CISSP : Certified Information Systems Security Professional : Part 01

  1. All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that

    • determine the risk of a business interruption occurring
    • determine the technological dependence of the business processes
    • Identify the operational impacts of a business interruption
    • Identify the financial impacts of a business interruption

    Explanation:

    Reference: http://www.oregon.gov/das/Procurement/Guiddoc/BusImpAnalysQs.doc

  2. Which of the following actions will reduce risk to a laptop before traveling to a high risk area?

    • Examine the device for physical tampering
    • Implement more stringent baseline configurations
    • Purge or re-image the hard disk drive
    • Change access codes
  3. Which of the following represents the GREATEST risk to data confidentiality?

    • Network redundancies are not implemented
    • Security awareness training is not completed
    • Backup tapes are generated unencrypted
    • Users have administrative privileges
  4. What is the MOST important consideration from a data security perspective when an organization plans to relocate?

    • Ensure the fire prevention and detection systems are sufficient to protect personnel
    • Review the architectural plans to determine how many emergency exits are present
    • Conduct a gap analysis of the new facility against existing security requirements
    • Revise the Disaster Recovery and Business Continuity (DR/BC) plan
  5. A company whose Information Technology (IT) services are being delivered from a Tier 4 data center is preparing a company-wide Business Continuity Plan (BCP). Which of the following failures should the IT manager be concerned with?

    • Application
    • Storage
    • Power
    • Network
    Explanation:
    Reference: https://www.colocationamerica.com/data-center/tier-standards-overview.htm
  6. When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

    • Only when assets are clearly defined
    • Only when standards are defined
    • Only when controls are put in place
    • Only when procedures are defined
  7. Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?

    • Install mantraps at the building entrances
    • Enclose the personnel entry area with polycarbonate plastic
    • Supply a duress alarm for personnel exposed to the public
    • Hire a guard to protect the public area
  8. An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?

    • Development, testing, and deployment
    • Prevention, detection, and remediation
    • People, technology, and operations
    • Certification, accreditation, and monitoring
    Explanation:
    Reference: https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165 (14)
  9. Intellectual property rights are PRIMARILY concerned with which of the following?

    • Owner’s ability to realize financial gain
    • Owner’s ability to maintain copyright
    • Right of the owner to enjoy their creation
    • Right of the owner to control delivery method
  10. A control to protect from a Denial-of-Service (DoS) attack has been determined to stop 50% of attacks, and additionally reduces the impact of an attack by 50%. What is the residual risk?

    • 25%
    • 50%
    • 75%
    • 100%
  11. In the Open System Interconnection (OSI) model, which layer is responsible for the transmission of binary data over a communications network?

    • Physical Layer 
    • Application Layer
    • Data-Link Layer
    • Network Layer
  12. What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?

    • Smurfing
    • Man-in-the-Middle (MITM) attack
    • Session redirect
    • Spoofing 
  13. Which of the following entails identification of data and links to business processes, applications, and data stores as well as assignment of ownership responsibilities?

    • Security governance
    • Risk management 
    • Security portfolio management
    • Risk assessment
  14. Which of the following mandates the amount and complexity of security controls applied to a security risk?

    • Security vulnerabilities
    • Risk tolerance 
    • Risk mitigation
    • Security staff
  15. When determining who can accept the risk associated with a vulnerability, which of the following is MOST important?

    • Countermeasure effectiveness
    • Type of potential loss
    • Incident likelihood
    • Information ownership
  16. A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the following BEST minimizes the risk of this happening again?

    • Define additional security controls directly after the merger
    • Include a procurement officer in the merger team
    • Verify all contracts before a merger occurs
    • Assign a compliancy officer to review the merger conditions
  17. Which of the following is a direct monetary cost of a security incident?

    • Morale
    • Reputation
    • Equipment 
    • Information
  18. Which of the following would MINIMIZE the ability of an attacker to exploit a buffer overflow?

    • Memory review
    • Code review 
    • Message division
    • Buffer division
  19. Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?

    • parameterized database queries
    • whitelist input values
    • synchronized session tokens 
    • use strong ciphers
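    The synchronizer token pattern named in question 19, shown as an added Python example that is not part of the original page. It assumes a hypothetical in-memory session store and a minimal request object; a real application would use its framework's session and form handling. The point it demonstrates: a cross-site page can make the victim's browser send the session cookie, but it cannot read the per-session token embedded in the legitimate form, so a forged POST is rejected while a legitimate one succeeds.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory session store (assumption for this example):
# session id -> session data, including the per-session synchronizer token.
SESSIONS: dict[str, dict] = {}


def create_session() -> str:
    """Start a session and mint an unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Embed the session's token as a hidden field, as a server-rendered page would."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies plus POSTed form fields."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def handle_transfer(req: Request) -> tuple[int, str]:
    """State-changing endpoint protected by the synchronizer token check."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "no session"
    submitted = req.form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Reject a missing token, and compare in constant time so a wrong token
    # leaks nothing about the expected value through timing.
    if not submitted or not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {req.form.get('amount')}"


def extract_token(html: str) -> str:
    """What the legitimate browser does implicitly: submit the hidden field from the page it loaded."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo() -> tuple[int, int, int]:
    """Returns the status codes for a legitimate, a forged, and a guessed-token request."""
    sid = create_session()
    cookies = {"session": sid}

    # Legitimate: the browser loaded the form and therefore has the token.
    token = extract_token(render_form(sid))
    legit = handle_transfer(Request(cookies, {"csrf_token": token, "amount": "10"}))

    # Forged: an attacker's page auto-submits a POST; the browser attaches the
    # session cookie, but the attacker cannot read the token from the victim's page.
    forged = handle_transfer(Request(cookies, {"amount": "9999"}))

    # Guessed: attacker supplies a random token of the right shape.
    guessed = handle_transfer(
        Request(cookies, {"csrf_token": secrets.token_urlsafe(32), "amount": "9999"})
    )
    return legit[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(demo())
```

    The token must be tied to the session (not a global constant) and never exposed to cross-origin reads; the other three options in the question address injection, input validation, and transport confidentiality, none of which stops a browser from replaying the victim's cookie.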
  20. What is the PRIMARY purpose for an organization to conduct a security audit?

    • To ensure the organization is adhering to a well-defined standard
    • To ensure the organization is applying security controls to mitigate identified risks
    • To ensure the organization is configuring information systems efficiently
    • To ensure the organization is documenting findings