Certified Information Systems Security Professional

Management of toxic gases is an activity that requires specialized training and equipment. This is not a normal awareness activity for employees.

All employees should have this issue addressed in their general emergency response awareness training.

This is the best criteria for selecting an insurance policy.

A DRP is primarily concerned with protecting against financial losses.

Asset loss is only part of the overall financial loss potential due to a crisis.

Equipment loss is only part of the overall financial loss potential due to a crisis.

Market share loss is only part of the overall financial loss potential due to a crisis.

Senior management is held liable for the lack of due care and due diligence in forming a disaster recovery plan.

The use of electronic vaulting is the fastest mechanism to restore a damaged system at the primary site from the backup stored at the secondary site. Electronic vaulting consists of the online storage of backups, which can be quickly accessed and restored.

Retrieving a system from the secondary site is not as efficient as electronic vaulting.

Retrieving a drive image from the secondary site is not as efficient as electronic vaulting.

Retrieving tapes from an offsite storage facility is not as efficient as electronic vaulting.

Minimizing the disaster recovery time period will directly reduce the losses associated with the disaster.

The presence of a hot site will not directly reduce losses due to a disaster; in general, a hot site is prohibitively expensive.

Personnel training will make disaster recovery more efficient, but only shortening the time period for recovery results in true loss prevention.

This is a normal and required step of disaster recovery, but it does not directly affect the loss associated with recovery.

The travel route is the most important aspect to consider from this list. If the data is highly classified, very high security standards need to be maintained. This would include varying the route and the time at which backup tapes are transferred offsite to prevent timed attacks against the transfer vehicles.

The format or type of backup tapes is inconsequential to the security for highly confidential military assets.

The number of backup tapes is inconsequential to the security for highly confidential military assets.

The useful life of the stored data is inconsequential to the security for highly confidential military assets.

The best way to test a DRP is like an unannounced fire drill. A few key managers should be aware of the test, but all aspects of the DRP should be implemented to ensure they operate as designed.

Waiting to test a DRP during an actual crisis is not a test. It is a plan for failure.

Simulations are not tests. A DRP requires implementation testing.

Waiting to test a DRP during an actual crisis is not a test. It is a plan for failure.

The mean time to repair determines how long it will take to repair a system and thus directly relates to the recovery time period.

The cost of the repair does not affect the recovery time period.

The availability of replacement parts is an element of the MTTR factor. MTTR directly relates to the length of time recovery requires.

BCP should focus on limiting recovery time, but it is not the primary factor in determining the length of an actual recovery time period.

The best preparatory action for such a disaster is an offsite backup solution.

A SOHO (small office, home office) LAN should have backup solutions as part of its contingency plan.

A SOHO (small office, home office) LAN should not involve concern for remote access connectivity for telecommuters because a LAN is not a WAN and thus does not require remote access connections and a SOHO environment doesn't have telecommuters.

Plans for a SOHO (small office, home office) LAN should not consider a hot site alternative processing facility due to the extreme expense. Plus, such as site is typically unnecessary or excessive.

Plans for a SOHO (small office, home office) LAN should not consider rolling mobile backup sites because they are extremely expensive and are excessive for a SOHO LAN environment.

Switches often offer redundant connection paths to destinations.

A UPS offers redundancy and fault tolerance for the supply of power.

FDDI is a fault-tolerant and redundant form of Token-Ring.

A hub is not redundant or fault tolerant.

This is not an element or aspect of the ISC2 code of ethics; the code is not enforceable by law.

This is in the preamble of the ISC2 code of ethics.

This is one of the cannons of the ISC2 code of ethics.

This is not addressed in the cannons of the ISC2 code of ethics.

This is addressed in the cannons of the ISC2 code of ethics.

This is not listed or defined as an unethical and unacceptable activity by RFC 1087.

This is listed or defined as an unethical and unacceptable activity by RFC 1087.

The theft of small amounts of information from many sources to compile or infer data about something private or classified is known as the Salami technique.

Masquerading is pretending to be something you are not.

Data diddling is the act of unauthorized modification of data.

Espionage is the use of spies to discover private or secret information.

Masquerading is another name for the crime of impersonation or spoofing.

Spamming is the act of sending an account or a system a large amount of unrequested messages, such as email or newsgroup postings.

Data diddling is the act of unauthorized modification of data.

Social engineering is using human nature against people to discover private or confidential information or to get them to perform unauthorized activities.

Superzap is a tool used to bypass system security to modify or disclose data.

Email spam is unwanted, can cause a DoS attack, and can be the carrier agent of malicious code, but it is not itself considered a form of malicious code.

The computer crime that attempts to alter the financial status of a nation, disrupt its power grid, or misrepresent the capabilities of an enemy is known as information warfare.

The theft of small amounts of information from many sources to compile or infer data about something private or classified is known as the Salami technique.

Data diddling is the act of unauthorized modification of data.

Espionage is the use of spies to discover private or secret information.

This is incorrect. The investigation of a computer crime usually requires a specialist or an expert to gather evidence and process a crime scene.

The 1991 U.S. Federal Sentencing Guidelines established punishment guidelines for breaking federal laws.

The 1991 U.S. Federal Sentencing Guidelines establish a link between the degree/severity of punishment and the extent of due care.

This is not an aspect of showing that due care is properly implemented and practiced. Homogeneity of systems on a network does not offer any special security benefits

This is an aspect of showing that due care is properly implemented and practiced.

The requirement that senior management must perform its duties with the same care that any normal, sensible person would under similar circumstances is known as the prudent man rule.

This element is not a requirement to prove negligence in court. This is used to prove liability.

This is an element required to prove negligence in court.

Statutory law is a form of common law that is created by the legislative branch.

Common law is created by the judicial branch.

Civil law is a form of common law that is created by the judicial branch.

Criminal law is a form of common law that is created by the judicial branch.

Criminal law is concerned with the protection of the public and offers imprisonment as a punishment.

Civil law is concerned with the wrongs inflicted against individuals or organizations but does not offer imprisonment as a punishment.

Intellectual property law is concerned with protecting original creations.

Regulatory law is concerned with the performance and conduct of organizations.

Temping someone into committing a crime through coercion is known as entrapment.

The method used to collect the evidence is not part of the chain of evidence, but it can be an important issue in court.

This is a component in the chain of evidence.

Destruction is not an element in the evidence life cycle. Evidence is never destroyed

This is an element in the evidence life cycle.

This is not a valid method of identifying evidence because it modifies it.

This is a valid method to identify evidence.

Hearsay evidence is evidence obtained from a secondary source rather than firsthand knowledge or experience

Secondary evidence is a copy of evidence or an oral description of its contents.

Circumstantial evidence is evidence gained through inference from other evidence or facts.

Conclusive evidence is incontrovertible.

The goal of an interrogation is to gather enough evidence to consider the subject a suspect.

The Gramm Leach Bliley Act of 1999 grants customers the ability to prohibit banks and financial institutions from sharing their personal information with nonaffiliated third parties.

The U.S. Computer Fraud and Abuse Act defines three new federal computer crimes.

The U.S. Privacy Act 1974 protects information about individuals within government databases.

The U.S. National Information Infrastructure Protection Act 1996 was an expansion of the U.S. Computer Fraud and Abuse Act to encourage the protection of confidentiality, integrity, and availability of data and systems.

Rebooting into any available state could result in booting into a privileged state, which is not the proper outcome when software encounters a security error.

A file is a collection of related items or records of the same type.

A record is a collection of related items.

A database is a cross-referenced collection of files.

A base relation is a table stored in a database.

A primary key is required in every row of a table to maintain uniqueness.

A schema holds the data that defines or describes the database.

A primary key is a column that makes each row of a table unique.

A data dictionary is the centralized storehouse of the data elements and their relationships used by developers.

A base relation is a table stored in a database.

A distributed data model uses many-to-many relationships.

A relational model uses one-to-one relationships.

A hierarchical model uses one-to-many relationships.

There is no such type as a reflective model.

Concurrency is a mechanism used to ensure that database information is always correct.

The semantic integrity mechanism ensures that structural and semantic rules are not violated.

The referential integrity mechanism ensures that no record contains references to a primary key of a nonexistent record.

A rollback statement is a mechanism that terminates the current transaction and cancels all changes made to the database.

Polyinstantiation is a mechanism that allows a duplicate primary key to be created at a lower sensitivity level when the same key already exists at a higher sensitivity level. This prevents inference.

A database table can have only a single primary key. This is not polyinstantiation.

Testing should never use real or live data.

Testing should ensure that only valid value ranges are accepted.

Testing should verify that incorrect input types are rejected.

Testing should verify all bounds and conditions of input.

Configuration identification is the procedure of identifying and documenting the functional and physical characteristics of all configuration items.

Configuration control is the procedure that controls changes to the configuration items.

Configuration status accounting is the procedure that records the processing of changes.

Configuration audit is the procedure that controls the quality of the configuration management process.

Defuzzification is the inference engine step used when a fuzzy output must be converted into a quantitative number.

Transposition is not a valid inference engine step.

Polyinstantiation is not a valid inference engine step.

Composition occurs when all the output variables assigned to fuzzy subsets are combined to create a single output variable.

Metadata is the collection of correlations between data or data about data.

A data mart is a storage facility for metadata that offers a high level of protection.

A data dictionary is the centralized storehouse of the data elements and their relationships used by developers.

A data warehouse is a repository of information from several heterogeneous databases.

ActiveX and Java are examples of mobile code.

Only Java can be run on any platform. ActiveX is limited to Microsoft operating systems.

Java can be either compiled or interpreted, whereas ActiveX is always compiled.

Only Java operates within a sandbox.

Requiring strong passwords is not a countermeasure against malicious code.

A file virus attaches itself to a program so it is activated whenever the software is executed.

A boot virus infects the boot sector on the primary hard drive.

A macro virus embeds itself in the template or macro set of a document.

A companion virus attaches itself to the OS or exploits the OS so the malicious code is executed before the intended code.

Although spam is unwanted and a large amount can result in a DoS attack, most spam is little more than annoying.

Although spoofing can be involved in some DoS attacks, spoofing in and of itself is not a DoS attack.

Human errors are the biggest issue related to database security. All other problems or issues are related to human errors, mistakes, or omissions.

An unapproved method of gaining access to a system is known as a backdoor.

Polymorphism is the capability of different objects to respond differently to the same message.

A Trojan horse is a program that seems to be benign but secretly harbors malicious code that executes in the background when the program is launched.

A covert channel is the use of a nonobvious and uncommon means of communication to transfer information.

Infosec should be introduced into a product's development cycle from inception.

Operations security is primarily concerned with protecting assets from threats.

Trusted recovery is a process that ensures a system's security is not violated when it encounters a failure requiring a restoration.

The primary goal of configuration change management is to ensure that all changes to the system do not diminish security.

Mandatory vacations allow for job auditing to ensure compliance with security policy and laws.

When an intruder enters through a secured doorway by tagging along with an authorized user, this is known as piggybacking.

Social engineering is the use of human nature against someone to get him to reveal information or perform an unauthorized activity.

Spoofing is impersonating something or someone else.

Security controls need to be transparent to the system.

Security controls can be simple or complex; their capability to perform as expected is more important than their complexity.

Some security controls should be obvious to the user, but most should be unseen by the user.

Dumpster diving is rarely if ever used as a means to improve security of an organization; most often it is used as a data gathering mission for an attack.

IDS is a form of scanning used to improve the security of an organization.

Port scanning is a form of scanning used to improve the security of an organization.

You should perform penetration testing against your own IT infrastructure before an attacker. If you discover a fault, you can fix it. If an attacker discovers a fault, she can exploit it.

Social engineering can be used to test a security infrastructure by your own testing team; however, in most cases social engineering is dealt with on a training and awareness level rather than a technical or logistical attack level.

Dumpster diving is rarely used as a method to test a security infrastructure by your own testing team. However, secure disposal of sensitive information should be addressed in the security policy to avoid this vulnerability.

War dialing can be used in a penetration test, so this is not the best answer.

Unfortunately, hostile customers are a fact of doing business.

Conducting private business on the company's IT infrastructure is a waste of company resources and therefore a threat to operational security.

Committing sexual or racial harassment is an inappropriate activity that is considered a threat to operational security.

Revealing the context of sensitive documents to users outside the realm of need-to-know.

The encryption of message traffic will not alter the traffic patterns themselves, which is the focus of traffic or trend analysis.

Trusted recovery is not concerned with the hot-swapping of a failed RAID member drive.

System reboot is a concern of trusted recovery.

Emergency system restart is a concern of trusted recovery.

Cold system boot is a concern of trusted recovery.

Hijacking is an attack that reroutes packets by altering network addresses in the routing table or DNS system.

Masquerading is a form of spoofing in which a system impersonates someone or something else.

Spoofing is impersonating something or someone else.

Superzapping is the use of a tool that bypasses system security to disclose or alter data.

System fingerprinting is a method of gathering information about a network to be used in an intrusion or attack attempt.

TCP wrappers are tools used as protection against port scanning.

IDS detects network perimeter access, but it does not block access.

Firewalls can be used to block access at the perimeter of a network.

Routers can be used to block access at the perimeter of a network.

Proxy servers can be used to block access at the perimeter of a network.

Shoulder surfing is the act of disclosing confidential information to another employee by the action of that employee viewing your system's screen or keyboard.

Social engineering is the use of human nature against someone to get him to reveal information or perform an unauthorized activity.

Espionage is the act of gathering proprietary data from one organization and disclosing it to another organization.

Enticement is providing the opportunity for an individual to perform a crime without coercion.

SATAN is a security vulnerability scanner, not a network sniffer.

IPSec's Authentication Header mode is the primary countermeasure to session hijacking.

Proxy servers are not a countermeasure for session hijacking.

Strong passwords are not a countermeasure for session hijacking.

An IDS is not a countermeasure for session hijacking. An IDS can detect session hijack attacks, but it does not prevent them.

RAID 5 is an example of a recovery control because RAID 5 offers fault-tolerance and can continue functioning with the loss of a single drive member.

Awareness training does contribute to security policy compliance, but it does not have the greatest effect.

Separation of duties does contribute to security policy compliance, but it does not have the greatest effect.

Principle of least privilege does contribute to security policy compliance, but it does not have the greatest effect.

Senior management is ultimately responsible for implementing prudent due care and is liable for negligence in protecting the assets of an organization.

The security team is responsible for implementing all aspects of the security policy but is not ultimately responsible for the failure of imposed security.

The IT department is responsible for supporting and maintaining the IT infrastructure but is not ultimately responsible for the failure of imposed security

A data custodian is responsible for implementing the security defined by the security policy but is not ultimately responsible for the failure of imposed security.

The best personnel arrangement for the design and management of security for an organization is a team of internal security professionals.

A representative from every department is not necessary or warranted for security design. A broad representation of all departments is useful in qualitative risk analysis, but not in overall security design and management.

Authorization is the aspect of access control that is responsible for verifying that you are allowed to perform the activities or actions you request on a system.

Environmental controls are physical security controls.

Logical access controls are technical security controls.

Security awareness training is an administrative security control.

Identification is a technical security control.

Confidentiality can be defined by "Unauthorized disclosure is prevented."

Integrity can be defined by "Unauthorized modification is prevented."

Availability can be defined by "Resources are accessible at all times by authorized users."

Availability can be defined by "Disasters can be recovered from quickly."

Blocking DoS attacks ensures availability.

Encrypting data ensures confidentiality.

Checking for valid input ensures integrity.

Training personnel ensures confidentiality.

Human error is a threat, not a vulnerability.

Unrestricted dial-in modems are a vulnerability.

Open ports are a vulnerability.

Absence of a password policy is a vulnerability.

Removing the vulnerability or removing the threat agent reduces risk.

Adjusting procedures does not reduce risk.

Installing fake security cameras does not reduce risk.

Logging system activity does not reduce risk.

"They reduce the risk of a threat taking advantage of a vulnerability" is the best definition offered in this question for countermeasures and safeguards.

Countermeasures and safeguards can eliminate exposure through configuration changes, but they can perform many other functions as well. This definition is incomplete.

Countermeasures and safeguards can block intrusion attempts, but they can perform many other functions as well. This definition is incomplete.

Countermeasures and safeguards can block damage by malicious code, but they can perform many other functions as well. This definition is incomplete.

Upper or senior management is responsible for establishing the foundations of security as well as ongoing support and direction.

The strategic plan, developed by the security team, is typically stable for 5 years and defines the security mission, goals, and objectives of an organization.

The tactical plan is typically stable for 1 year and defines, schedules, and manages the tasks necessary to implement the security objectives the organization.

The primary needs of a private sector business are integrity and availability.

The goal of risk management is to reduce risk to an acceptable level.

No system can be 100% risk free.

Not all security configurations reduce risk.

Risk reduction can be performed without an IDS.

Expanding security awareness training is not a goal of risk analysis.

Identifying all possible risks to an environment is a goal of risk analysis.

Quantifying the impact or cost of potential threats is a goal of risk analysis.

Providing a cost/benefit analysis of countermeasures and safeguards is a goal of risk analysis.

The risk assessment team, not senior management, is responsible for performing the cost/benefit analysis.

Senior management is responsible for defining the scope of the process, appointing the assessment team, and acting on the results.

The value of an asset determines its need for security.

Asset valuation does not typically improve asset hosting costs.

Usefulness in countermeasure selection is a benefit of asset valuation.

Insurance coverage identification is a benefit of asset valuation.

Preventing negligence of due care is a benefit of asset valuation.

A purely quantitative risk analysis cannot be performed because qualitative aspects cannot be quantified.

Quantitative analysis assigns real numbers to aspects of the analysis; subjective input is not used.

Qualitative analysis uses subjective information to perform an evaluation.

Asset Value x Exposure Factor x Annualized Rate of Occurrence or Single Loss Expectancy x Annualized Rate of Occurrence is the formula for the annualized loss expectancy.

Implementing an appropriate countermeasure is not a task of the risk assessment team. It provides only cost/analysis of countermeasures. Selecting an appropriate countermeasure based on the analysis and assigning the implementation procedure to the security management/administration team is the responsibility of management.

Performing a threat analysis is a task of the risk assessment team.

Estimating the potential for each risk to be realized is a task of the risk assessment team.

Assigning values to assets is a task of the risk assessment team.

The Delphi technique is a group decision method that seeks a consensus while retaining the anonymity of the participants.

Informative policies cannot be enforced.

Advisory policies are enforced through the use of noncompliance consequences, such as employment termination.

Organizational policies can be enforced if they are of a regulatory or advisory nature.

Regulatory policies can be enforced.

Guidelines do not serve as step-by-step implementation manuals.

Guidelines are used to introduce methodologies for handling various security issues.

Guidelines do provide recommended courses of action for security problems.

Guidelines do serve as operational guides for the IT staff.

The greatest number of threats to the assets of an organization come from inside the organization (over 85%).

The most important aspect of the exit interview is to review nondisclosure agreements.

The most important aspect of the exit interview is to review nondisclosure agreements.

Updating the job description is not a function or aspect of the exit interview.

Escorted removal is an activity for after the exit interview.

Implementing cost-effective safeguards is an aspect of a security plan, but not all safeguards or security mechanisms are inexpensive. The cost is not a characteristic of an efficient security plan.

A fingerprint is an example of a Type 3 authentication factor-something you are.

A synchronous dynamic password token generates unique passwords at fixed time intervals that must be provided to the authenticating system with the appropriate PIN within a valid time window.

The authentication factor used is not a form of access criteria.

Need-to-know is the security principle or axiom that restricts a person's access to resources or data even if he has sufficient security clearance.

TACACS is not a single sign-on technology; it is a centrally managed remote access authentication service.

SESAME was designed to address weaknesses in Kerberos.

Discretionary access control is most often implemented using ACLs.

TACACS+ supports two-factor authentication for remote access clients.