Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISSP > Domain 1 - Security and Risk Management > Flashcards

Domain 1 - Security and Risk Management Flashcards

(100 cards)

Start Studying
1
Q

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training

A

C. Content reviews

Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization’s needs and is up-to-date based upon the evolving risk landscape.
She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Gavin is creating a report to management on the results of his
most recent risk assessment. In his report, he would like to
identify the remaining level of risk to the organization after
adopting security controls. What term best describes this
current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk

A

B. Residual risk

The residual risk is the level of risk that remains after
controls have been applied to mitigate risks. Inherent risk is the
original risk that existed prior to the controls. Control risk is
new risk introduced by the addition of controls to the
environment. Mitigated risk is the risk that has been addressed
by existing controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Francine is a security specialist for an online service provider in
the United States. She recently received a claim from a copyright
holder that a user is storing information on her service that
violates the third party’s copyright. What law governs the
actions that Francine must take?
A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm Leach Bliley Act

A

C. Digital Millennium Copyright Act

The Digital Millennium Copyright Act (DMCA) sets forth the
requirements for online service providers when handling
copyright complaints received from third parties. The Copyright
Act creates the mechanics for issuing and enforcing copyrights
but does not cover the actions of online service providers. The
Lanham Act regulates the issuance of trademarks to protect
intellectual property. The Gramm-Leach-Bliley Act regulates the
handling of personal financial information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

FlyAway Travel has offices in both the European Union (EU)
and the United States and transfers personal information
between those offices regularly. They have recently received a
request from an EU customer requesting that their account be
terminated. Under the General Data Protection Regulation
(GDPR), which requirement for processing personal information
states that individuals may request that their data no longer be
disseminated or processed?
A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability

A

C. The right to be forgotten

The right to be forgotten, also known as the right to erasure,
guarantees the data subject the ability to have their information
removed from processing or use. It may be tied to consent given
for data processing; if a subject revokes consent for processing,
the data controller may need to take additional steps, including
erasure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

After conducting a qualitative risk assessment of her
organization, Sally recommends purchasing cybersecurity
breach insurance. What type of risk response behavior is she
recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject

A

B. Transfer

Purchasing insurance is a means of transferring risk. If Sally
had worked to decrease the likelihood of the events occurring,
she would have been using a reduce or risk mitigation strategy,
while simply continuing to function as the organization has
would be an example of an acceptance strategy. Rejection, or
denial of the risk, is not a valid strategy, even though it occurs!

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which one of the following elements of information is not
considered personally identifiable information that would
trigger most United States (U.S.) state data breach laws?
A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

A

A. Student identification number

Most state data breach notification laws are modeled after
California’s data breach notification law, which covers Social
Security number, driver’s license number, state identification
card number, credit/debit card numbers, and bank account
numbers (in conjunction with a PIN or password). California’s
breach notification law also protects some items not commonly
found in other state laws, including medical records and health
insurance information. These laws are separate and distinct
from privacy laws, such as the California Consumer Privacy Act
(CCPA), which regulates the handling of personal information
more broadly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Renee is speaking to her board of directors about their
responsibilities to review cybersecurity controls. What rule
requires that senior executives take personal responsibility for
information security matters?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule

A

C. Prudent man rule

The prudent man rule requires that senior executives take
personal responsibility for ensuring the due care that ordinary,
prudent individuals would exercise in the same situation. The
rule originally applied to financial matters, but the Federal
Sentencing Guidelines applied them to information security
matters in the United States in 1991

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Henry recently assisted one of his co-workers in preparing for
the CISSP exam. During this process, Henry disclosed
confidential information about the content of the exam, in
violation of Canon IV of the Code of Ethics: “Advance and
protect the profession.” Who may bring ethics charges against
Henry for this violation?
A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.

A

B. Any certified or licensed professional may bring charges.

This is a question about who has standing to bring an ethics
complaint. The group of individuals who has standing differs
based upon the violated canon. In this case, we are examining
Canon IV, which permits any certified or licensed professional
who subscribes to a code of ethics to bring charges. Charges of
violations of Canons I or II may be brought by anyone. Charges
of violations of Canon III may only be brought by a principal
with an employer/contractor relationship with the accused.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Wanda is working with one of her organization’s European
Union business partners to facilitate the exchange of customer
information. Wanda’s organization is located in the United
States. What would be the best method for Wanda to use to
ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

A

C. Standard contractual clauses

The European Union provides standard contractual clauses
that may be used to facilitate data transfer. That would be the
best choice in a case where two different companies are sharing
data. If the data were being shared internally within a company,
binding corporate rules would also be an option. The EU/U.S.
Privacy Shield was a safe harbor agreement that would
previously have allowed the transfer but is no longer valid.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Yolanda is the chief privacy officer for a financial institution and
is researching privacy requirements related to customer
checking accounts. Which one of the following laws is most
likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA

A

A. GLBA

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions
regulating the privacy of customer financial information. It
applies specifically to financial institutions. The Sarbanes Oxley
(SOX) Act regulates the financial reporting activities of publicly
traded companies. The Health Insurance Portability and
Accountability Act (HIPAA) regulates the handling of protected
health information (PHI). The Family Educational Rights and
Privacy Act (FERPA) regulates the handling of student
educational records.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Tim’s organization recently received a contract to conduct
sponsored research as a government contractor. What law now
likely applies to the information systems involved in this
contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

A

A. FISMA

A. The Federal Information Security Management Act (FISMA)
specifically applies to government contractors. The Government
Information Security Reform Act (GISRA) was the precursor to
FISMA and expired in November 2002. HIPAA and PCI DSS
apply to healthcare and credit card information, respectively.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Chris is advising travelers from his organization who will be
visiting many different countries overseas. He is concerned
about compliance with export control laws. Which of the
following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

A

D. Encryption software

D. The export of encryption software to certain countries is
regulated under U.S. export control laws. Memory chips, office
productivity applications, and hard drives are unlikely to be
covered by these regulations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Bobbi is investigating a security incident and discovers that an
attacker began with a normal user account but managed to
exploit a system vulnerability to provide that account with
administrative rights. What type of attack took place under the
STRIDE threat model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege

A

D. Elevation of privilege

D. In an elevation of privilege attack, the attacker transforms a
limited user account into an account with greater privileges,
powers, and/or access to the system. Spoofing attacks falsify an
identity, while repudiation attacks attempt to deny
accountability for an action. Tampering attacks attempt to
violate the integrity of information or resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You are completing your business continuity planning effort and
have decided that you want to accept one of the risks. What
should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.

A

D. Document your decision-making process.

D. Whenever you choose to accept a risk, you should maintain
detailed documentation of the risk acceptance process to satisfy
auditors in the future. This should happen before implementing
security controls, designing a disaster recovery plan, or
repeating the business impact analysis (BIA).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You are completing a review of the controls used to protect a
media storage facility in your organization and would like to
properly categorize each control that is currently in place. Which
of the following control categories accurately describe a fence
around a facility? (Select all that apply.)
A. Physical
B. Detective
C. Deterrent
D. Preventive

A

A. Physical
C. Deterrent
D. Preventive

A, C, D. A fence does not have the ability to detect intrusions. It
does, however, have the ability to prevent and deter an
intrusion. Fences are an example of a physical control.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Tony is developing a business continuity plan and is having
difficulty prioritizing resources because of the difficulty of
combining information about tangible and intangible assets.
What would be the most effective risk assessment approach for
him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

A

D. Combination of quantitative and qualitative risk assessment

D. Tony would see the best results by combining elements of
quantitative and qualitative risk assessment. Quantitative risk
assessment excels at analyzing financial risk, while qualitative
risk assessment is a good tool for intangible risks. Combining
the two techniques provides a well-rounded risk picture.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Vincent believes that a former employee took trade secret
information from his firm and brought it with him to a
competitor. He wants to pursue legal action. Under what law
could he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

A

D. Economic Espionage Act

D. The Economic Espionage Act imposes fines and jail
sentences on anyone found guilty of stealing trade secrets from a
U.S. corporation. It gives true teeth to the intellectual property
rights of trade secret owners. Copyright law does not apply in
this situation because there is no indication that the information
was copyrighted. The Lanham Act applies to trademark
protection cases. The Glass-Steagall Act was a banking reform
act that is not relevant in this situation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which one of the following principles imposes a standard of care
upon an individual that is broad and equivalent to what one
would expect from a reasonable person under the
circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

A

C. Due care

C. The due care principle states that an individual should react
in a situation using the same level of care that would be expected
from any reasonable person. It is a very broad standard. The due
diligence principle is a more specific component of due care that
states that an individual assigned a responsibility should
exercise due care to complete it accurately and in a timely
manner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Brenda’s organization recently completed the acquisition of a
competitor firm. Which one of the following tasks would be
LEAST likely to be part of the organizational processes
addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies

A

C. Protection of intellectual property

C. The protection of intellectual property is a greater concern
during a divestiture, where a subsidiary is being spun off into a
separate organization, than an acquisition, where one firm has
purchased another. Acquisition concerns include consolidating
security functions and policies as well as integrating security
tools.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Kelly believes that an employee engaged in the unauthorized use
of computing resources for a side business. After consulting with
management, she decides to launch an administrative
investigation. What is the burden of proof that she must meet in
this investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard

A

D. There is no standard

D. Unlike criminal or civil cases, administrative investigations
are an internal matter, and there is no set standard of proof that
Kelly must apply. However, it would still be wise for her
organization to include a standard burden of proof in their own
internal procedures to ensure the thoroughness and fairness of
investigations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Keenan Systems recently developed a new manufacturing
process for microprocessors. The company wants to license the
technology to other companies for use but wants to prevent
unauthorized use of the technology. What type of intellectual
property protection is best suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark

A

A. Patent

A. Patents and trade secrets can both protect intellectual
property related to a manufacturing process. Trade secrets are
appropriate only when the details can be tightly controlled
within an organization, so a patent is the appropriate solution in
this case. Copyrights are used to protect creative works, while
trademarks are used to protect names, logos, and symbols.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Which one of the following actions might be taken as part of a
business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

A

B. Implementing RAID

B. RAID technology provides fault tolerance for hard drive
failures and is an example of a business continuity action.
Restoring from backup tapes, relocating to a cold site, and
restarting business operations are all disaster recovery actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

When developing a business impact analysis, the team should
first create a list of assets. What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.

A

C. Develop a value for each asset.

C. After developing a list of assets, the business impact analysis
team should assign values to each asset. The other activities
listed here occur only after the assets are assigned values.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Mike recently implemented an intrusion prevention system
designed to block common network attacks from affecting his
organization. What type of risk management strategy is Mike
pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

