach to alternate offsite facilities is to establish a reciprocal agreement. Which of the following describes the pros and cons of a reciprocal agreement?
316. Question
Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?