CISSP : Certified Information Systems Security Professional : Part 02

  1. How does security in a distributed file system using mutual authentication differ from file security in a multi-user host?

    • Access control can rely on the Operating System (OS), but eavesdropping is not a risk
    • Access control cannot rely on the Operating System (OS), and eavesdropping is a risk
    • Access control can rely on the Operating System (OS), and eavesdropping is a risk
    • Access control cannot rely on the Operating System (OS), and eavesdropping is not a risk
  2. When defining a set of security controls to mitigate a risk, which of the following actions MUST occur?

    • Each control’s effectiveness must be evaluated individually
    • Each control must completely mitigate the risk
    • The control set must adequately mitigate the risk
    • The control set must evenly divide the risk
  3. Which of the following provides the BEST method to verify that security baseline configurations are maintained?

    • Perform regular system security testing
    • Design security early in the development cycle
    • Analyze logs to determine user activities
    • Perform quarterly risk assessments
  4. Which of the following is the MOST critical success factor in the security patch management process?

    • Tracking and reporting on inventory
    • Supporting documentation
    • Management review of reports
    • Risk and impact analysis
  5. Which of the following is MOST important when determining appropriate countermeasures for an identified risk?

    • Interaction with existing controls
    • Organizational risk tolerance
    • Patch availability
    • Cost
  6. What is the MAIN reason to ensure the appropriate retention periods are enforced for data stored on electronic media?

    • To reduce the carbon footprint by eliminating paper
    • To create an inventory of data assets stored on disk for backup recovery
    • To declassify information that has been improperly classified
    • To reduce the risk of loss, unauthorized access, use, modification, and disclosure
  7. What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?

    • Establish Maximum Tolerable Downtime (MTD) for Information Systems (IS)
    • Define the variable cost for extended downtime scenarios
    • Identify potential threats to business availability
    • Establish personnel requirements for various downtime scenarios
  8. A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following?

    • Transferred risk
    • Inherent risk
    • Residual risk
    • Avoided risk
  9. Which of the following is MOST important when assigning ownership of an asset to a department?

    • The department should report to the business owner
    • Ownership of the asset should be periodically reviewed
    • Individual accountability should be ensured
    • All members should be trained on their responsibilities
  10. Which one of the following affects the classification of data?

    • Assigned security label
    • Multilevel Security (MLS) architecture
    • Minimum query size
    • Passage of time
  11. Which of the following BEST describes the responsibilities of a data owner?

    • Ensuring quality and validation through periodic audits for ongoing data integrity
    • Maintaining fundamental data availability, including data storage and archiving
    • Ensuring accessibility to appropriate users, maintaining appropriate levels of data security
    • Determining the impact the information has on the mission of the organization

    Explanation:

    Reference: http://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/data-and-system-ownership/#gref

  12. An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.

    Which contract is BEST in offloading the task from the IT staff?

    • Platform as a Service (PaaS)
    • Identity as a Service (IDaaS)
    • Desktop as a Service (DaaS)
    • Software as a Service (SaaS)
  13. When implementing a data classification program, why is it important to avoid too much granularity?

    • The process will require too many resources
    • It will be difficult to apply to both hardware and software
    • It will be difficult to assign ownership to the data
    • The process will be perceived as having value

    Explanation:

    Reference: http://www.ittoday.info/AIMS/DSM/82-02-55.pdf

  14. In a data classification scheme, the data is owned by the

    • system security managers
    • business managers
    • Information Technology (IT) managers
    • end users
  15. Which of the following is an initial consideration when developing an information security management system?

    • Identify the contractual security obligations that apply to the organization
    • Understand the value of the information assets
    • Identify the level of residual risk that is tolerable to management
    • Identify relevant legislative and regulatory compliance requirements
  16. Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?

    • Personal Identity Verification (PIV)
    • Cardholder Unique Identifier (CHUID) authentication
    • Physical Access Control System (PACS) repeated attempt detection
    • Asymmetric Card Authentication Key (CAK) challenge-response
  17. Which factors MUST be considered when classifying information and supporting assets for risk management, legal discovery, and compliance?

    • System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements
    • Data stewardship roles, data handling and storage standards, data lifecycle requirements
    • Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements
    • System authorization roles and responsibilities, cloud computing standards, lifecycle requirements
  18. When network management is outsourced to third parties, which of the following is the MOST effective method of protecting critical data assets?

    • Log all activities associated with sensitive systems
    • Provide links to security policies
    • Confirm that confidentiality agreements are signed
    • Employ strong access controls
  19. Which of the following is the MOST appropriate action when reusing media that contains sensitive data?

    • Erase
    • Sanitize
    • Encrypt
    • Degauss
  20. An organization recently conducted a review of the security of its network applications. One of the vulnerabilities found was that the session key used in encrypting sensitive information to a third party server had been hard-coded in the client and server applications. Which of the following would be MOST effective in mitigating this vulnerability?

    • Diffie-Hellman (DH) algorithm
    • Elliptic Curve Cryptography (ECC) algorithm
    • Digital Signature algorithm (DSA)
    • Rivest-Shamir-Adleman (RSA) algorithm