CISSP Topic 3
Q101. In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made?
A. Prepare to take corrective actions quickly.
B. Automate functionality testing.
C. Review logs for any anomalies.
D. Receive approval from the change review board.
B
Q102. What is the MAIN purpose of a security assessment plan?
A. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures.
B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
C. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation.
D. Provide technical information to executives to help them understand information security postures and secure funding.
B
Q103. What documentation is produced FIRST when performing an effective physical loss control process?
A. Deterrent controls list
B. Security standards list
C. Asset valuation list
D. Inventory list
D
Q104. Which organizational department is ultimately responsible for information governance related to e-mail and other e-records?
A. Legal
B. Audit
C. Compliance
D. Security
A
Q105. A cloud service provider requires its customer organizations to enable maximum audit logging for its data storage service and to retain the logs for a period of three months. The audit logging generates an extremely high volume of logs. What is the MOST appropriate strategy for the log retention?
A. Keep all logs in an online storage.
B. Keep last week’s logs in an online storage and the rest in an offline storage.
C. Keep last week’s logs in an online storage and the rest in a near-line storage.
D. Keep all logs in an offline storage.
C
Q106. In Federated Identity Management (FIM), which of the following represents the concept of federation?
A. Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
B. Collection of information logically grouped into a single entity
C. Collection of information for common identities in a system
D. Collection of domains that have established trust among themselves
D
Q107. Which of the following is an indicator that a company’s new user security awareness training module has been effective?
A. There are more secure connections to internal e-mail servers.
B. More incidents of phishing attempts are being reported.
C. Fewer incidents of phishing attempts are being reported.
D. There are more secure connections to the internal database servers.
C
Q108. An organization is trying to secure instant messaging (IM) communications through its network perimeter. Which of the following is the MOST significant challenge?
A. IM clients can interoperate between multiple vendors.
B. IM clients can run as executables that do not require installation.
C. IM clients can utilize random port numbers.
D. IM clients can run without administrator privileges.
C
Q109. Using the cipher text and resultant cleartext message to derive the monoalphabetic cipher key is an example of which method of cryptanalytic attack?
A. Known-plaintext attack
B. Ciphertext-only attack
C. Frequency analysis
D. Probable-plaintext attack
A
Q110. When developing an organization’s information security budget, it is important that the:
A. requested funds are at an equal amount to the expected cost of breaches.
B. expected risk can be managed appropriately with the funds allocated.
C. requested funds are part of a shared funding pool with other areas.
D. expected risk to the organization does not exceed the funds allocated.
B
Q111. A subscription service which provides power, climate control, raised flooring, and telephone wiring but NOT the computer and peripheral equipment is BEST described as a:
A. cold site.
B. warm site.
C. hot site.
D. reciprocal site.
A
Q112. An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP). The trading organization’s security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?
A. A detailed overview of all equipment involved in the outsourcing contract
B. The right to perform security compliance tests on the MSSP’s equipment
C. The MSSP having an executive manager responsible for information security
D. The right to audit the MSSP’s security process
D
Q113. Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document?
A. Hashing
B. Message digest (MD)
C. Symmetric
D. Asymmetric
D
Q114. What is the MOST effective method to enhance security of a single sign-on (SSO) solution that interfaces with critical systems?
A. Two-factor authentication
B. Reusable tokens for application level authentication
C. High performance encryption algorithms
D. Secure Sockets Layer (SSL) for all communications
A
Q115. Which of the following is MOST appropriate to collect evidence of a zero-day attack?
A. Honeypot
B. Antispam
C. Antivirus
D. Firewall
A
Q116. When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test?
A. Information may be found on hidden vendor patches.
B. The actual origin and tools used for the test can be hidden.
C. Information may be found on related breaches and hacking.
D. Vulnerabilities can be tested without impact on the tested environment.
C
Q117. The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely to be violated?
A. Change management
B. Separation of environments
C. Program management
D. Mobile code controls
A
Q118. Which of the following criteria ensures information is protected relative to its importance to the organization?
A. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
B. The value of the data to the organization’s senior management
C. Organizational stakeholders, with classification approved by the management board
D. Legal requirements determined by the organization headquarters’ location
A
Q119. What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?
A. Collect the security-related information required for metrics, assessments, and reporting.
B. Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies.
C. Define an ISCM strategy based on risk tolerance.
D. Establish an ISCM technical architecture.
C
Q120. An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance?
A. RAID level 1
B. RAID level 3
C. RAID level 4
D. RAID level 5
A
Q121. Which is the FIRST action the Incident Response team should take when an incident is suspected?
A. Choose a containment strategy.
B. Record all facts regarding the incident.
C. Attempt to identify the attacker.
D. Notify management of the incident.
B
Q122. When performing an investigation with the potential for legal action, what should be the analyst’s FIRST consideration?
A. Data decryption
B. Chain-of-custody
C. Authorization to collect
D. Court admissibility
B
Q123. What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)?
A. Standardize specifications between software security products.
B. Achieve organizational compliance with international standards.
C. Improve vulnerability assessment capabilities.
D. Save security costs for the organization.
C
Q124. Which of the following describes the BEST method of maintaining the inventory of software and hardware within the organization?
A. Maintaining the inventory through a combination of asset owner interviews, open-source system management, and open-source management tools
B. Maintaining the inventory through a combination of desktop configuration, administration management, and procurement management tools
C. Maintaining the inventory through a combination of on premise storage configuration, cloud management, and partner management tools
D. Maintaining the inventory through a combination of system configuration, network management, and license management tools
D
Q125. An organization wants to share data securely with their partners via the Internet. Which standard port is typically used to meet this requirement?
A. Set up a server on User Datagram Protocol (UDP) port 69
B. Set up a server on Transmission Control Protocol (TCP) port 21
C. Set up a server on Transmission Control Protocol (TCP) port 22
D. Set up a server on Transmission Control Protocol (TCP) port 80
C
Q126. Which of the following roles is responsible for ensuring that important datasets are developed, maintained, and are accessible within their defined specifications?
A. Data Custodian
B. Data Reviewer
C. Data User
D. Data Owner
A
Q127. What is the FIRST step in risk management?
A. Identify the factors that have potential to impact business.
B. Establish the scope and actions required.
C. Identify existing controls in the environment.
D. Establish the expectations of stakeholder involvement.
A
Q128. What is considered a compensating control for not having electrical surge protectors installed?
A. Having dual lines to network service providers built to the site
B. Having a hot disaster recovery (DR) environment for the site
C. Having network equipment in active-active clusters at the site
D. Having backup diesel generators installed to the site
B
Q129. Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?
A. Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
B. Discretionary Access Control (DAC) and Access Control List (ACL)
C. Role Based Access Control (RBAC) and Mandatory Access Control (MAC)
D. Role Based Access Control (RBAC) and Access Control List (ACL)
D
Q130. An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?
A. Allowed number of characters
B. Population of required fields
C. Reasonable data
D. Session testing
A
Q131. Which security audit standard provides the BEST way for an organization to understand a vendor’s Information Systems (IS) in relation to confidentiality, integrity, and availability?
A. Service Organization Control (SOC) 2
B. Statement on Standards for Attestation Engagements (SSAE) 18
C. Statement on Auditing Standards (SAS) 70
D. Service Organization Control (SOC) 1
A
Q132. What is the MINIMUM standard for testing a disaster recovery plan (DRP)?
A. Quarterly or more frequently depending upon the advice of the information security manager
B. As often as necessary depending upon the stability of the environment and business requirements
C. Annually or less frequently depending upon audit department requirements
D. Semi-annually and in alignment with a fiscal half-year business cycle
B
Q133. A developer is creating an application that requires secure logging of all user activity. What is the BEST permission the developer should assign to the log file to ensure requirements are met?
A. Execute
B. Read
C. Write
D. Append
D
Q134. The Chief Information Security Officer (CISO) is to establish a single, centralized, and relational repository to hold all information regarding the software and hardware assets. Which of the following solutions would be the BEST option?
