set33
212 Terms

1. Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?
A. Street addresses
B. Item codes
C. Mobile phone numbers
D. Social Security numbers
Answer: B

2. Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?
A. Firewall rules
B. Policy documents
C. Security standards
D. Periodic audits
Answer: D

3. Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?
A. Organizational code of ethics
B. (ISC)2 code of ethics
C. Organizational security policy
D. (ISC)2 security policy
Answer: A

4. Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)
Answer: A

5. The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?
A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure.
B. Disclose breaches of privacy, trust, and ethics.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.
Answer: B

6. Which one of the following control categories does not accurately describe a fence around a facility?
A. Physical
B. Detective
C. Deterrent
D. Preventive
Answer: B

7. Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
Answer: B

8. Which one of the following is an example of physical infrastructure hardening?
A. Antivirus software
B. Hardware-based network firewall
C. Two-factor authentication
D. Fire suppression system
Answer: D

9. Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed
Answer: A

10. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation
Answer: B

11. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?
A. Integrity
B. Availability
C. Confidentiality
D. Denial
Answer: C

12. Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?
A. Denial
B. Confidentiality
C. Integrity
D. Availability
Answer: D

13. Which one of the following is not an example of a technical control?
A. Session timeout
B. Password aging
C. Encryption
D. Data classification
Answer: D

14. Jasper would like to establish a governing body for the organization’s change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes?
A. Chief information officer
B. Senior leadership team
C. Change control board
D. Software developer
Answer: C

15. During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness?
A. Recording
B. Analysis/Impact Assessment
C. Approval
D. Decision Making and Prioritization
Answer: B

16. Who should the organization appoint to manage the policies and procedures surrounding change management?
A. Project manager
B. Change manager
C. System security officer
D. Architect
Answer: B

17. Which one of the following elements is not a crucial component of a change request?
A. Description of the change
B. Implementation plan
C. Backout plan
D. Incident response plan
Answer: D

18. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation
Answer: D

19. What principle of information security states that an organization should implement overlapping security controls whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity
Answer: C

20. Which one of the following is not a goal of a formal change management program?
A. Implement change in an orderly fashion.
B. Test changes prior to implementation.
C. Provide rollback plans for changes.
D. Inform stakeholders of changes after they occur.
Answer: D

21. Ben is assessing the compliance of his organization with credit card security requirements. He finds payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception
Answer: B

22. Which one of the following is the first step in developing an organization’s vital records program?
A. Identifying vital records
B. Locating vital records
C. Archiving vital records
D. Preserving vital records
Answer: A

23. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?
A. Awareness
B. Training
C. Education
D. Indoctrination
Answer: B

24. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?
A. Training
B. Education
C. Indoctrination
D. Awareness
Answer: D

25. Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?
A. Erasing
B. Clearing
C. Sanitization
D. Destruction
Answer: C

26. What term is used to describe a set of common security configurations, often provided by a third party?
A. Security policy
B. Baseline
C. DSS
D. NIST SP 800-53
Answer: B

27. Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?
A. Information classification
B. Remanence
C. Transmitting data
D. Clearing
Answer: A

28. Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?
[Figure: sanitization and disposition decision flow. Source: NIST SP 800-88]
A. Destroy, validate, document
B. Clear, purge, document
C. Purge, document, validate
D. Purge, validate, document
Answer: D

29. Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.
Answer: C

30. Retaining and maintaining information for as long as it is needed is known as what?
A. Data storage policy
B. Data storage
C. Asset maintenance
D. Record retention
Answer: D

31. Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?
[Figure: stages of a fire. Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.]
A. Incipient
B. Smoke
C. Flame
D. Heat
Answer: A

32. What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction
Answer: D

33. Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?
A. CCTV
B. IPS
C. Turnstiles
D. Faraday cages
Answer: A

34. Referring to the figure shown here, what is the name of the security control indicated by the arrow?
[Figure: physical access control with an arrow marking one element. Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.]
A. Mantrap
B. Turnstile
C. Intrusion prevention system
D. Portal
Answer: A

35. Which one of the following does not describe a standard physical security requirement for wiring closets?
A. Place only in areas monitored by security guards.
B. Do not store flammable items in the closet.
C. Use sensors on doors to log entries.
D. Perform regular inspections of the closet.
Answer: A

36. Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?
A. Firewall
B. Intrusion detection system
C. Parameter checking
D. Vulnerability scanning
Answer: C

37. Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?
A. Mantrap
B. Electric lock
C. Magnetic lock
D. Turnstile
Answer: C

38. Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?
A. Smart card
B. Proximity card
C. Magnetic stripe card
D. Phase three card
Answer: A

39. Which one of the following facilities would have the highest level of physical security requirements?
A. Data center
B. Network closet
C. SCIF
D. Cubicle work areas
Answer: C

40. Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?
A. Data minimization
B. Accuracy
C. Storage limitations
D. Purpose limitations
Answer: D

41. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
A. Corrective
B. Logical
C. Compensating
D. Administrative
Answer: D

42. Which of the following access control categories would not include a door lock?
A. Physical
B. Corrective
C. Preventative
D. Deterrent
Answer: B

43. As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?
A. Separation of duties
B. Least privilege
C. Aggregation
D. Separation of privileges
Answer: B

44. As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?
A. Segregation of duties
B. Aggregation
C. Two-person control
D. Defense in depth
Answer: A

45. Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?
A. Need to know
B. Least privilege
C. Separation of duties
D. Two-person control
Answer: A

46. Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?
A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties
Answer: B

47. Which of the following is not true about the (ISC)2 code of ethics?
A. Adherence to the code is a condition of certification.
B. Failure to comply with the code may result in revocation of certification.
C. The code applies to all members of the information security profession.
D. Members who observe a breach of the code are required to report the possible violation.
Answer: C

48. Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?
A. Need to know
B. Least privilege
C. Two-person control
D. Transitive trust
Answer: B

49. Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?
A. Espionage
B. Confidentiality breach
C. Sabotage
D. Integrity breach
Answer: C

50. Which one of the following is not a canon of the (ISC)2 code of ethics?
A. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
B. Promptly report security vulnerabilities to relevant authorities.
C. Act honorably, honestly, justly, responsibly, and legally.
D. Provide diligent and competent service to principals.
Answer: B

51. When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?
A. Least privilege
B. Separation of duties
C. Job rotation
D. Security through obscurity
Answer: B

52. Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?
A. Security guidelines
B. Security policy
C. Baseline configuration
D. Running configuration
Answer: C

53. Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?
A. Unit testing
B. Acceptance testing
C. Regression testing
D. Vulnerability testing
Answer: C

54. Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?
A. Defense in depth
B. Security through obscurity
C. Least privilege
D. Separation of duties
Answer: A

55. What technology asset management practice would an organization use to ensure that systems meet baseline security standards?
A. Change management
B. Patch management
C. Configuration management
D. Identity management
Answer: C

56. The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?
A. Review the logs and require digital signatures for each log.
B. Require authentication for all actions taken and capture logs centrally.
C. Log the use of administrative credentials and encrypt log data in transit.
D. Require authorization and capture logs centrally.
Answer: B

57. Veronica is responsible for her organization’s asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?
A. Implementation/assessment
B. Operation/maintenance
C. Inventory and licensing
D. Process, planning, design, and initiation
Answer: D

58. Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?
A. GNU Public License
B. Freeware
C. Open source
D. Public domain
Answer: D

59. When an attacker called an organization’s help desk and persuaded them to reset a password due to the help desk employee’s trust and willingness to help, what type of attack succeeded?
A. Trojan horse
B. Social engineering
C. Phishing
D. Whaling
Answer: B

60. Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
A. Multifactor authentication
B. Device authentication
C. Password authentication
D. No authentication
Answer: B

61. Norma is helping her organization create a specialized third-party network connection for a set of vendors needing to connect to Norma’s organization’s network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
A. Internet
B. Intranet
C. Outranet
D. Extranet
Answer: D

62. Which one of the following is an example of a nondiscretionary access control system?
A. File ACLs
B. MAC
C. DAC
D. Visitor list
Answer: B

63. Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
A. IP address
B. MAC address
C. Digital certificate
D. Password
Answer: C

64. Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
A. VPN
B. Firewall
C. Content filter
D. Proxy server
Answer: A

65. When Ben lists the files on a Linux system, he sees the set of attributes shown here. The letters rwx indicate different levels of what?
A. Identification
B. Authorization
C. Authentication
D. Accountability
Answer: B

66. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
A. Password
B. Retinal scan
C. Username
D. Token
Answer: C

67. When a subject claims an identity, what process is occurring?
A. Login
B. Identification
C. Authorization
D. Token presentation
Answer: B

68. Files, databases, computers, programs, processes, devices, and media are all examples of what?
A. Subjects
B. Objects
C. File stores
D. Users
Answer: B

69. MAC models use three types of environments. Which of the following is not a mandatory access control design?
A. Hierarchical
B. Bracketed
C. Compartmentalized
D. Hybrid
Answer: B

70. Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement?
A. Mandatory access controls
B. Single sign-on
C. Multifactor authentication
D. Automated deprovisioning
Answer: B

71. The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
A. ABAC
B. Rule-based access control (RBAC)
C. DAC
D. MAC
Answer: A

72. What is the primary advantage of decentralized access control?
A. It provides better redundancy.
B. It provides control of access to people closer to the resources.
C. It is less expensive.
D. It provides more granular control of access.
Answer: B

73. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
A. An access control list
B. An implicit denial list
C. A capability table
D. A rights management matrix
Answer: C

74. Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?
A. Kerberos
B. LDAP
C. OpenID
D. SESAME
Answer: C

75. Ben uses a software-based token that changes its code every minute. What type of token is he using?
A. Asynchronous
B. Smart card
C. Synchronous
D. Static
Answer: C

76. How does single sign-on increase security?
A. It decreases the number of accounts required for a subject.
B. It helps decrease the likelihood that users will write down their passwords.
C. It provides logging for each system that it is connected to.
D. It provides better encryption for authentication data.
Answer: B

77. Which of the following multifactor authentication technologies provides both low management overhead and flexibility?
A. Biometrics
B. Software tokens
C. Synchronous hardware tokens
D. Asynchronous hardware tokens
Answer: B

78. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
A. Informing other employees of the termination
B. Retrieving the employee’s photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights
Answer: D

79. Jim wants to allow a partner organization’s Active Directory forest (B) to access his domain forest (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?
A. Set up a two-way transitive trust.
B. Set up a one-way transitive trust.
C. Set up a one-way nontransitive trust.
D. Set up a two-way nontransitive trust.
Answer: C

80. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
A. Identity proofing
B. Password verification
C. Authenticating with Type 2 authentication factor
D. Out-of-band identity proofing
Answer: A

81. Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur?
A. A credential management system
B. A strong password policy
C. Separation of duties
D. Single sign-on
Answer: A

82. What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains?
A. Transitive trust
B. Inheritable trust
C. Nontransitive trust
D. Noninheritable trust
Answer: A

83. Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process?
A. Adam
B. File server
C. Server administrator
D. Adam’s supervisor
Answer: B

84. After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices?
A. An issue with least privilege
B. Privilege creep
C. Account creep
D. Account termination
Answer: B

85. Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?
A. An access control list
B. An access control entry
C. Role-based access control
D. Mandatory access control
Answer: A

86. Questions like “What is your pet’s name?” are examples of what type of identity proofing?
A. Knowledge-based authentication
B. Dynamic knowledge-based authentication
C. Out-of-band identity proofing
D. A Type 3 authentication factor
Answer: A

87. What access management concept defines what rights or privileges a user has?
A. Identification
B. Accountability
C. Authorization
D. Authentication
Answer: C

88. Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
Answer: B

89. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
A. Log review
B. Manual review of permissions
C. Signature-based detection
D. Review the audit trail
Answer: C

90. Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?
A. Read only
B. Editor
C. Administrator
D. No access
Answer: D

91. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
A. A registration error
B. A Type 1 error
C. A Type 2 error
D. A time-of-use, method-of-use error
Answer: C

92. Laura is in the process of logging into a system and she just entered her password. What term best describes this activity?
A. Authentication
B. Authorization
C. Accounting
D. Identification
Answer: A

93. Kelly is adjusting her organization’s password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration?
A. 30 days
B. 90 days
C. 180 days
D. No expiration
Answer: D

94. Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
A. HTML
B. XACML
C. SAML
D. SPML
Answer: C

95. What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?
A. DAC
B. MAC
C. Rule-based access control (RBAC)
D. Role-based access control (RBAC)
Answer: B

96. Mandatory access control is based on what type of model?
A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based
Answer: C

97. Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?
A. Ricky
B. VPN
C. Remote file server
D. Files contained on the remote server
Answer: A

98. What type of access control is typically used by firewalls?
A. Discretionary access controls
B. Rule-based access controls
C. Task-based access control
D. Mandatory access controls
Answer: B

99. Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
A. More complex passwords
B. User education against social engineering
C. Multifactor authentication
D. Addition of security questions based on personal knowledge
Answer: C

100. During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?
A. Two-factor authentication
B. Biometric authentication
C. Self-service password reset
D. Passphrases
Answer: C