C. Risk mitigation

C. Risk mitigation strategies attempt to lower the probability
and/or impact of a risk occurring. Intrusion prevention systems
attempt to reduce the probability of a successful attack and are,
therefore, examples of risk mitigation. Risk acceptance involves
making a conscious decision to accept a risk as-is with no
further action. Risk avoidance alters business activities to make
a risk irrelevant. Risk transfer shifts the costs of a risk to another
organization, such as an insurance company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Laura has been asked to perform an SCA. What type of organization is she most likely in? A. Higher education B. Banking C. Government D. Healthcare
C. Government ## Footnote C. A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
26
Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet? A. Beyond the shadow of a doubt B. Preponderance of the evidence C. Beyond a reasonable doubt D. Majority of the evidence
C. Beyond a reasonable doubt ## Footnote C. There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.
27
The International Information Systems Security Certification Consortium uses their logo to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo? A. Copyright B. Patent C. Trade secret D. Trademark
D. Trademark ## Footnote D. Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works. Patents and trade secrets are used to protect inventions and similar intellectual property.
28
Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred? "Your personal files are encrypted!" Ransomware A. Availability B. Confidentiality C. Disclosure D. Distributed
A. Availability ## Footnote A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk. There is also no indication that other systems were involved in a distributed attack.
29
Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan
B. Health and fitness application developer ## Footnote B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans— as well as the business associates of any of those covered entities.
30
John's network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated? A. Availability B. Integrity C. Confidentiality D. Denial
A. Availability ## Footnote A. A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. Smurf attacks do not target integrity or confidentiality. While this is a denial of service attack, denial is not the correct answer because you are asked which principle is violated, not what type of attack took place. Denial of service attacks target resource availability.
31
Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing? A. Operational B. Tactical C. Summary D. Strategic
D. Strategic ## Footnote D. Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business’ objectives. Operational and tactical plans have shorter horizons of a year or less.
32
Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions? A. USPTO B. Library of Congress C. NSA D. NIST
A. USPTO ## Footnote A. First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the United States Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress administers the copyright program. The National Security Agency (NSA) and the National Institute for Standards and Technology (NIST) play no role in intellectual property protection.
33
The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation
B. Separation of duties ## Footnote B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it. Defense in depth is not the relevant principle here because the answer is seeking an initial control. We may choose to add additional controls at a later date, but the primary objective here would be to implement separation of duties.
34
Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA? A. Banks B. Defense contractors C. School districts D. Hospitals
B. Defense contractors ## Footnote B. The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.
35
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions? A. HIPAA B. PCI DSS C. SOX D. GLBA
B. PCI DSS ## Footnote B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm Leach Bliley Act (GLBA) regulates the handling of personal financial information.
36
Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. Data custodian B. Data owner C. User D. Auditor
A. Data custodian ## Footnote A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
37
Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan's company's rights? A. Trade secret B. Copyright C. Trademark D. Patent
B. Copyright ## Footnote B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions, and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.
38
Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws
C. Code of Federal Regulations ## Footnote C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.
39
Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure? A. Impact B. RPO C. MTO D. Likelihood
D. Likelihood ## Footnote D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO) or the maximum tolerable outage (MTO).
40
Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst B. Chief information officer (CIO) C. Manager of network security D. President and CEO
B. Chief information officer (CIO) ## Footnote B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.
41
What important function do senior managers normally fill on a business continuity planning team? A. Arbitrating disputes about criticality B. Evaluating the legal environment C. Training staff D. Designing failure controls
A. Arbitrating disputes about criticality ## Footnote A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.
42
You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal? A. SOC 1 B. FISMA C. PCI DSS D. SOC 2
D. SOC 2 ## Footnote D. The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.
43
Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model? A. Repudiation B. Information disclosure C. Tampering D. Elevation of privilege
A. Repudiation ## Footnote A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently. There is no evidence that the attacker engaged in information disclosure, tampering, or elevation of privilege.
44
Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing? A. Integrity B. Availability C. Confidentiality D. Denial
A. Integrity ## Footnote A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information. There is no evidence of an attack against availability or confidentiality. Denial is an objective of attackers, rather than of security professionals and is not relevant in this scenario that targets integrity.