A. Information Security Management System (ISMS)
B. Configuration Management Database (CMDB)
C. Security Information and Event Management (SIEM)
D. Information Technology Asset Management (ITAM)
B
Q135. A security practitioner detects an Endpoint attack on the organization’s network. What is the MOST reasonable approach to mitigate future Endpoint attacks?
A. Remove all non-essential client-side web services from the network.
B. Harden the client image before deployment.
C. Screen for harmful exploits of client-side services before implementation.
D. Block all client-side web exploits at the perimeter.
B
Q136. Which of the following is the name of an individual or group that is impacted by a change?
A. Change agent
B. End User
C. Stakeholder
D. Sponsor
B
Q140. A security professional has been assigned to assess a web application. The assessment report recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY security benefit in switching to SAML?
A. It enables single sign-on (SSO) for web applications.
B. It uses Transport Layer Security (TLS) to address confidentiality.
C. It limits unnecessary data entry on web forms.
D. The users’ password is not passed during authentication.
D
Q141. An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what information collected would be shared. What technical controls should be put in place to remedy the privacy issue while still trying to accomplish the organization’s business goals?
A. Share only what the organization decides is best.
B. Stop sharing data with the other users.
C. Default the user to not share any information.
D. Inform the user of the sharing feature changes after implemented.
C
Q142. An organization is planning a penetration test that simulates the malicious actions of a former network administrator. What kind of penetration test is needed?
A. Functional test
B. Unit test
C. Grey box
D. White box
D
Q143. A hospital has allowed virtual private networking (VPN) access to remote database developers. Upon auditing the internal configuration, the network administrator discovered that split-tunneling was enabled. What is the concern with this configuration?
A. The network intrusion detection system (NIDS) will fail to inspect Secure Sockets Layer (SSL) traffic.
B. Remote sessions will not require multi-layer authentication.
C. Remote clients are permitted to exchange traffic with the public and private network.
D. Multiple Internet Protocol Security (IPSec) tunnels may be exploitable in specific circumstances.
C
Q144. Which of the following is a major component of the federated identity management (FIM) implementation model and used to establish a network between dozens of organizations?
A. Identity as a Service (IDaaS)
B. Attribute-based access control (ABAC)
C. Cross-certification
D. Trusted third party (TTP)
C
Q145. A large international organization that collects information from its consumers has contracted with a Software as a Service (SaaS) cloud provider to process this data. The SaaS cloud provider uses additional data processing to demonstrate other capabilities it wishes to offer to the data owner. This vendor believes additional data processing activity is allowed since they are not disclosing to other organizations. Which of the following BEST supports this rationale?
A. The data was encrypted at all times and only a few cloud provider employees had access.
B. As the data owner, the cloud provider has the authority to direct how the data will be processed.
C. As the data processor, the cloud provider has the authority to direct how the data will be processed.
D. The agreement between the two parties is vague and does not detail how the data can be used.
D
Q146. A bank failed to meet service-level agreements (SLA) with customers after suffering from a database failure of the transaction processing system (TPS) that resulted in delayed financial deposits. A regulatory agency overseeing the bank would like to determine if the cause of the delay was a material weakness. Which of the following documents is MOST relevant for the regulatory agency to review?
A. Business continuity plan (BCP)
B. Business impact analysis (BIA)
C. Continuity of Operations Plan (COOP)
D. Enterprise resource planning (ERP)
A
Q147. Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?
A. Ensure proper business definition, value, and usage of data collected and stored within the enterprise data lake.
B. Ensure adequate security controls applied to the enterprise data lake.
C. Ensure proper and identifiable data owners for each data element stored within an enterprise data lake.
D. Ensure that any data passing within remit is being used in accordance with the rules and regulations of the business.
A
Q148. Which of the following is considered the FIRST step when designing an internal security control assessment?
A. Create a plan based on comprehensive knowledge of known breaches.
B. Create a plan based on reconnaissance of the organization’s infrastructure.
C. Create a plan based on a recognized framework of known controls.
D. Create a plan based on recent vulnerability scans of the systems in question.
C
Q149. Which is the PRIMARY mechanism for providing the workforce with the information needed to protect an agency’s vital information resources?
A. Implementation of access provisioning process for coordinating the creation of user accounts
B. Incorporating security awareness and training as part of the overall information security program
C. An information technology (IT) security policy to preserve the confidentiality, integrity, and availability of systems
D. Execution of periodic security and privacy assessments to the organization
B
Q150. Which of the following is the MOST effective corrective control to minimize the effects of a physical intrusion?
A. Rapid response by guards or police to apprehend a possible intruder
B. Sounding a loud alarm to frighten away a possible intruder
C. Automatic videotaping of a possible intrusion
D. Activating bright lighting to frighten away a possible intruder
A
Q151. What is the MAIN purpose of conducting a business impact analysis (BIA)?
A. To determine the cost for restoration of damaged information system
B. To determine the controls required to return to business critical operations
C. To determine the critical resources required to recover from an incident within a specified time period
D. To determine the effect of mission-critical information system failures on core business processes
D
Q152. To minimize the vulnerabilities of a web-based application, which of the following FIRST actions will lock down the system and minimize the risk of an attack?
A. Apply the latest vendor patches and updates
B. Run a vulnerability scanner
C. Review access controls
D. Install an antivirus on the server
A
Q153. When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner’s first consideration?
A. Detection of sophisticated attackers
B. Topology of the network used for the system
C. Risk assessment of the system
D. Resiliency of the system
C
Q154. An internal audit for an organization recently identified malicious actions by a user account. Upon further investigation, it was determined the offending user account was used by multiple people at multiple locations simultaneously for various services and applications. What is the BEST method to prevent this problem in the future?
A. Ensure each user has their own unique account.
B. Allow several users to share a generic account.
C. Ensure the security information and event management (SIEM) is set to alert.
D. Inform users only one user should be using the account at a time.
A
Q155. Which software defined networking (SDN) architectural component is responsible for translating network requirements?
A. SDN Controller
B. SDN Datapath
C. SDN Northbound Interfaces
D. SDN Application
A
Q156. A systems engineer is designing a wide area network (WAN) environment for a new organization. The WAN will connect sites holding information at various levels of sensitivity, from publicly available to highly confidential. The organization requires a high degree of interconnectedness to support existing business processes. What is the BEST design approach to securing this environment?
A. Use reverse proxies to create a secondary “shadow” environment for critical systems.
B. Place firewalls around critical devices, isolating them from the rest of the environment.
C. Layer multiple detective and preventative technologies at the environment perimeter.
D. Align risk across all interconnected elements to ensure critical threats are detected and handled.
C
Q157. A Chief Information Security Officer (CISO) of a firm which decided to migrate to cloud has been tasked with ensuring an optimal level of security. Which of the following would be the FIRST consideration?
A. Analyze the firm’s applications and data repositories to determine the relevant control requirements.
B. Request a security risk assessment of the cloud vendor be completed by an independent third-party.
C. Define the cloud migration roadmap and set out which applications and data repositories should be moved into the cloud.
D. Ensure that the contract between the cloud vendor and the firm clearly defines responsibilities for operating security controls.
C
Q158. Which of the following is the strongest physical access control?
A. Biometrics, a password, and personal identification number (PIN)
B. Individual password for each user
C. Biometrics and badge reader
D. Biometrics, a password, and badge reader
D
Q159. What BEST describes the confidentiality, integrity, availability triad?
A. A vulnerability assessment to see how well the organization’s data is protected
B. The three-step approach to determine the risk level of an organization
C. The implementation of security systems to protect the organization’s data
D. A tool used to assist in understanding how to protect the organization’s data
C
Q160. A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce the development time. What concept should software developers consider when using open-source software libraries?
A. Open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild.
B. Open source libraries can be used by everyone, and there is a common understanding that the vulnerabilities in these libraries will not be exploited.
C. Open source libraries contain unknown vulnerabilities, so they should not be used.
D. Open source libraries are constantly updated, making it unlikely that a vulnerability exists for an adversary to exploit.
A
Q161. An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be providing the security controls. Which of the following BEST describes this service offering?
A. Platform as a Service (PaaS)
B. Anything as a Service (XaaS)
C. Infrastructure as a Service (IaaS)
D. Software as a Service (SaaS)
A
Q162. Building blocks for software-defined networks (SDN) require which of the following?
A. The SDN is composed entirely of client-server pairs.
B. Random-access memory (RAM) is used in preference to virtual memory.
C. The SDN is mostly composed of virtual machines (VM).
D. Virtual memory is used in preference to random-access memory (RAM).
D
Q163. Which of the following is a secure design principle for a new product?
A. Restrict the use of modularization.
B. Do not rely on previously used code.
C. Build in appropriate levels of fault tolerance.
D. Utilize obfuscation whenever possible.
C
Q164. A user’s credential for an application is stored in a relational database. Which control protects the confidentiality of the credential while it is stored?
A. Use a salted cryptographic hash of the password.
B. Validate passwords using a stored procedure.
C. Allow only the application to have access to the password field in order to verify user authentication.
D. Encrypt the entire database and embed an encryption key in the application.
A
Q165. With regards to physical security, what is the MOST critical element of an organization’s recovery plan?
A. Restore monitoring.
B. Restore communications.
C. Restore the network.
D. Restore power.
D
Q166. An organization has experienced multiple distributed denial-of-service (DDoS) attacks in recent months that have impacted its public-facing web and e-commerce sites, which were previously all on-premises. After an analysis of the problems, the network engineers have recommended that the organization implement additional name service providers and redundant network paths. What is another recommendation that helps ensure the future availability of the web and e-commerce sites?
A. Move all cloud-based operations back to on-premises to mitigate attacks.
B. Move all websites to a new location.
C. Review current detection strategies and employ signature-based techniques.
D. Review the service-level agreements (SLA) with their cloud service providers.
D
Q167. An organization wants to ensure that employees that move to a different department within the organization do not retain access privileges from their former department. To this end, the organization has implemented role-based access control (RBAC). Which additional measure is MOST important to successfully limit excess access privileges?
A. Business role review
B. Line manager review of assigned roles
C. Segregation of duties (SoD) review
D. Access control matrix
A
Q168. Which of the following is one of the key objectives regarding data management roles and responsibilities?
A. Determine data quality metrics.
B. Define important data ownership regardless of functions.
C. Establish data ownership during the final phase of a project.
D. Install data accountability.
B
Q169. Which of the following security tools will ensure authorized data is sent to the application when implementing a cloud-based application?
A. Host-based intrusion prevention system (HIPS)
B. Access control list (ACL)
C. Data loss prevention (DLP)
D. File integrity monitoring (FIM)
C
Q170. If the wide area network (WAN) is supporting converged applications like Voice over Internet Protocol (VoIP), which of the following becomes even MORE essential to the assurance of the network?
A. Boundary routing
B. Classless Inter-Domain Routing (CIDR)
C. Internet Protocol (IP) routing lookups
D. Deterministic routing
D
Q171. A security professional has reviewed a recent site assessment and has noted that a server room on the second floor of a building has Heating, Ventilation, and Air Conditioning (HVAC) intakes on the ground level that have ultraviolet light filters installed, Aero-K fire suppression in the server room, and pre-action fire suppression on floors above the server room. Which of the following changes can the security professional recommend to reduce risk associated with these conditions?
A. Remove the ultraviolet light filters on the HVAC intake and replace the fire suppression system on the upper floors with a dry system
B. Elevate the HVAC intake by constructing a plenum or external shaft over it and convert the server room fire suppression to a pre-action system
C. Add additional ultraviolet light filters to the HVAC intake supply and return ducts and change server room fire suppression to FM-200
D. Apply additional physical security around the HVAC intakes and update upper floor fire suppression to FM-200
D
Q172. An organization implements Network Access Control (NAC) using Institute of Electrical and Electronics Engineers (IEEE) 802.1x and discovers the printers do not support the IEEE 802.1x standard. Which of the following is the BEST resolution?
A. Implement port security on the switch ports for the printers.
B. Do nothing; IEEE 802.1x is irrelevant to printers.
C. Install an IEEE 802.1x bridge for the printers.
D. Implement a virtual local area network (VLAN) for the printers.
D
Q173. Which of the following is a safeguard that could be used to validate a service provider and the authenticity of their service?
A. Information graphing
B. Code signing
C. Service signing
D. Code graphing
C
Q174. Which of the following is a strong security protection provided by Trusted Platform Module (TPM)?
A. Providing data integrity through digital signatures
B. Creation of a secure kernel
C. Separation of encryption keys from storage devices
D. Reporting of system integrity
C
Q175. A system developer has a requirement for an application to check for a secure digital signature before the application is accessed on a user’s laptop. Which security mechanism addresses this requirement?
A. Trusted Platform Module (TPM)
B. Certificate revocation list (CRL) policy
C. Key exchange
D. Hardware encryption
B
Q176. A security engineer is required to integrate security into a software project that is implemented by small groups that quickly, continuously, and independently develop, test, and deploy code to the cloud. The engineer will MOST likely integrate with which software development process?
A. DevOps Integrated Product Team (IPT)
B. Structured Waterfall Programming Development
C. Service-oriented architecture (SOA)
D. Spiral Methodology
D
Q177. Which of the following is established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls?
A. Security Assessment Report (SAR)
B. Organizational risk tolerance
C. Risk assessment report
D. Information Security Continuous Monitoring (ISCM)
D
Q178. What is the benefit of an operating system (OS) feature that is designed to prevent an application from executing code from a non-executable memory region?
A. Identifies which security patches still need to be installed on the system
B. Reduces the risk of polymorphic viruses from encrypting their payload
C. Stops memory resident viruses from propagating their payload
D. Helps prevent certain exploits that store code in buffers
D
Q179. A new employee formally reported suspicious behavior to the organization security team. The report claims that someone not affiliated with the organization was inquiring about the member’s work location, length of employment, and building access controls. The employee’s reporting is MOST likely the result of which of the following?
A. Security engineering
B. Security awareness
C. Phishing
D. Risk avoidance
B
Q180. A project manager for a large software firm has acquired a government contract that generates large amounts of Controlled Unclassified Information (CUI). The organization’s information security manager had received a request to transfer project-related CUI between systems of differing security classifications. What role provides the authoritative guidance for this transfer?
A. PM
B. Information owner
C. Data Custodian
D. Mission/Business Owner
B
Q181. A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to crash. What is the BEST course of action?
A. Mitigate the risks with compensating controls.
B. Upgrade the software affected by the vulnerability.
C. Remove the affected software from the servers.
D. Inform management of possible risks.
A
Q182. When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call. This is an example of which type of network topology?
A. Point-to-Point Protocol (PPP)
B. Bus
C. Star
D. Tree
C
Q183. An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following approaches would BEST improve SoD effectiveness?
A. Implementation of frequent audits of access and activity in the ERP by a separate team with no operational duties
B. Implementation of strengthened authentication measures including mandatory second-factor authentication
C. Review of ERP access profiles to enforce the least-privilege principle based on existing employee responsibilities
D. Review of employee responsibilities and ERP access profiles to differentiate mission activities from system support activities
D
Q184. An application developer is deciding on the amount of idle session time that the application allows before a timeout. Which of the following is the BEST reason for determining the session timeout requirement?
A. Application requirements
B. Industry best practices
C. Industry feedback
D. Management feedback
A
Q185. Which dynamic routing protocol is BEST suited for a dispersed campus network utilizing Internet Protocol version 6 (IPv6) addresses?
A. Open Shortest Path First (OSPF) version 3
B. Enhanced Interior Gateway Routing Protocol (EIGRP)
C. Border Gateway Protocol (BGP) version 4
D. Routing Information Protocol (RIP) version 2
A
Q186. Which of the following are key activities when conducting a security assessment?
A. Schedule, collect, examine
B. Interview, examine, simulate
C. Collect, interview, test
D. Examine, interview, test
D
Q187. An organization is building an enterprise system using attribute-based access control (ABAC). To avoid inadvertent exposure, what should organizations do to ensure the proper handling of personally identifiable information (PII) and enforcement of PII regulations across the enterprise?
A. Employ trust agent.
B. Employ trust agreements.
C. Employ training program.
D. Employ regulations from leadership.
C
Q188. A security architect is reviewing an implemented security framework. After the review, the security architect wants to enhance the security by implementing segregation of duties (SoD) to address protection against fraud. Which security model BEST protects the integrity of data?
A. The Brewer-Nash model
B. The Biba Integrity model
C. The Bell-LaPadula model
D. The Clark-Wilson model
D
Q189. When developing an external facing web-based system, which of the following would be the MAIN focus of the security assessment prior to implementation and production?
A. Ensuring Secure Sockets Layer (SSL) certificates are signed by a certificate authority
B. Ensuring Secure Sockets Layer (SSL) certificates are internally signed
C. Assessing the Uniform Resource Locator (URL)
D. Ensuring that input validation is enforced
D
Q190. At which layer of the Open Systems Interconnection (OSI) model does a circuit-level firewall operate?
A. Session layer
B. Network layer
C. Application layer
D. Transport layer
A
Q191. Which of the following security tools monitors devices and records the information in a central database for further analysis?
A. Antivirus
B. Host-based intrusion detection system (HIDS)
C. Security orchestration automation and response
D. Endpoint detection and response (EDR)
D
Q192. When implementing single sign-on (SSO) on a network, which authentication approach BEST allows users to use credentials across multiple applications?
A. Public key infrastructure (PKI)
B. Security Assertion Markup Language (SAML)
C. Delegated Identity Management
D. Federated Identity Management
D
Q193. When designing a new Voice over Internet Protocol (VoIP) network, an organization's top concern is preventing unauthorized users from accessing the VoIP network. Which of the following will BEST help secure the VoIP network?
A. 802.11g
B. Web application firewall (WAF)
C. Transport Layer Security (TLS)
D. 802.1x
D
Q194. Which element of software supply chain management has the GREATEST security risk to organizations?
A. Unsupported libraries are often used.
B. Applications with multiple contributors are difficult to evaluate.
C. Vulnerabilities are difficult to detect.
D. New software development skills are hard to acquire.
A
Q195. Which is MOST important when negotiating an Internet service provider (ISP) service-level agreement (SLA) by an organization that solely provides Voice over Internet Protocol (VoIP) services?
A. Mean time to repair (MTTR)
B. Quality of Service (QoS) between applications
C. Financial penalties in case of disruption
D. Availability of network services
D
Q196. What is the MOST important goal of conducting security assessments?
A. To align the security program with organizational risk appetite
B. To demonstrate proper function of security controls and processes to senior management
C. To prepare the organization for an external audit, particularly by a regulatory entity
D. To discover unmitigated security vulnerabilities, and propose paths for mitigating them
D
Q197. A client server infrastructure that provides user-to-server authentication describes which one of the following?
A. Secure Sockets Layer (SSL)
B. User-based authorization
C. Kerberos
D. X.509
C
Q198. An Information System Security Officer (ISSO) employed by a large corporation, while also freelancing in a similar role for a competitor, violates what canon of the (ISC)2 Code of Professional Ethics?
A. Advance and protect the profession
B. Provide diligent and competent service to principals
C. Act honorably, honestly, justly, responsibly, and legally
D. Protect society, the commonwealth, and the infrastructure
B
Q199. The disaster recovery (DR) process should always include:
A. periodic inventory review
B. financial data analysis
C. plan maintenance
D. periodic vendor review
C
Q200. In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below. Which of the following would be a reasonable annual loss expectation?
A. 3,500
B. 140,000
C. 14,000
D. 350,000
C