Certified Information Systems Security Professional

1. As part of emergency response awareness, all employees should have minimal training in all but which of the following? A. First aid B. Use of a fire extinguisher C. Evacuation routes D. Management of toxic gases
2. Which of the following is not an important element or aspect of business continuity planning (BCP) or disaster recovery planning (DRP)? A. Minimum operational IT system requirements. B. Obtaining replacement hardware. C. Restoring critical operations. D. Maintaining a reliable backup solution.
3. When selecting an insurance policy to reduce the effects of a disaster on an organization, what is the most important criterion to consider? A. Overall cost. B. Familiarity of the insurance company with your specific field of operation. C. Total value of the organization's assets. D. Evaluating asset value with various risks.
4. What is a disaster recovery plan primarily concerned with protecting against? A. Financial losses B. Asset losses C. Equipment losses D. Market share losses
5. If an organization does not have a disaster recovery plan and an earthquake destroys the primary processing facility, who is held liable? A. Insurance company B. IT staff C. Senior management D. Risk analysis team
6. Which backup or protection mechanisms can be used to quickly restore a database at the primary location due to a virus corruption from the data stored at the secondary location? A. Sending an employee to the second site to physically move the duplicate system back to the primary site. B. Creating a drive image from the secondary site and then using the drive image to restore the primary site. C. Offsite tape storage. D. Electronic vaulting.
7. What must occur to minimize losses due to a disaster? A. A hot site must be available for immediate transfer of production operations. B. Minimizing the disaster recovery time period. C. Ensuring all personnel are thoroughly trained in contingency activities. D. Ensuring noncritical functions are restored.
8. When storing backup tapes at an offsite facility for an organization that controls highly confidential military assets, which of the following is the most important aspect to consider? A. The format of the backup tapes. B. The number of backup tapes stored offsite. C. The useful life of the stored data. D. Whether the same route is traveled at the same time each day between the facility and the offsite storage location.
9. What is the best way to test a disaster recovery plan? A. During a crisis. B. Unannounced. C. Using simulations. D. Immediately after a disaster occurs.
10. When a hardware failure occurs, which designation determines the length of time the recovery process will take? A. Cost of the repair. B. Availability of replacement parts. C. Mean time to repair. D. Thoroughness of the business continuity plan.
11. A traffic accident results in a delivery van crashing into your server cage located in the corner of your building. All systems within the cage are damaged beyond repair. What would have been the best course of action to prepare for such an emergency? A. Arranging for a cold site backup facility. B. Adequately training employees in security awareness. C. Contracting with a neighboring company in a mutual aid agreement. D. Implementing a daily offsite electronic vault backup system.
12. When performing contingency planning for a SOHO LAN, which of the following should be considered? A. Remote access connectivity for telecommuters. B. Backup solutions. C. Hot site alternative processing facility. D. Rolling mobile backup sites with self-contained A/C and fully installed servers.
13. Which of the following network devices offers the least redundancy or fault tolerance? A. Switch B. UPS C. FDDI D. Hub
14. Which of the following is not an element or aspect of the ISC2 code of ethics? A. CISSP certification holders are required by law to uphold the ISC2 code of ethics. B. CISSP certification holders should adhere to the highest ethical standards of behavior. C. A condition of CISSP certification is adherence to the ISC2 code of ethics. D. Protect society, the commonwealth, and the infrastructure.
15. Which of the following is not directly specified in the canons of the ISC2 code of ethics? A. Act honorably, honestly, justly, responsibly, and legally. B. Provide diligent and competent service to principals. C. Don't write malicious code, such as viruses. D. Advance and protect the profession.
16. Which of the following is not defined as an unethical and unacceptable activity by RFC 1087? A. Soliciting for nonprofit organization donations. B. Wasting resources (people, capacity, computer) through such actions. C. Destroying the integrity of computer-based information. D. Compromising the privacy of users.
17. What is the theft of small amounts of information from many sources to compile or infer data about something private or classified known as? A. Masquerading B. The Salami technique C. Data diddling D. Espionage
18. What is the crime of impersonation or spoofing also known as? A. Spamming B. Data diddling C. Masquerading D. Social engineering
19. What is TEMPEST concerned with? A. Emanation eavesdropping. B. Distributed denial-of-service attacks. C. Password theft. D. Dumpster diving.