45
Which one of the following issues is not normally addressed in a service-level agreement (SLA)? A. Confidentiality of customer information B. Failover time C. Uptime D. Maximum consecutive downtime
A. Confidentiality of customer information ## Footnote A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).
46
Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software? A. Trademark B. Copyright C. Patent D. Trade secret
A. Trademark ## Footnote A. Trademarks protect words and images that represent a product or service and would not protect computer software.
47
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security. Users in the two offices would like to access each other's file servers over the internet. What control would provide confidentiality for those communications? A. Digital signatures B. Virtual private network C. Virtual LAN D. Digital content management
B. Virtual private network ## Footnote B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office's server over the internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.
48
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security. You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups
C. RAID ## Footnote C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.
49
Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks. Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work. You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add? A. Hashing B. ACLs C. Read-only attributes D. Firewalls
A. Hashing ## Footnote A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and readonly attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.
50
Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process? A. An exit interview B. Recovery of property C. Account termination D. Signing an NCA
D. Signing an NCA ## Footnote D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process. During the exit interview, the team may choose to review employment agreements and policies that remain in force, such as a noncompete or nondisclosure agreement.
51
Frances is reviewing her organization's business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation? A. Statement of accounts B. Statement of importance C. Statement of priorities D. Statement of organizational responsibility
A. Statement of accounts ## Footnote A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.
52
An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? A. Separation of duties B. Least privilege C. Defense in depth D. Mandatory vacation
D. Mandatory vacation ## Footnote D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.
53
Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use? A. CMM B. SW-CMM C. RMM D. COBIT
C. RMM ## Footnote C. The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Jeff could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.
54
Chris' organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted? A. Confidentiality B. Integrity C. Availability D. Denial
C. Availability ## Footnote C. Denial-of-service (DoS) attacks and distributed denial-ofservice (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.
55
Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing? A. Policy B. Baseline C. Guideline D. Procedure
B. Baseline ## Footnote B. Baselines provide the minimum level of security that every system throughout the organization must meet. This type of information would not appear in a policy, guideline, or procedure.
56
Who should receive initial business continuity plan training in an organization? A. Senior executives B. Those with specific business continuity roles C. Everyone in the organization D. First responders
C. Everyone in the organization ## Footnote C. Everyone in the organization should receive basic training on the nature and scope of the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.
57
James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation? A. Purchase cost B. Depreciated cost C. Replacement cost D. Opportunity cost
C. Replacement cost ## Footnote C. If the organization's primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.
58
Roger's organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter? A. FBI B. Local law enforcement C. Bank D. PCI SSC
C. Bank ## Footnote C. PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC), but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant, but they do not have the authority to enforce PCI DSS requirements.
59
Rick recently engaged critical employees in each of his organization's business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship? A. Security champion B. Security expert C. Gamification D. Peer review
A. Security champion ## Footnote A. This is an example of a security champion program that uses individuals employed in other roles in a business unit to share security messaging. The individuals in these roles are not necessarily security experts and do not have a peer review role.
60
Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt? A. Confidentiality B. Integrity C. Availability D. Denial
A. Confidentiality ## Footnote A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.
61
Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors? A. Compliance with all laws and regulations B. Handling information in the same manner the organization would C. Elimination of all identified security risks D. Compliance with the vendor's own policies
B. Handling information in the same manner the organization would ## Footnote B. The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor's policy may be weaker than the organization's own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.
62
NIST RMF Step 1: Categorize Information Systems Step 2: Select Security Controls Step 3: Implement Security Controls Step 4: ??? Step 5: Authorize Information System Step 6: Monitor Security Controls What is the missing step? A. Assess security controls. B. Determine control gaps. C. Remediate control gaps. D. Evaluate user activity.
A. Assess security controls. ## Footnote A. The fourth step of the NIST risk management framework is assessing security controls. This is an important component of the process. The organization has already categorized the system, selected appropriate controls, and implemented those controls. Before authorizing the use of the system, they must assess the effectiveness of those controls to ensure that they meet security requirements.
