PRACTICE QUESTIONS Flashcards

1
Q
Which of the following issues is NOT addressed by Kerberos?
A.
Availability
B.
Confidentiality
C.
Integrity
D.
Authentication
A

A

Using symmetric key cryptography, Kerberos authenticates clients to the other entities on a
network from which the client requires services; it does not address availability.

2
Q

Which of the following statements is not listed within the four canons of the (ISC)2 Code of Ethics?

A.
All information systems security professionals who are certified by (ISC)2 shall observe all
contracts and agreements, express or implied.
B.
All information systems security professionals who are certified by (ISC)2 shall render only those
services for which they are fully competent and qualified.
C.
All information systems security professionals who are certified by (ISC)2 shall promote and
preserve public trust and confidence in information and systems.
D.
All information systems security professionals who are certified by (ISC)2 shall think about the
social consequences of the program they write.

A

D

3
Q

Regarding codes of ethics covered within the ISC2 CBK, within which of them is the phrase
“Discourage unsafe practice” found?

A.
Computer Ethics Institute commandments
B.
(ISC)2 Code of Ethics
C.
Internet Activities Board's Ethics and the Internet (RFC1087)
D.
CIAC Guidelines
A

B

The (ISC)2 Code of Ethics includes the phrase “Discourage unsafe practice, and preserve and
strengthen the integrity of public infrastructures.”

4
Q

Which of the following is NOT a factor related to Access Control?

A.
integrity
B.
authenticity
C.
confidentiality
D.
availability
A

B

Access control maps to the CIA triad; authentication is not part of the CIA triad.

Access controls are security features that control how users and systems communicate and
interact with other systems and resources.
Access controls give organizations the ability to control, restrict, monitor, and protect resource
availability, integrity, and confidentiality.

5
Q

Which of the following is the correct set of assurance requirements for EAL 5?

A.
Semiformally verified design and tested
B.
Semiformally tested and checked
C.
Semiformally designed and tested
D.
Semiformally verified tested and checked
A

C

The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Target of Evaluations for high-risk situations.

6
Q

Which of the following is needed for System Accountability?

A.
Audit mechanisms.
B.
Documented design as laid out in the Common Criteria.
C.
Authorization.
D.
Formal verification of system design.
A

A

7
Q

The major objective of system configuration management is which of the following?

A.
System maintenance.
B.
System stability.
C.
System operations.
D.
System tracking.
A

B

The configuration baseline will be tried and tested and known to be stable.
Modifying the configuration settings of a system could lead to system instability.

System configuration management will help to ensure system stability by ensuring a consistent
configuration across the systems.

8
Q

The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior
for Internet users?

A.
Writing computer viruses.
B.
Monitoring data traffic.
C.
Wasting computer resources.
D.
Concealing unauthorized accesses.
A

C

IAB considers wasting resources (people, capacity, and computers) through purposeful actions
unethical.

9
Q

A deviation from an organization-wide security policy requires which of the following?

A.
Risk Acceptance
B.
Risk Assignment
C.
Risk Reduction
D.
Risk Containment
A

A

A deviation from an organization-wide security policy is a ‘risk’.

10
Q

Which of the following is the most important ISC2 Code of Ethics Canon?

A.
Act honorably, honestly, justly, responsibly, and legally
B.
Advance and protect the profession
C.
Protect society, the commonwealth, and the infrastructure
D.
Provide diligent and competent service to principals

A

C

11
Q

Within the realm of IT security, which of the following combinations best defines risk?

A.
Threat coupled with a breach.
B.
Threat coupled with a vulnerability.
C.
Vulnerability coupled with an attack.
D.
Threat coupled with a breach of security.
A

B

12
Q

Which of the following is considered the weakest link in a security system?

A.
People
B.
Software
C.
Communications
D.
Hardware
A

A

13
Q

Which one of the following represents an ALE calculation?

A.
Single loss expectancy x annualized rate of occurrence.
B.
Gross loss expectancy x loss frequency.
C.
Actual replacement cost - proceeds of salvage.
D.
Asset value x loss expectancy.
A

A

ALE = SLE × ARO

SLE = Asset Value × Exposure Factor (EF)

14
Q

Which of the following is the best reason for the use of an automated risk analysis tool?