20. What is a superzap? A. A short-duration high-voltage surge of electricity. B. A tool used to discover the source of an Internet attack even when spoofed packets are used. C. A tool used to bypass system security to modify or disclose data. D. A firewall scanning tool used to detect open and active ports.
21. Which of the following is not malicious code? A. Email spam B. A virus C. A Trojan horse D. A worm
22. What is the computer crime that attempts to alter the financial status of a nation, disrupt its power grid, or misrepresent the capabilities of an enemy known as? A. Employing the Salami technique. B. Data diddling. C. Information warfare. D. Espionage.
23. Which of the following is not true? A. The investigation of a computer crime can usually be accomplished by the same forensic specialists used for any other type of crime scene. B. Evidence can be difficult to gather. C. Locations of the crimes can be separated by large geographic distances even though they were perpetrated through a computer at a single location. D. Electronic evidence can be destroyed easily, such as booting a system, running a program, or reading a file.
24. What did the 1991 U.S. Federal Sentencing Guidelines establish? A. Maximum sentences for the punishment of computer crimes. B. Multijurisdiction accumulation of sentencing. C. Punishment guidelines for breaking federal laws. D. Rules for a jury to follow when debating the guilt or innocence of a suspect.
25. The 1991 U.S. Federal Sentencing Guidelines establish a link between the degree/severity of punishment and ______. A. the extent of due care. B. size of asset loss. C. financial cost to investors. D. amount of liability insurance.
26. Which of the following is not a way that a company can show that due care is properly implemented and practiced? A. Performing security awareness training. B. Performing penetration testing against the organization. C. Deploying a homogenous network. D. Running updated antivirus software.
27. What is the requirement that senior management must perform its duties with the same care that any normal, sensible person would under similar circumstances known as? A. The prudent man rule. B. The risk avoidance axiom. C. The liability avoidance method. D. Common sense.
28. Which of the following is not required to prove negligence in court? A. Legally recognized obligation. B. Failure to conform to a required standard. C. Proximate causation resulting in damage or injury. D. Violation of the prudent man rule.
29. Which type of laws is the legislative branch responsible for creating? A. Statutory law. B. Common law. C. Civil law. D. Criminal law.
30. Which type of law is concerned with the protection of the public and is able to assign imprisonment as a punishment? A. Civil law. B. Intellectual property law. C. Criminal law. D. Regulatory law.
31. Which of the following statements is true? A. European privacy laws are more restrictive than those of the U.S. B. U.S. privacy laws are more restrictive than those of Europe. C. European and U.S. privacy laws are about the same. D. Europe has far fewer privacy laws than the U.S.
32. Tempting someone into committing a crime through coercion is known as what? A. Enticement B. A sting operation C. Entrapment D. Penetration testing
33. Which of the following is not a component in the chain of evidence? A. The method used to collect, obtain, or gather the evidence. B. Location of evidence when it was collected. C. Identification of individuals who possessed the evidence from the time of collection to the present. D. The time the evidence was collected.
34. Which of the following is not an element of the evidence life cycle? A. Identification B. Transportation C. Destruction D. Return to owner
35. When identifying evidence collected at the scene of a computer crime, all but which of the following are valid methods for identifying evidence? A. Writing a file containing identification information to the storage media. B. Marking printouts with a permanent marker. C. Placing components in labeled bags. D. Making a list of serial numbers, makes, and models of components.
36. What is evidence obtained from a secondary source rather than firsthand knowledge or experience known as? A. Secondary evidence. B. Circumstantial evidence. C. Hearsay evidence. D. Conclusive evidence.
37. What is the goal of an interrogation? A. To gather enough evidence to consider the subject a suspect. B. To gather enough evidence to consider the individual a witness. C. To discern the who, what, when, where, why, and how of a crime. D. To clear the suspect of all suspicion.