63
HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services? A. Risk mitigation B. Risk acceptance C. Risk transference D. Risk avoidance
D. Risk avoidance ## Footnote D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk mitigation takes measures to reduce the likelihood and/or impact of a risk. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.
64
Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce? A. Availability B. Denial C. Confidentiality D. Integrity
C. Confidentiality ## Footnote C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.
65
Which one of the following components should be included in an organization's emergency response guidelines? A. List of individuals who should be notified of an emergency incident B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment
A. List of individuals who should be notified of an emergency incident ## Footnote A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
66
Chas recently completed the development of his organization's business continuity plan. Who is the ideal person to approve an organization's business continuity plan? A. Chief information officer B. Chief executive officer C. Chief information security officer D. Chief operating officer
B. Chief executive officer ## Footnote B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.
67
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning? A. Structured analysis of the organization B. Review of the legal and regulatory landscape C. Creation of a BCP team D. Documentation of the plan
D. Documentation of the plan ## Footnote D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.
68
Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce? A. Denial B. Confidentiality C. Integrity D. Availability
D. Availability ## Footnote D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.
69
Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using? A. Cold site B. Warm site C. Hot site D. Mobile site
A. Cold site ## Footnote A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations. Warm sites, hot sites, and mobile sites would all include hardware.
70
Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? A. ITIL B. ISO 27002 C. CMM D. PMBOK Guide
B. ISO 27002 ## Footnote B. ISO 27002 is an international standard focused on information security and titled “Information technology— Security techniques—Code of practice for information security management.” The Information Technology Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.
70
Greg's company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action? A. The breach laws in the state where they are headquartered. B. The breach laws of states they do business in. C. Only federal breach laws. D. Breach laws only cover government agencies, not private businesses.
B. The breach laws of states they do business in. ## Footnote B. In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg's company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state's residents.
71
Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices? A. FERPA B. GLBA C. HIPAA D. HITECH
B. GLBA ## Footnote B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.
71
Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt's clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH Act
B. CALEA ## Footnote B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
72
Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement? A. NCA B. SLA C. NDA D. RTO
C. NDA ## Footnote C. Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.
73
The (ISC)2 Code of Ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure. B. Disclose breaches of privacy, trust, and ethics. C. Provide diligent and competent service to the principles. D. Advance and protect the profession.
B. Disclose breaches of privacy, trust, and ethics. ## Footnote B. The (ISC)2 Code of Ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.
74
Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve? A. Authentication B. Authorization C. Integrity D. Nonrepudiation
D. Nonrepudiation ## Footnote D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.
75
Which one of the following stakeholders is not typically included on a business continuity planning team? A. Core business function leaders B. Information technology staff C. CEO D. Support departments
C. CEO ## Footnote C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.
76
What principle of information security states that an organization should implement overlapping security controls whenever possible? A. Least privilege B. Separation of duties C. Defense in depth D. Security through obscurity
C. Defense in depth ## Footnote C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure. Least privilege ensures that an individual only has the minimum set of permissions necessary to carry out their assigned job functions and does not require overlapping controls. Separation of duties requires that one person not have permission to perform two separate actions that, when combined, carry out a sensitive function. Security through obscurity attempts to hide the details of security controls to add security to them. Neither separation of duties nor security through obscurity involve overlapping controls.
77
Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.) A. (ISC)2 Code of Ethics B. Organizational code of ethics C. Federal code of ethics D. RFC 1087
A. (ISC)2 Code of Ethics B. Organizational code of ethics ## Footnote A, B. All (ISC)2 certified professionals are required to comply with the (ISC)2 Code of Ethics. All employees of an organization are required to comply with the organization's code of ethics. The federal code of ethics (or, more formally, the Code of Ethics for Government Service) would not apply to a nonprofit organization, as it only applies to federal employees. RFC 1087 does provide a code of ethics for the internet, but it is not binding on any individual.
78
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception
Ben is responsible for the security of payment card information ## Footnote B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.
79
----------------------------------------- | | | ^ | | | ^ | | | ^ | II | I | P | | | r | | | o | | | b ----------------------------------------- a | | | b | | | i | | | l | III | IV | i | | | t | | | y | | | ^ ----------------------------------------- ^ >>>> Impact >>>>> The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV
A. I ## Footnote A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.
80
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? A. Informing other employees of the termination B. Retrieving the employee's photo ID C. Calculating the final paycheck D. Revoking electronic access rights
D. Revoking electronic access rights ## Footnote D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.
81
Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue? A. Risk avoidance B. Risk mitigation C. Risk transference D. Risk acceptance
D. Risk acceptance ## Footnote D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.
82
Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site's privacy policy and would like to ensure that it complies with the provisions of the Children's Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA? A. 13 B. 15 C. 17 D. 18
A. 13 ## Footnote A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.
83
Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area? A. 100 B. 1 C. 0.1 D. 0.01
D. 0.01 ## Footnote D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.
84
You discover that a user on your network has been using the Wireshark tool. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? A. Integrity B. Denial C. Availability D. Confidentiality
D. Confidentiality ## Footnote D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.
85
Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements. What tool is he using? A. Vulnerability assessment B. Fuzzing C. Reduction analysis D. Data modeling
C. Reduction analysis ## Footnote C. In reduction analysis, the security professional breaks the system down into five core elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
86
Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk? A. New York (24-32) B. North Carolina (16-24) C. Indiana (16-24) D. Florida (0-2)
D. Florida (0-2) ## Footnote D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.
87
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence? A. Quantitative B. Qualitative C. Annualized loss expectancy D. Reduction
B. Qualitative ## Footnote B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
88
Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat? A. Unpatched web application B. Web defacement C. Malicious hacker D. Operating system
C. Malicious hacker ## Footnote C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.
89
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center? A. 10 percent B. 25 percent C. 50 percent D. 75 percent
C. 50 percent ## Footnote C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5million in damage divided by the $10million facility value, or 50 percent.
90
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center? A. 0.0025 B. 0.005 C. 0.01 D. 0.015
B. 0.005 ## Footnote B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.
91
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing's data center? A. $25,000 B. $50,000 C. $250,000 D. $500,000
A. $25,000 ## Footnote A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.
92
John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover? A. Spoofing B. Repudiation C. Information disclosure D. Elevation of privilege
C. Information disclosure ## Footnote C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.
93
Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contracts C. His post-purchase build process D. The original equipment manufacturer (OEM)
A. His supply chain ## Footnote A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.
94
In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe? A. Regression testing B. Code review C. Change management D. Fuzz testing
C. Change management ## Footnote C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn't bring back old flaws, while fuzz testing feeds unexpected input to code. Code review reviews the source code itself and may be involved in the change management process but isn't what is described here.
95
After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called? A. A KPI B. A metric C. An awareness control D. A return on investment rate
A. A KPI ## Footnote A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is not a return investment calculation in this problem, and the measure is not a control.
96
Which of the following is not typically included in a prehire screening process? A. A drug test B. A background check C. Social media review D. Fitness evaluation
D. Fitness evaluation ## Footnote D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.
97
Which of the following would normally be considered a supply chain risk? (Select all that apply.) A. Adversary tampering with hardware prior while being shipped to the end customer B. Adversary hacking into a web server run by the organization in an IaaS environment C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts D. Adversary conducting a denial-of-service attack using a botnet
A. Adversary tampering with hardware prior while being shipped to the end customer C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts ## Footnote A, C. Supply chain risks occur when the adversary is interfering with the delivery of goods or services from a supplier to the customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an IaaS environment is not a supply chain risk because the web server is already under the control of the customer. Using a botnet to conduct a denial-of-service attack does not involve any supply chain elements.
98
Match the following numbered laws or industry standards to their lettered description: Laws and industry standards 1. GLBA 2. PCI DSS 3. HIPAA 4. SOX Descriptions A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis B. A U.S. law that requires internal controls assessments, including IT transaction flows for publicly traded companies C. An industry standard that covers organizations that handle credit cards D. A U.S. law that provides data privacy and security requirements for medical information
The laws or industry standards match to the descriptions as follows: 1. GLBA: A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis 2. PCI DSS: C. An industry standard that covers organizations that handle credit cards 3. HIPAA: D. A U.S. law that provides data privacy and security requirements for medical information 4. SOX: B. A U.S. law that requires internal controls assessments including IT transaction flows for publicly traded companies

CISSP (9 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions