CISSP-ISSMP Topic 3
QUESTION NO: 91
Which of the following tools works by using a standard set of MS-DOS commands and can create an MD5 hash of an entire drive, partition, or selected files?
A. Device Seizure
B. Ontrack
C. DriveSpy
D. Forensic Sorter
Answer: C
Explanation:
QUESTION NO: 92
Which of the following needs to be documented to preserve evidence for presentation in court?
A. Separation of duties
B. Account lockout policy
C. Incident response policy
D. Chain of custody
Answer: D
Explanation:
QUESTION NO: 93
Which of the following statements best explains how encryption works on the Internet?
A. Encryption encodes information using specific algorithms with a string of numbers known as a key.
B. Encryption validates a username and password before sending information to the Web server.
C. Encryption allows authorized users to access Web sites that offer online shopping.
D. Encryption helps in transaction processing by e-commerce servers on the Internet.
Answer: A
Explanation:
QUESTION NO: 94
Which of the following statutes, enacted in the U.S., prohibits creditors from collecting data from applicants such as national origin, caste, religion, etc.?
A. The Fair Credit Reporting Act (FCRA)
B. The Privacy Act
C. The Electronic Communications Privacy Act
D. The Equal Credit Opportunity Act (ECOA)
Answer: D
Explanation:
QUESTION NO: 95
Which of the following security models deal only with integrity? Each correct answer represents a complete solution. Choose two.
A. Biba-Wilson
B. Clark-Wilson
C. Bell-LaPadula
D. Biba
Answer: B,D
Explanation:
QUESTION NO: 96
Rick is the project manager for the TTM project. He is in the process of procuring services from vendors. He makes a contract with a vendor in which he precisely specifies the services to be procured, and any changes to the procurement specification will increase the costs to the buyer.
Which type of contract is this?
A. Firm Fixed Price
B. Fixed Price Incentive Fee
C. Cost Plus Fixed Fee Contract
D. Fixed Price with Economic Price Adjustment
Answer: A
Explanation:
QUESTION NO: 97
You are an Incident manager in Oranges Etc. Inc. You have been tasked to set up a new extension of your enterprise. The networking to be done in the new extension requires different types of cables and an appropriate policy, which will be decided by you. Which of the following stages in the Incident handling process involves your decision making?
A. Preparation
B. Eradication
C. Identification
D. Containment
Answer: A
Explanation:
QUESTION NO: 98
Which of the following security models focuses on data confidentiality and controlled access to classified information?
A. Bell-La Padula model
B. Take-Grant model
C. Clark-Wilson model
D. Biba model
Answer: A
Explanation:
QUESTION NO: 99
SIMULATION
Fill in the blank with the appropriate phrase. ____________ is the ability to record and report on the configuration baselines associated with each configuration item at any moment in time.
Answer:
Configuration status accounting
QUESTION NO: 100
SIMULATION
Fill in the blank with an appropriate phrase. ___________ is the process of using a strategy and plan of what patches should be applied to which systems at a specified time.
Answer:
Patch management
QUESTION NO: 101
Which of the following recovery plans includes specific strategies and actions to deal with specific variances to assumptions resulting in a particular security problem, emergency, or state of affairs?
A. Disaster recovery plan
B. Contingency plan
C. Continuity of Operations Plan
D. Business continuity plan
Answer: B
Explanation:
QUESTION NO: 102
Which of the following BCP teams handles financial arrangement, public relations, and media inquiries in the time of disaster recovery?
A. Software team
B. Off-site storage team
C. Applications team
D. Emergency-management team
Answer: D
Explanation:
QUESTION NO: 103
Eric is the project manager of the NQQ Project and has hired the ZAS Corporation to complete part of the project work for Eric’s organization. Due to a change request the ZAS Corporation is no longer needed on the project even though they have completed nearly all of the project work. Is Eric’s organization liable to pay the ZAS Corporation for the work they have completed so far on the project?
A. Yes, the ZAS Corporation did not choose to terminate the contract work.
B. It depends on what the outcome of a lawsuit will determine.
C. It depends on what the termination clause of the contract stipulates.
D. No, the ZAS Corporation did not complete all of the work.
Answer: C
Explanation:
QUESTION NO: 104
Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose three.
A. Assessing the impact of potential threats
B. Identifying the accused
C. Finding an economic balance between the impact of the risk and the cost of the counter measure
D. Identifying the risk
Answer: A,C,D
Explanation:
QUESTION NO: 105
You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Requested changes
D. Risk audits
Answer: C
Explanation:
QUESTION NO: 106
Della works as a security manager for SoftTech Inc. She is training some of the newly recruited personnel in the field of security management. She is giving a tutorial on DRP. She explains that the major goal of a disaster recovery plan is to provide an organized way to make decisions if a disruptive event occurs, and asks for the other objectives of the DRP. If you are among the newly recruited personnel in SoftTech Inc., what will be your answer to her question? Each correct answer represents a part of the solution. Choose three.
A. Protect an organization from major computer services failure.
B. Minimize the risk to the organization from delays in providing services.
C. Guarantee the reliability of standby systems through testing and simulation.
D. Maximize the decision-making required by personnel during a disaster.
Answer: A,B,C
Explanation:
QUESTION NO: 107
SIMULATION
Fill in the blank with an appropriate phrase. ______________ is used to provide security mechanisms for the storage, processing, and transfer of data.
Answer:
Data classification
QUESTION NO: 108
Software Development Life Cycle (SDLC) is a logical process used by programmers to develop software. Which of the following SDLC phases meets the audit objectives defined below?
- System and data are validated.
- System meets all user requirements.
- System meets all control requirements.
A. Programming and training
B. Evaluation and acceptance
C. Definition
D. Initiation
Answer: B
Explanation:
QUESTION NO: 109
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
A. Identification information for each stakeholder
B. Assessment information of the stakeholders’ major requirements, expectations, and potential influence
C. Stakeholder classification of their role in the project
D. Stakeholder management strategy
Answer: D
Explanation:
QUESTION NO: 110
Which of the following are examples of physical controls used to prevent unauthorized access to sensitive materials?
A. Thermal alarm systems
B. Closed circuit cameras
C. Encryption
D. Security Guards
Answer: A,B,D
Explanation:
QUESTION NO: 111
Which of the following security issues does the Bell-La Padula model focus on?
A. Authentication
B. Confidentiality
C. Integrity
D. Authorization
Answer: B
Explanation:
QUESTION NO: 112
Which of the following are examples of administrative controls? Each correct answer represents a complete solution. Choose all that apply.
A. Security awareness training
B. Security policy
C. Data Backup
D. Auditing
Answer: A,B
Explanation:
QUESTION NO: 113
Which of the following are the types of access controls? Each correct answer represents a complete solution. Choose three.
A. Administrative
B. Automatic
C. Physical
D. Technical
Answer: A,C,D
Explanation:
QUESTION NO: 114
Which of the following laws enacted in the United States makes it illegal for an Internet Service Provider (ISP) to allow child pornography to exist on Web sites?
A. Child Pornography Prevention Act (CPPA)
B. USA PATRIOT Act
C. Prosecutorial Remedies and Tools Against the Exploitation of Children Today Act (PROTECT Act)
D. Sexual Predators Act
Answer: D
Explanation:
QUESTION NO: 115
Which of the following representatives of the incident response team takes forensic backups of the systems that are the focus of the incident?
A. Legal representative
B. Technical representative
C. Lead investigator
D. Information security representative
Answer: B
Explanation:
QUESTION NO: 116
A Web-based credit card company had collected financial and personal details of Mark before issuing him a credit card. The company has now provided Mark’s financial and personal details to another company. Which of the following Internet laws has the credit card issuing company violated?
A. Copyright law
B. Trademark law
C. Privacy law
D. Security law
Answer: C
Explanation:
QUESTION NO: 117
You work as a Web Administrator for Perfect World Inc. The company is planning to host an Ecommerce Web site. You are required to design a security plan for it. Client computers with different operating systems will access the Web server. How will you configure the Web server so that it is secure and only authenticated users are able to access it? Each correct answer represents a part of the solution. Choose two.
A. Use encrypted authentication.
B. Use the SSL protocol.
C. Use the EAP protocol.
D. Use Basic authentication.
Answer: A,B
Explanation:
QUESTION NO: 118
Which of the following statements are true about security risks? Each correct answer represents a complete solution. Choose three.
A. They can be analyzed and measured by the risk analysis process.
B. They can be removed completely by taking proper actions.
C. They can be mitigated by reviewing and taking responsible actions based on possible risks.
D. They are considered an indicator of threats coupled with vulnerability.
Answer: A,C,D
Explanation:
QUESTION NO: 119
Which of the following methods for identifying appropriate BIA interviewees includes examining the organizational chart of the enterprise to understand the functional positions?
A. Organizational chart reviews
B. Executive management interviews
C. Overlaying system technology
D. Organizational process models
Answer: A
Explanation:
QUESTION NO: 120
Which of the following BCP teams provides clerical support to the other teams and serves as a message center for the user-recovery site?
A. Security team
B. Data preparation and records team
C. Administrative support team
D. Emergency operations team
Answer: C
Explanation:
QUESTION NO: 121
Which of the following architecturally related vulnerabilities is a hardware or software mechanism, which was installed to permit system maintenance and to bypass the system’s security protections?
A. Maintenance hook
B. Lack of parameter checking
C. Time of Check to Time of Use (TOC/TOU) attack
D. Covert channel
Answer: A
Explanation:
QUESTION NO: 122
You have created a team of HR Managers and Project Managers for Blue Well Inc. The team will concentrate on hiring some new employees for the company and on improving the organization's overall security by rotating employees among numerous job positions. Which of the following steps will you perform to accomplish the task?
A. Job rotation
B. Job responsibility
C. Screening candidates
D. Separation of duties
Answer: A
Explanation:
QUESTION NO: 123
Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and prepared some potential risk responses for them, but management wants you to do more. They would like you to create a chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
A. Quantitative analysis
B. Contingency reserve
C. Risk response
D. Risk response plan
Answer: B
Explanation:
QUESTION NO: 124
Which of the following persons is responsible for testing and verifying whether the security policy is properly implemented, and the derived security solutions are adequate or not?
A. Data custodian
B. Auditor
C. User
D. Data owner
Answer: B
Explanation:
QUESTION NO: 125
Which of the following are the process steps of OPSEC? Each correct answer represents a part of the solution. Choose all that apply.
A. Analysis of Vulnerabilities
B. Display of associated vulnerability components
C. Assessment of Risk
D. Identification of Critical Information
Answer: A,C,D
Explanation:
QUESTION NO: 126
You work as a project manager for SoftTech Inc. A threat with a dollar value of $150,000 is expected to happen in your project and the frequency of threat occurrence per year is 0.001. What will be the annualized loss expectancy in your project?
A. $180.25
B. $150
C. $100
D. $120
Answer: B
Explanation:
QUESTION NO: 127
Which of the following are the responsibilities of the owner with regard to data in an information classification program? Each correct answer represents a complete solution. Choose three.
A. Determining what level of classification the information requires.
B. Delegating the responsibility of the data protection duties to a custodian.
C. Reviewing the classification assignments at regular time intervals and making changes as the business needs change.
D. Running regular backups and routinely testing the validity of the backup data
Answer: A,B,C
Explanation:
QUESTION NO: 128
You work as the Network Administrator for a defense contractor. Your company works with sensitive materials and all IT personnel have at least a secret level clearance. You are still concerned that one individual could perhaps compromise the network (intentionally or unintentionally) by setting up improper or unauthorized remote access. What is the best way to avoid this problem?
A. Implement separation of duties.
B. Implement RBAC.
C. Implement three way authentication.
D. Implement least privileges.
Answer: A
Explanation:
QUESTION NO: 129
Which of the following statements is true about auditing?
A. It is used to protect the network against virus attacks.
B. It is used to track user accounts for file and object access, logon attempts, etc.
C. It is used to secure the network or the computers on the network.
D. It is used to prevent unauthorized access to network resources.
Answer: B
Explanation:
QUESTION NO: 130
SIMULATION
Fill in the blank with an appropriate phrase. _______ is a branch of forensic science pertaining to legal evidence found in computers and digital storage media.
Answer:
Computer forensics
QUESTION NO: 131
Your project team has identified a project risk that must be responded to. The risk has been recorded in the risk register and the project team has been discussing potential risk responses for the risk event. The event is not likely to happen for several months but the probability of the event is high. Which one of the following is a valid response to the identified risk event?
A. Earned value management
B. Risk audit
C. Technical performance measurement
D. Corrective action
Answer: D
Explanation: