CISSP Sybex Official Study Guide Chapter 1 Review Questions Flashcards
Which of the following contains the primary goals and objectives of security?
A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The internet
B. The CIA Triad
Explanation:
The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Vulnerabilities and risks are evaluated based on their threats against which of the following?
A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
A. One or more of the CIA Triad principles
Explanation:
Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?
A. Identification
B. Availability
C. Encryption
D. Layering
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
B. Availability
Explanation:
Availability means that authorized subjects are granted timely and uninterrupted access to objects.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Which of the following is not considered a violation of confidentiality?
A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
C. Hardware destruction
Explanation:
Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Which of the following is not true?
A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
C. Violations of confidentiality are limited to direct intentional attacks.
Explanation:
Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?
A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 45). Wiley. Kindle Edition.
D. Disclosure
Explanation:
Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _____________________ the data, objects, and resources.
A. Control
B. Audit
C. Access
D. Repudiate
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
C. Access
Explanation:
Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
_______________ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
A. Seclusion
B. Concealment
C. Privacy
D. Criticality
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
C. Privacy
Explanation:
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
All but which of the following items requires awareness for all individuals affected?
A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
D. The backup mechanism used to retain email messages
Explanation:
Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
What element of data categorization management can override all other forms of access control?
A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
D. Taking ownership
Explanation:
D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
What ensures that the subject of an activity or event cannot deny that the event occurred?
A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 46). Wiley. Kindle Edition.
C. Nonrepudiation
Explanation:
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Which of the following is the most important and distinctive concept in relation to layered security?
A. Multiple
B. Series
C. Parallel
D. Filter
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 47). Wiley. Kindle Edition.
B. Series
Explanation:
B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
Which of the following is not considered an example of data hiding?
A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 47). Wiley. Kindle Edition.
.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 47). Wiley. Kindle Edition.
A. Preventing an authorized reader of an object from deleting that object
Explanation:
Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 950). Wiley. Kindle Edition.
What is the primary goal of change management?
A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises
D. Preventing security compromises
Explanation:
The prevention of security compromises is the primary goal of change management.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
What is the primary objective of data classification schemes?
A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
C. To establish a transaction trail for auditing accountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 47). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 47). Wiley. Kindle Edition.
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
Explanation:
The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 951). Wiley. Kindle Edition.