A.
Much of the data gathered during the review cannot be reused for subsequent analysis.
B.
Automated methodologies require minimal training and knowledge of risk analysis.
C.
Most software tools have user interfaces that are easy to use and do not require any training.
D.
Information gathering would be minimized and expedited due to the amount of information already
built into the tool.

A

D

The objective of these tools is to reduce the manual effort of these tasks, perform calculations
quickly, estimate future expected losses, and determine the effectiveness and benefits of the
security countermeasures chosen.

15
Q

How is Annualized Loss Expectancy (ALE) derived from a threat?

A.
ARO x (SLE - EF)
B.
SLE x ARO
C.
SLE/EF
D.
AV x EF
A

B

16
Q

What does “residual risk” mean?
A.
The security risk that remains after controls have been implemented
B.
Weakness of an asset which can be exploited by a threat
C.
Risk that remains after risk assessment has been performed
D.
A security risk intrinsic to an asset being audited, where no mitigation has taken place.

A

A

17
Q
Preservation of confidentiality within information systems requires that the information is not
disclosed to:
A.
Authorized persons
B.
Unauthorized persons or processes.
C.
Unauthorized persons.
D.
Authorized persons and processes
A

B

18
Q

Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson
model?

A.
Prevention of the modification of information by unauthorized users.
B.
Prevention of the unauthorized or unintentional modification of information by authorized users.
C.
Preservation of the internal and external consistency.
D.
Prevention of the modification of information by authorized users.

A

D

The Clark-Wilson model enforces the three goals of integrity by using the access triple (subject,
software [TP], object), separation of duties, and auditing.

19
Q
What is called an event or activity that has the potential to cause harm to the information systems
or networks?
A.
Vulnerability
B.
Threat agent
C.
Weakness
D.
Threat
A

D

DIFFERENCE BETWEEN THREAT AGENT AND THREAT:

- Threat: any potential danger that is associated with the exploitation of a vulnerability (potential).

- Threat agent: could be an intruder accessing the network through a port on the firewall, a process
accessing data in a way that violates the security policy, a tornado wiping out a facility, or an
employee making an unintentional mistake that could expose confidential information (occurring/occurred).

20
Q
A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the
information systems or networks is called:
A.
a vulnerability.
B.
a risk.
C.
a threat.
D.
an overflow.
A

A

21
Q
What is called the probability that a threat to an information system will materialize?
A.
Threat
B.
Risk
C.
Vulnerability
D.
Hole
A

B

22
Q

Risk mitigation and risk reduction controls for providing information security are classified within
three main categories. Which of the following are they?
A.
Preventive, corrective, and administrative.
B.
Detective, corrective, and physical.
C.
Physical, technical, and administrative.
D.
Administrative, operational, and logical.

A

C

23
Q
Which of the following would be best suited to oversee the development of an information security
policy?
A.
System Administrators
B.
End User
C.
Security Officers
D.
Security administrators
A

C

24
Q

Which of the following is the MOST important aspect relating to employee termination?
A.
The details of employee have been removed from active payroll files.
B.
Company property provided to the employee has been returned.
C.
User ID and passwords of the employee have been deleted.
ISC CISSP Exam
“Leading the way in IT Testing & Certification Tools” - www.testking.com 16
D.
The appropriate company staff is notified about the termination

A

D

All are correct; however, D is the inclusive correct answer.

25
Q
Making sure that only those who are supposed to access the data can access it is which of the
following?
A.
confidentiality
B.
capability
C.
integrity
D.
availability
A

A

26
Q
Related to information security, confidentiality is the opposite of which of the following?
A.
closure
B.
disclosure
C.
disposal
D.
disaster
A

B

27
Q
Related to information security, integrity is the opposite of which of the following?
A.
abstraction
B.
alteration
C.
accreditation
D.
application
A

B

28
Q
Making sure that the data is accessible when and where it is needed is which of the following?
A.
confidentiality
B.
integrity
C.
acceptability
D.
availability
A

D

29
Q
Related to information security, availability is the opposite of which of the following?
A.
delegation
B.
distribution
C.
documentation
D.
destruction
A

D

30
Q
Related to information security, the prevention of the intentional or unintentional unauthorized
disclosure of contents is which of the following?
A.
Confidentiality
B.
Integrity
C.
Availability
D.
capability
A

A

31
Q
Good security is built on which of the following concepts?
A.
The concept of a pass-through device that only allows certain traffic in and out.
B.
The concept of defense in depth.
C.
The concept of preventative controls.
D.
The concept of defensive controls.
A

B

32
Q
The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP:
A.
Honesty
B.
Ethical behavior
C.
Legality
D.
Control
A

D

33
Q

Which one of these statements about the key elements of a good configuration process is NOT true?
A.
Accommodate the reuse of proven standards and best practices
B.
Ensure that all requirements remain clear, concise, and valid
C.
Control modifications to system hardware in order to prevent resource changes
D.
Ensure changes, standards, and requirements are communicated promptly and precisely

A

C

Configuration management should not be designed to prevent resource changes

34
Q

Which of the following is NOT part of user provisioning?

A.
Creation and deactivation of user accounts
B.
Business process implementation
C.
Maintenance and deactivation of user objects and attributes
D.
Delegating user administration
A

B

User provisioning involves the creation, maintenance, and deactivation of user objects and
attributes.

35
Q
Which of the following is MOST appropriate to notify an internal user that session monitoring is
being conducted?
A.
Logon Banners
B.
Wall poster
C.
Employee Handbook
D.
Written agreement
A

D

Not “A” because this is an internal user and an internal user is met face-to-face and therefore can sign an agreement.

36
Q
What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the
case where a company employs 100 data entry clerks and every one of them makes one input
error each month?
A.
100
B.
120
C.
1
D.
1200
A

D

37
Q

Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the
Internet (RFC 1087) as unacceptable and unethical activity?
A.
uses a computer to steal
B.
destroys the integrity of computer-based information
C.
wastes resources such as people, capacity and computers through such actions
D.
involves negligence in the conduct of Internet-wide experiments

A

A

Stealing using a computer is not addressed in RFC 1087.

38
Q

Keeping in mind that these objectives are provided for information only within the CBK, as they
apply only to the committee and not to individuals, which of the following statements
pertaining to the (ISC)2 Code of Ethics is NOT true?
A.
All information systems security professionals who are certified by (ISC)2 recognize that such a
certification is a privilege that must be both earned and maintained.
B.
All information systems security professionals who are certified by (ISC)2 shall provide diligent and
competent service to principals.
C.
All information systems security professionals who are certified by (ISC)2 shall forbid behavior
such as associating or appearing to associate with criminals or criminal behavior.
D.
All information systems security professionals who are certified by (ISC)2 shall promote the
understanding and acceptance of prudent information security measures.

A

C

The (ISC)2 Code of Ethics does not explicitly state that individuals who are certified by (ISC)2
should not associate with criminals or with criminal behavior.

39
Q
Which approach to a security program ensures people responsible for protecting the company's
assets are driving the program?
A.
The Delphi approach.
B.
The top-down approach.
C.
The bottom-up approach.
D.
The technology approach.
A

B

A top-down approach makes sure the people actually responsible for protecting the company’s
assets (senior management) are driving the program.

A bottom-up approach is commonly less effective.

40
Q
Which of the following is NOT a part of a risk analysis?
A.
Identify risks
B.
Quantify the impact of potential threats
C.
Provide an economic balance between the impact of the risk and the cost of the associated
countermeasure
D.
Choose the best countermeasure
A

D

Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure
would be part of risk mitigation.

41
Q
How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?
A.
Reject the risk.
B.
Perform another risk analysis.
C.
Accept the risk.
D.
Reduce the risk.
A

C

42
Q
Which of the following is NOT an administrative control?
A.
Logical access control mechanisms
B.
Screening of personnel
C.
Development of policies, standards, procedures and guidelines
D.
Change control procedures
A

A

A “logical control” is also known as a “technical control”.

43
Q

Which of the following outlined how senior management are responsible for the computer and
information security decisions that they make and what actually took place within their
organizations?
A.
The Computer Security Act of 1987.
B.
The Federal Sentencing Guidelines of 1991.
C.
The Economic Espionage Act of 1996.
D.
The Computer Fraud and Abuse Act of 1986.

A

B

Senior management could be responsible for monetary damages up to $10 million or twice the
gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

44
Q

What are the three FUNDAMENTAL principles of security?
A.
Accountability, confidentiality and integrity
B.
Confidentiality, integrity and availability
C.
Integrity, availability and accountability
D.
Availability, accountability and confidentiality

A

B

45
Q
What would BEST define risk management?
A.
The process of eliminating the risk
B.
The process of assessing the risks
C.
The process of reducing risk to an acceptable level
D.
The process of transferring risk
A

C

46
Q
Within the context of the CBK, which of the following provides a MINIMUM level of security
ACCEPTABLE for an environment?
A.
A baseline
B.
A standard
C.
A procedure
D.
A guideline
A

A

47
Q
Related to information security, the guarantee that the message sent is the message received with
the assurance that the message was not intentionally or unintentionally altered is an example of
which of the following?
A.
Integrity
B.
Confidentiality
C.
Availability
D.
Identity
A

A

48
Q
Which of the following is NOT a technical control?
A.
Password and resource management
B.
Identification and authentication methods
C.
Monitoring for physical intrusion
D.
Intrusion Detection Systems
A

C

49
Q

Which of the following would NOT violate the Due Diligence concept?
A.
Security policy being outdated
B.
Data owners not laying out the foundation of data protection
C.
Network administrator not taking mandatory two-week vacation as planned
D.
Latest security patches for servers being installed as per the Patch Management process

A

D

50
Q

Ensuring least privilege does NOT require:
A.
Identifying what the user’s job is.
B.
Ensuring that the user alone does not have sufficient rights to subvert an important process.
C.
Determining the minimum set of privileges required for a user to perform their duties.
D.
Restricting the user to required privileges and nothing more.

A

B

The answer is an example of separation of duties where it would take collusion between two or more people to subvert the process.

51
Q
Who is responsible for providing reports to the senior management on the effectiveness of the
security controls?
A.
Information systems security professionals
B.
Data owners
C.
Data custodians
D.
Information systems auditors
A

D

52
Q

What is the highest amount a company should spend annually on countermeasures for protecting
an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of
once every five years and an exposure factor (EF) of 30%?
A.
$300,000
B.
$150,000
C.
$60,000
D.
$1,500

A

C

The exposure factor (EF) represents the percentage of loss a realized threat could have on a
certain asset.
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a
specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0
(once a year) to greater than 1 (several times a year) and anywhere in between. For example, if
the probability of a fire taking place and damaging our data warehouse is once every ten years,
the ARO value is 0.1.
In this question, the EF is 30%, so the SLE is $1,000,000 x 30% = $300,000.
The ARO is once every five years which equals 0.2 (1 / 5).
Therefore, the highest amount a company should spend annually on countermeasures is
$300,000 x 0.2 = $60,000.

53
Q
Which of the following statements pertaining to quantitative risk analysis is NOT true?
A.
Portion of it can be automated
B.
It involves complex calculations
C.
It requires a high volume of information
D.
It requires little experience to apply
A

D

54
Q
Which property ensures that only the intended recipient can access the data and nobody else?
A.
Confidentiality
B.
Capability
C.
Integrity
D.
Availability
A

A

55
Q
Making sure that the data has not been changed unintentionally, due to an accident or malice is:
A.
Integrity.
B.
Confidentiality.
C.
Availability.
D.
Auditability.
A

A

56
Q

Which of the following are the steps usually followed in the development of documents such as
security policy, standards and procedures?
A.
design, development, publication, coding, and testing
B.
design, evaluation, approval, publication, and implementation
C.
initiation, evaluation, development, approval, publication, implementation, and maintenance
D.
feasibility, development, approval, implementation, and integration

A

C

57
Q

What is the goal of the Maintenance phase in a common development process of a security
policy?
A.
to review the document on the specified review date
B.
publication within the organization
C.
to write a proposal to management that states the objectives of the policy
D.
to present the document to an approving body

A

A

58
Q

What is the difference between Advisory and Regulatory security policies?
A.
there is no difference between them
B.
regulatory policies are high level policy, while advisory policies are very detailed
C.
Advisory policies are not mandated. Regulatory policies must be implemented.
D.
Advisory policies are mandated while Regulatory policies are not

A

C

59
Q
Risk analysis is MOST useful when applied during which phase of the system development
process?
A.
Project initiation and Planning
B.
Functional Requirements definition
C.
System Design Specification
D.
Development and Implementation
A

A

60
Q

What is the main purpose of Corporate Security Policy?
A.
To transfer the responsibility for the information security to all users of the organization
B.
To communicate management’s intentions in regards to information security
C.
To provide detailed steps for performing specific actions
D.
To provide a common framework for all development activities

A

B

The corporate security policy dictates what role security plays within the organization.

61
Q

Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC
1087)?
A.
Access to and use of the Internet is a privilege and should be treated as such by all users of the
systems.
B.
Users should execute responsibilities in a manner consistent with the highest standards of their
profession.
C.
There must not be personal data record-keeping systems whose very existence is secret.
D.
There must be a way for a person to prevent information about them, which was obtained for one
purpose, from being used or made available for another purpose without their consent.

A

A

RFC 1087 is called “Ethics and the Internet.” This RFC outlines the concepts pertaining to what
the IAB considers unethical and unacceptable behavior.

62
Q

Out of the steps listed below, which one is not one of the steps conducted during the Business
Impact Analysis (BIA)?
A.
Alternate site selection
B.
Create data-gathering techniques
C.
Identify the company’s critical business functions
D.
Select individuals to interview for data gathering

A

A

Alternate site selection is part of the BCP, not the BIA.

63
Q
In the CIA triad, what does the letter A stand for?
A.
Auditability
B.
Accountability
C.
Availability
D.
Authentication
A

C

64
Q

Controls are implemented to:
A.
eliminate risk and reduce the potential for loss.
B.
mitigate risk and eliminate the potential for loss.
C.
mitigate risk and reduce the potential for loss.
D.
eliminate risk and eliminate the potential for loss.

A

C

65
Q
What can be described as a measure of the magnitude of loss or impact on the value of an asset?
A.
Probability
B.
Exposure factor
C.
Vulnerability
D.
Threat
A

B

The exposure factor (EF) represents the percentage of loss a realized threat could have on a
certain asset.

66
Q
The scope and focus of the Business continuity plan development depends most on:
A.
Directives of Senior Management
B.
Business Impact Analysis (BIA)
C.
Scope and Plan Initiation
D.
Skills of BCP committee
A

B

67
Q
Which of the following best allows risk management results to be used knowledgeably?
A.
A vulnerability analysis
B.
A likelihood assessment
C.
An uncertainty analysis
D.
Threat identification
A

C

An uncertainty analysis attempts to document the uncertainty in the risk analysis so that the risk
management results can be used knowledgeably. There are two primary sources of uncertainty in
the risk management process: (1) a lack of confidence or precision in the risk management model
or methodology and (2) a lack of sufficient information to determine the exact value of the
elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

68
Q

Which of the following control pairings include: organizational policies and procedures, preemployment
background checks, strict hiring practices, employment agreements, employee
termination procedures, vacation scheduling, labeling of sensitive materials, increased
supervision, security awareness training, behavior awareness, and sign-up procedures to obtain
access to information systems and networks?
A.
Preventive/Administrative Pairing
B.
Preventive/Technical Pairing
C.
Preventive/Physical Pairing
D.
Detective/Administrative Pairing

A

A

69
Q
What can best be defined as high-level statements, beliefs, goals and objectives?
A.
Standards
B.
Policies
C.
Guidelines
D.
Procedures
A

B

A policy is defined as a high-level document that outlines senior management’s security directives.

A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy.

70
Q

In an organization, an Information Technology security function should:
A.
Be a function within the information systems function of an organization.
B.
Report directly to a specialized business unit such as legal, corporate security or insurance.
C.
Be led by a Chief Security Officer and report directly to the CEO.
D.
Be independent but report to the Information Systems function.

A

C

All are correct except D, but C is the best answer.

71
Q

Qualitative loss resulting from the business interruption does NOT usually include:
A.
Loss of revenue
B.
Loss of competitive advantage or market share
C.
Loss of public confidence and credibility
D.
Loss of market leadership

A

A

Qualitative does not have to do with money. Qualitative is used for strategic decision-making.

Qualitative impact includes such factors as reputation, goodwill, value of the brand and lost
opportunity, among others.

72
Q

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?
A.
Calculate the risk for each different business function.
B.
Identify the company’s critical business functions.
C.
Calculate how long these functions can survive without these resources.
D.
Develop a mission statement.

A

D

73
Q

Which of the following is NOT a common integrity goal?
A.
Prevent unauthorized users from making modifications.
B.
Maintain internal and external consistency.
C.
Prevent authorized users from making improper modifications.
D.
Prevent paths that could lead to inappropriate disclosure.

A

D

74
Q
At what Orange Book evaluation levels are design specification and verification FIRST required?
A.
C1 and above.
B.
C2 and above.
C.
B1 and above.
D.
B2 and above.
A

C

NO IDEA WHAT THIS IS… RESEARCH THIS

B1: Labeled Security: Each data object must contain a classification label and each subject must
have a clearance label. When a subject attempts to access an object, the system must compare
the subject’s and object’s security labels to ensure the requested actions are acceptable. Data
leaving the system must also contain an accurate security label. The security policy is based on an
informal statement, and the design specifications are reviewed and verified.
This security rating is intended for environments that require systems to handle classified data.

75
Q

Which of the following is an advantage of a qualitative over a quantitative risk analysis?
A.
It prioritizes the risks and identifies areas for immediate improvement in addressing the
vulnerabilities.
B.
It provides specific quantifiable measurements of the magnitude of the impacts.
C.
It makes a cost-benefit analysis of recommended controls easier.
D.
It can easily be automated.

A

A

One risk assessment methodology is called FRAP, which stands for Facilitated Risk Analysis Process.

76
Q

An effective information security policy should NOT have which of the following characteristics?
A.
Include separation of duties
B.
Be designed with a short- to mid-term focus
C.
Be understandable and supported by all stakeholders
D.
Specify areas of responsibility and authority

A

B

It should be created with the intention of having the policies in place for several years at a time.

77
Q

Which of the following choices is NOT normally part of the questions that would be asked in
regards to an organization’s information security policy?
A.
Who is involved in establishing the security policy?
B.
Where is the organization’s security policy defined?
C.
What are the actions that need to be performed in case of a disaster?
D.
Who is responsible for monitoring compliance to the organization’s security policy?

A

C

78
Q
The property of a system or a system resource being accessible and usable upon demand by an
authorized system entity, according to performance specifications for the system is referred to as?
A.
Confidentiality
B.
Availability
C.
Integrity
D.
Reliability
A

B

79
Q
Which of the following would BEST classify as a management control?
A.
Review of security controls
B.
Personnel security
C.
Physical and environmental protection
D.
Documentation
A

A

Management controls are largely procedural. REVIEWING is a procedure.

80
Q
Valuable paper insurance coverage does cover damage to which of the following?
A.
Inscribed, printed and Written documents
B.
Manuscripts
C.
Records
D.
Money and Securities
A

D

Valuable paper insurance covers all of these things; however, D is the best answer.

81
Q

Which of the following statements pertaining to a security policy is NOT true?
A.
Its main purpose is to inform the users, administrators and managers of their obligatory
requirements for protecting technology and information assets.
B.
It specifies how hardware and software should be used throughout the organization.
C.
It needs to have the acceptance and support of all levels of employees within the organization in
order for it to be appropriate and effective.
D.
It must be flexible to the changing environment.

A

B

A security policy does not specify how hardware and software should be used throughout the organization. This is what the AUP is for.

82
Q

If your property insurance has an Actual Cash Valuation (ACV) clause, your damaged property will be
compensated based on:
A.
Value of item on the date of loss
B.
Replacement with a new item for the old one regardless of condition of lost item
C.
Value of item one month before the loss
D.
Value of item on the date of loss plus 10 percent

A

A

83
Q
The preliminary steps to security planning include all of the following EXCEPT which of the
following?
A.
Establish objectives.
B.
List planning assumptions.
C.
Establish a security audit function.
D.
Determine alternate courses of action
A

C

Security planning should include establishing objectives, listing assumptions and determining
alternate courses of action.

Security planning does not include establishing a security audit function. Auditing security is
performed to ensure that the security measures implemented as described in the security plan are
effective.

84
Q
Step-by-step instructions used to satisfy control requirements are called a:
A.
policy.
B.
standard.
C.
guideline.
D.
procedure.
A

D

85
Q

One purpose of a security awareness program is to modify:
A.
employees’ attitudes and behaviors towards the enterprise’s security posture.
B.
management’s approach towards the enterprise’s security posture.
C.
attitudes of employees with sensitive data.
D.
corporate attitudes about safeguarding data.

A

A
The goal is for each employee to understand the importance of security to the company as a
whole and to each individual.

This can best be achieved through a formalized process of security-awareness training.

86
Q

What is a security policy?
A.
High-level statements of management’s expectations that must be met with regard to security
B.
A policy that defines authentication to the network.
C.
A policy that focuses on ensuring a secure posture and expresses management approval. It
explains in detail how to implement the requirements.
D.
A statement that focuses on the authorization process for a system

A

A

87
Q

The end result of implementing the principle of least privilege means which of the following?
A.
Users would get access to only the info for which they have a need to know
B.
Users can access all systems.
C.
Users get new privileges added when they change positions.
D.
Authorization creep.

A

A

88
Q

Which of the following exemplifies proper separation of duties?
A.
Operators are not permitted to modify the system time.
B.
Programmers are permitted to use the system console.
C.
Console operators are permitted to mount tapes and disks.
D.
Tape operators are permitted to use the system console.

A

A

89
Q
An access control policy for a bank teller is an example of the implementation of which of the
following?
A.
Rule-based policy
B.
Identity-based policy
C.
User-based policy
D.
Role-based policy
A

D

90
Q
At which of the Orange Book evaluation levels is configuration management required?
A.
C1 and above.
B.
C2 and above.
C.
B1 and above.
D.
B2 and above.
A

D

Configuration management consists of identifying, controlling, accounting for, and auditing all
changes made to a particular system or equipment during its life cycle. In particular, as related to
equipment used to process classified information, equipment can be identified in categories of
COMSEC, TEMPEST, or as a Trusted Computer Base (TCB).
The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for
classes B2 through A1 be controlled by configuration management.

91
Q
Which type of security control is also known as "Logical" control?
A.
Physical
B.
Technical
C.
Administrative
D.
Risk
A

B

Technical controls, which are also known as logical controls, are software or hardware
components such as firewalls, IDS, encryption, and identification and authentication mechanisms.

92
Q

Which Security and Audit Framework has been adopted by some organizations working towards
Sarbanes-Oxley Section 404 compliance?
A.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
B.
BIBA
C.
National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)
D.
CCTA Risk Analysis and Management Method (CRAMM)

A

A

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals
more at the strategic level, while CobiT focuses more at the operational level. You can think of
CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO
deals with non-IT items also, as in company culture, financial accounting principles, board of
director responsibility, and internal communication structures. COSO was formed to provide
sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that
studies deceptive financial reports and what elements lead to them.
There have been laws in place since the 1970s that basically state that it is illegal for a
corporation to cook its books (manipulate its revenue and earnings reports), but it took the
Sarbanes–Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S.
federal law that, among other things, can send executives to jail if it is discovered that their
company submitted fraudulent accounting findings to the Securities and Exchange Commission
(SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has
to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT
to help construct and maintain their internal COSO structure.

93
Q

The Widget Company decided to take the company public and, while in the process of
doing so, had an external auditor come and look at the company. As part of the external audit
the auditor brought in a technology expert, who incidentally was a new CISSP. The auditor’s expert
asked to see the last risk analysis from the technology manager. The technology manager did
not get back to him for a few days, and then the Chief Financial Officer gave the auditors a 2-page
risk assessment that was signed by both the Chief Financial Officer and the Technology Manager.
While reviewing it, the auditor noticed that only parts of the financial data were being backed up
on site and nowhere else; the Chief Financial Officer had accepted the risk of only partial financial data
being backed up with no off-site copies available.
Who owns the risk with regard to the data that is being backed up and where it is stored?
A.
Only the Chief Financial Officer
B.
Only the most Senior Management such as the Chief Executive Officer
C.
Both the Chief Financial Officer and Technology Manager
D.
Only The Technology Manager

A

A

The chief financial officer (CFO) is a member of the board. The board members are responsible
for setting the organization’s strategy and risk appetite (how much risk the company should take
on).
In this question, the Chief Financial Officer accepted the risk of only partial financial data being
backed up with no off-site copies available. The Chief Financial Officer therefore owns the risk.

94
Q
The control measures that are intended to reveal the violations of security policy using software
and hardware are associated with:
A.
preventive/physical.
B.
detective/technical.
C.
detective/physical.
D.
detective/administrative
A

B

95
Q

Which of the following steps is NOT one of the eight detailed steps of a Business Impact
Assessment (BIA)?
A.
Notifying senior management of the start of the assessment.
B.
Creating data gathering techniques.
C.
Identifying critical business functions.
D.
Calculating the risk for each different business function.

A

A

Notifying senior management of the start of the assessment is not one of the eight steps in the BIA
process.
Note: The steps of a Business Impact Assessment are:
Step 1: Determine information gathering techniques.
Step 2: Select interviewees (i.e., stakeholders).
Step 3: Customize questionnaire to gather economic and operational impact information.
Step 4: Analyze collected impact information.
Step 5: Determine time-critical business systems.
Step 6: Determine maximum tolerable downtimes (MTD).
Step 7: Prioritize critical business systems based on MTD.
Step 8: Document findings and report recommendations.

96
Q

Which of the following provides enterprise management with a prioritized list of time-critical
business processes, and estimates a recovery time objective for each of the time critical
processes and the components of the enterprise that support those processes?
A.
Business Impact Assessment
B.
Current State Assessment
C.
Risk Mitigation Assessment.
D.
Business Risk Assessment.

A

A

97
Q
Which of the following answers is the BEST example of Risk Transference?
A.
Insurance
B.
Results of Cost Benefit Analysis
C.
Acceptance
D.
Not hosting the services at all
A

A

98
Q
Which of the following answers BEST relates to the type of risk analysis that involves committees,
interviews, opinions and subjective input from staff?
A.
Qualitative Risk Analysis
B.
Quantitative Risk Analysis
C.
Interview Approach to Risk Analysis
D.
Managerial Risk Assessment
A

A

Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys,
questionnaires, checklists, one-on-one meetings, and interviews.

99
Q
Regarding risk reduction, which of the following answers is BEST defined as the process of giving
individuals only just enough access to information for them to perform their job functions?
A.
Least Privilege Principle
B.
Minimum Privilege Principle
C.
Mandatory Privilege Requirement
D.
Implicit Information Principle
A

A

100
Q
Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are
associated with:
A.
preventive/physical.
B.
detective/technical.
C.
detective/physical.
D.
detective/administrative.
A

D

101
Q

John is the product manager for an information system. His product has undergone a security
review by an IS auditor. John has decided to apply appropriate security controls to reduce the
security risks identified by the IS auditor. Which of the following techniques is John using to treat
the risks identified by the IS auditor?
A.
Risk Mitigation
B.
Risk Acceptance
C.
Risk Avoidance
D.
Risk transfer

A

A

102
Q

Sam is the security manager of a financial institution. Senior management has requested that he
perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the
risk analysis, Sam has observed that for a few of the risks, the cost benefit analysis shows that the
risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that
could be incurred. What kind of strategy should Sam recommend to senior management to
treat these risks?
A.
Risk Mitigation
B.
Risk Acceptance
C.
Risk Avoidance
D.
Risk transfer

A

B