38. Which of the following grants customers the ability to prohibit banks and financial institutions from sharing their personal information with nonaffiliated third parties? A. U.S. Computer Fraud and Abuse Act. B. U.S. Privacy Act 1974. C. Gramm Leach Bliley Act of 1999. D. U.S. National Information Infrastructure Protection Act 1996.
39. Which of the following can receive encrypted products exported from America? A. Any member of the European Union. B. Only to England. C. Any noncommunist country in the world. D. All countries but Iraq, China, and Vietnam.
40. Which of the following occurrences does not demonstrate foresight and planning on the part of a programmer when a software product encounters a security error? A. Blue screen. B. Switching into a nonprivileged state upon failure. C. Locking out all high-level privileges. D. Rebooting into any available state.
41. What is a collection of related items of the same type? A. File B. Record C. Database D. Base relation
42. Which of the following is required in every row of a table to maintain uniqueness? A. Cell B. File C. Primary key D. Schema
43. What holds the data that defines or describes the database? A. Schema B. Primary key C. Data dictionary D. Base relation
44. Which model of database is useful for mapping or creating many-to-many relationships? A. Relational model. B. Hierarchical model. C. Distributed data model. D. Reflective model.
45. What is concurrency? A. A mechanism used to ensure that database information is always correct. B. A mechanism to ensure that structural and semantic rules are not violated. C. A mechanism that ensures that no record contains references to a primary key of a nonexistent record. D. A mechanism that terminates the current transaction and cancels all changes made to the database.
46. What is polyinstantiation? A. A mechanism that prevents the creation of entities within a database at a lower sensitivity level when that entity already exists at a higher sensitivity level. B. A mechanism that allows a database table to contain two primary keys. C. A mechanism that allows a duplicate primary key to be created at a lower sensitivity level when the same key already exists at a higher sensitivity level. D. A mechanism for entering the same information into multiple databases simultaneously.
47. Which of the following is not true when performing testing during product development? A. Testing should use real or live data. B. Testing should ensure that only valid value ranges are accepted. C. Testing should verify that incorrect input types are rejected. D. Testing should verify all bounds and conditions of input.
48. Which procedure of configuration management is responsible for recording the processing of changes? A. Configuration identification. B. Configuration control. C. Configuration status accounting. D. Configuration audit.
49. Which inference engine step is used when a fuzzy output must be converted into a quantitative number? A. Transposition B. Polyinstantiation C. Defuzzification D. Composition
50. Which of the following is the collection of correlations between data or data about data? A. Data mart B. Metadata C. Data dictionary D. Data warehouse
51. What are Java and ActiveX examples of? A. Code that can be run on any platform. B. Interpreted programming languages. C. Programming languages that operate within a sandbox. D. Mobile code.
52. Which of the following is not a countermeasure against malicious code? A. Screening applets at the firewall. B. Requiring strong passwords. C. Requiring signed applets from trusted servers. D. Training users for safe Internet usage.
53. Which type of virus attaches itself to a program so it is activated whenever the software is executed? A. Boot virus. B. Macro virus. C. File virus. D. Companion virus.
54. Which of the following is not considered a denial-of-service attack? A. Consuming bandwidth from a victim. B. Sending a limited amount of spam to a victim. C. Blocking the ability to respond to legitimate traffic. D. Consuming all computing resources.
55. Which of the following is not a form of DoS attack? A. Teardrop B. SYN flood C. Fraggle D. Spoofing
56. What is a serialization error? A. A mistake made by a human when entering data into a database. B. A boundary error. C. A validation error. D. A time-of-use or a time-of-check error.
57. What is the biggest issue related to database security? A. Logic bombs. B. Human errors. C. Inference attacks. D. Validation errors.
58. What is an unapproved method of gaining access to a system known as? A. Polymorphism B. Trojan horse C. Covert channel D. Backdoor
59. At which point in a product's development cycle should information security (infosec) be introduced? A. Evaluation and testing. B. Inception. C. Design specification. D. Software development.
60. What is operations security primarily concerned with? A. Protecting assets from threats. B. Establishing audit trails. C. Classifying subjects. D. Managing personnel security awareness.
61. What is trusted recovery? A. A storage system that ensures the security of backup sets. B. An element in disaster recovery planning where the restoration of backups is assigned to a trusted team of security professionals. C. A process that ensures a system's security is not violated when it encounters a failure requiring a restoration. D. An automatic process that restores the most recent backup to a system when a security fault is encountered.
62. What is the goal of configuration change management? A. To ensure that all changes to the system do not diminish security. B. To control who performs changes to the security system. C. To track all changes to the security system. D. To automate the distribution of widespread security changes throughout a network.
63. What makes it possible to easily audit and inspect the work tasks of an employee? A. Separation of duties. B. Exit interviews. C. Mandatory vacations. D. Background checks.
64. Which of the following is considered the lowest level of privilege? A. Read-only B. Read-write C. Change access D. Need to know
65. Which of the following occurs when an intruder enters through a secured doorway by tagging along with an authorized user? A. Social engineering. B. Spoofing. C. Piggybacking. D. Eavesdropping.
66. What is the most important aspect of security controls? A. They need to be transparent to the system. B. They must be simple. C. They should be obvious to the user. D. They can be circumvented by a superzap tool.
67. Which of the following is not an auditing technique used to protect your IT environment? A. Intrusion detection system. B. Port scanning. C. Dumpster diving. D. Packet sniffing.
68. Before it can be performed against you by a malicious attacker, what should you use against your IT infrastructure first? A. Penetration testing. B. Social engineering. C. Dumpster diving. D. War dialing.
69. Which of the following is not a typical activity that causes a violation report to be created? A. Repetitive mistakes that exceed the clipping level. B. Users who attempt to exceed their access or privileges. C. Several users performing normal work tasks that consume significant system resources without exceeding a clipping level. D. Patterns of intrusion attempts.
70. Which of the following is not considered a threat to operational security? A. Responding to hostile customers via email. B. Conducting private business on the company's IT infrastructure. C. Distributing sexually charged material to co-workers.
71. Countermeasures against traffic or trend analysis include all but which of the following? A. Message padding. B. Noise transmission. C. Encrypting transmitted messages. D. Analyzing covert channel usage.
72. Trusted recovery is concerned with all but which of the following conditions? A. Hot-swapping of a failed RAID member drive. B. System reboot. C. Emergency system restart. D. Cold system boot.
73. What is an attack that reroutes packets by altering network addresses in the routing table or DNS system known as? A. Masquerading B. Spoofing C. Hijacking D. Superzapping
74. Which of the following is not an effective means to protect email transmitted over the Internet? A. Plain-text messages using polyalphabetic substitution ciphers. B. Using PGP. C. Implementing PKI. D. Performing message encryption at the Application layer.
75. What is system fingerprinting? A. A tool used by security administrators to examine the state of security on their networks. B. A process of testing the security mechanisms of a network. C. A method of gathering information about a network to be used in an intrusion or attack attempt. D. A biometric device that provides authentication for remote networks.
76. What are TCP wrappers useful for? A. Protecting against port scanning. B. Securing Internet communications. C. Blocking VPN eavesdropping. D. Preventing spoofing.
77. Which of the following cannot be used to block access at the perimeter of a network? A. Firewall. B. Router. C. IDS. D. Proxy server.
78. What is the disclosure of confidential information to another employee by the action of that employee viewing your system's screen or keyboard known as? A. Shoulder surfing. B. Social engineering. C. Espionage. D. Enticement.
79. Which of the following is not a network sniffer? A. Jack the ripper B. trinux C. SATAN D. Snort
80. Which of the following is the primary countermeasure to session hijacking? A. IPSec AH B. Proxy servers. C. Strong passwords. D. Intrusion detection system.
81. A RAID 5 array is an example of which type of security control? A. Detective B. Recovery C. Administrative D. Physical
82. Which of the following activities most strongly encourages users to comply with security policies? A. Awareness training. B. Separation of duties. C. Principle of least privilege. D. Activity monitoring.
83. Who is ultimately responsible for negligence in protecting the assets of an organization? A. Senior management. B. Security team. C. IT department. D. Data custodian.
84. Which of the following is the best personnel arrangement for the design and management of security for an organization? A. A single security professional from within the organization. B. A team of security professionals from the organization. C. A team of employees representing every department within the organization. D. An outside consultant.
85. Which aspect of access control is responsible for verifying that you are allowed to perform the activities or actions you request on a system? A. Auditing B. Authentication C. Administration D. Authorization
86. Which of the following is a physical security control? A. Logical access controls. B. Security awareness training. C. Identification. D. Environmental controls.
87. Which of the following is a valid definition for confidentiality? A. Unauthorized disclosure is prevented. B. Unauthorized modification is prevented. C. Resources are accessible at all times by authorized users. D. Disasters can be recovered from quickly.
88. Which of the following is a security control that ensures availability? A. Encrypting data. B. Blocking DoS attacks. C. Checking for valid input. D. Training personnel.
89. Which of the following is not a vulnerability? A. Unrestricted dial-in modems. B. Open ports. C. Absence of a password policy. D. Human error.
90. How can risk be reduced? A. Removing the vulnerability or removing the threat agent. B. Adjusting procedures. C. Installing fake security cameras. D. Logging system activity.
91. Which of the following is the best definition for countermeasures and safeguards? A. They eliminate exposure through configuration changes. B. They block intrusion attempts. C. They block damage by malicious code. D. They reduce the risk of a threat taking advantage of a vulnerability.
92. Who within an organization is responsible for establishing the foundations of security as well as ongoing support and direction? A. Security support staff. B. IT department. C. Upper or senior management. D. System administrators.
93. Which type of plan developed by the security team is typically stable for 5 years and defines the security mission, goals, and objectives of an organization? A. Operational plan. B. Tactical plan. C. Procedural plan. D. Strategic plan.
94. Which type of plan developed by the security team is typically stable for 1 year and defines, schedules, and manages the tasks necessary to implement the security objectives of the organization? A. Strategic plan. B. Tactical plan. C. Operational plan. D. Procedural plan.
95. The security model employed by an organization depends on its primary needs. What are the primary needs of a private sector business? A. Confidentiality and integrity. B. Confidentiality and availability. C. Integrity and availability. D. Access control and risk avoidance.
96. What is the goal of risk management? A. Reduce risk to an acceptable level. B. Remove all risk. C. Evaluate risks. D. Implement countermeasures.
97. Which of the following is true? A. All risks can be eliminated. B. All security configurations reduce risk. C. Risk reduction requires an IDS. D. No system can be 100% risk free.
98. Which of the following is not a goal of risk analysis? A. Expand security awareness training. B. Identify all possible risks to an environment. C. Quantify the impact or cost of potential threats. D. Provide a cost/benefit analysis of countermeasures and safeguards.
99. In risk analysis, senior management is responsible for all but which of the following? A. Performing the cost/benefit analysis. B. Defining the scope of the risk analysis process. C. Appointing the risk assessment team. D. Acting on the results of the analysis.
100. Which aspect of an asset determines whether it should be protected and to what extent that protection should extend? A. Accessibility B. Data type C. Value D. Accuracy
101. Which of the following is not a reason, benefit, or requirement to perform asset valuation? A. Reduces hosting costs. B. Useful in countermeasure selection. C. Insurance coverage identification. D. Prevents negligence of due care.
102. Which of the following statements is true? A. A purely quantitative risk analysis can be performed by the risk assessment team. B. A quantitative analysis requires the subjective input from users. C. A purely quantitative risk analysis cannot be performed because qualitative aspects cannot be quantified. D. Qualitative analysis requires specific dollar valuations of assets to be successful.
103. What is the formula used to derive annualized loss expectancy? A. Asset Value x Exposure Factor x Annualized Rate of Occurrence. B. Asset Value x Annualized Rate of Occurrence. C. Asset Value x Exposure Factor. D. Exposure Factor x Annualized Rate of Occurrence.
104. Which of the following is not a task that should be performed by the risk assessment/risk analysis team? A. Perform a threat analysis. B. Estimate the potential for each risk to be realized. C. Implement an appropriate countermeasure. D. Assign values to assets.
105. Which qualitative analysis method is a group decision method that seeks a consensus while retaining the anonymity of the participants? A. Delphi technique. B. Brainstorming. C. Storyboarding. D. Surveys.
106. In the formula for calculating residual risk, what does the controls gap element represent? A. Vulnerability. B. Potential of risk realization. C. Countermeasures and safeguards. D. Cost of risk analysis.
107. What type of policy is not enforceable? A. Informative B. Advisory C. Organizational D. Regulatory
108. Standards are used for what purpose in a formalized security structure? A. To implement industry regulations. B. To detail the overall scope and vision of security for an organization. C. To establish uniformity across an organization. D. To define the actual processes used to implement security.
109. Guidelines serve all but which of the following purposes within an organization's formalized security structure? A. A step-by-step implementation manual. B. To introduce methodologies for handling various security issues. C. To provide recommended courses of action for security problems. D. As operational guides for the IT staff.
110. Who is held liable for an organization's failure to perform due care and due diligence? A. End users. B. IT staff. C. Senior management. D. Security team.
111. Which of the following commercial business data classification levels represents the most sensitive collection of assets? A. Confidential B. Private C. Sensitive D. Public
112. Who is responsible for protecting the confidentiality, integrity, and availability of data? A. Senior management. B. Data Owner. C. Data Custodian. D. End User.
113. Where do the greatest number of threats to the assets of an organization come from? A. Inside the organization. B. Malicious code. C. The Internet. D. Hardware failures.
114. Job rotation as a security mechanism has shown itself effective against all but which of the following? A. Fraud. B. Data modification. C. Collusion. D. Misuse of information.
115. What is the most important aspect of the exit interview for terminated employees? A. Reviewing nondisclosure agreements. B. Updating the job description. C. Returning personal property. D. Escorted removal from the property.
116. All but which of the following are characteristics of an effective security plan? A. Achievable B. Specific C. Inexpensive D. Clearly stated
117. What are the three fundamental principles of security? A. Confidentiality, integrity, availability. B. Authentication, authorization, accountability. C. Accessibility, integrity, secrecy. D. Privacy, control, prevention.
118. Which of the following characterizes authorization? A. An audit log. B. A biometric. C. A security label or classification. D. A challenge response token.
119. What type of authentication factor is a fingerprint? A. Type 1 B. Type 2 C. Type 3 D. Type 4
120. What is a Type 1 authentication factor also known as? A. Something you know. B. Something you have. C. Something you are. D. Something you do.
121. What type of password offers the best security possible for password-based authentication? A. One-time passwords. B. Static passwords. C. Dynamic passwords. D. Passphrases.
122. What is the crossover error rate (CER) used for in regard to a biometric device? A. Tuning the device for efficiency. B. Comparing performance between similar devices. C. Adjusting the sensitivity of the device. D. Reducing the enrollment time.
123. Which type of token generates unique passwords at fixed time intervals that must be provided to the authenticating system with the appropriate PIN within a valid time window? A. Asynchronous password token. B. Challenge-response token. C. Synchronous dynamic password token. D. Static password token.
124. Access criteria are used to add need-to-know and trust level to the access control mechanisms. Which of the following is not a form of access criteria? A. Type of transaction. B. Authentication factor used. C. Logical location. D. Assigned role.
125. Which of the following is the security principle or axiom that restricts a person's access to resources or data even if he has sufficient security clearance? A. Principle of least privilege. B. Accountability. C. Clark-Wilson control. D. Need-to-know.
126. Which of the following is not an example of a single sign-on technology? A. Kerberos B. TACACS C. SESAME D. KryptoKnight
127. What authentication technology was developed to address weaknesses in Kerberos? A. RADIUS B. TACACS C. SESAME D. KryptoKnight
128. Discretionary access control is most often implemented using which mechanism? A. Access control lists (ACLs). B. Biometrics. C. Roles. D. Subject classification.
129. Which access control method is best suited for an organization with a high rate of personnel turnover and change? A. Access control lists. B. Mandatory access controls. C. Role-based access controls. D. Discretionary access controls.
130. Which authentication mechanism supports two-factor authentication for remote access clients? A. TACACS+ B. Kerberos C. RADIUS D. XTACACS