CISSP : Certified Information Systems Security Professional : Part 04

  1. What is a common mistake in records retention?

    • Adopting a retention policy with the longest requirement period
    • Having the Human Resource (HR) department create a retention policy
    • Adopting a retention policy based on applicable organization requirements
    • Having the organization legal department create a retention policy
  2. Of the following, which BEST provides non-repudiation with regards to access to a server room?

    • Fob and Personal Identification Number (PIN)
    • Locked and secured cages
    • Biometric readers
    • Proximity readers
  3. What should an auditor do when conducting a periodic audit on media retention?

    • Check electronic storage media to ensure records are not retained past their destruction date
    • Ensure authorized personnel are in possession of paper copies containing Personally Identifiable Information (PII)
    • Check that hard disks containing backup data that are still within a retention cycle are being destroyed correctly
    • Ensure that data shared with outside organizations is no longer on a retention schedule
  4. How should the retention period for an organization’s social media content be defined?

    • By the retention policies of each social media service
    • By the records retention policy of the organization
    • By the Chief Information Officer (CIO)
    • By the amount of available storage space
  5. What is the FIRST step required in establishing a records retention program?

    • Classify records based on sensitivity
    • Identify and inventory all records storage locations
    • Identify and inventory all records
    • Draft a records retention policy
  6. An organization is considering outsourcing applications and data to a Cloud Service Provider (CSP). Which of the following is the MOST important concern regarding privacy?

    • The CSP determines data criticality
    • The CSP provides end-to-end encryption services
    • The CSP’s privacy policy may be developed by the organization
    • The CSP may not be subject to the organization’s country legislation
  7. Which of the following will help prevent improper session handling?

    • Ensure JavaScript and plugin support is disabled
    • Ensure that certificates are valid and fail closed
    • Ensure that tokens are sufficiently long, complex, and pseudo-random
    • Ensure that all UIWebView calls do not execute without proper input validation
  8. Which of the following is the BEST defense against password guessing?

    • Limit external connections to the network
    • Disable the account after a limited number of unsuccessful attempts
    • Force the password to be changed after an invalid password has been entered
    • Require a combination of letters, numbers, and special characters in the password
  9. Which of the following is the MOST secure password technique?

    • Passphrase
    • One-time password
    • Cognitive password
    • Ciphertext
  10. To prevent inadvertent disclosure of restricted information, which of the following would be the LEAST effective process for eliminating data prior to the media being discarded?

    • Multiple-pass overwriting
    • Degaussing
    • High-level formatting
    • Physical destruction
  11. An organization has implemented a new backup process which protects confidential data by encrypting the information stored on backup tapes. Which of the following is a MAJOR data confidentiality concern after the implementation of this new backup process?

    • Tape backup rotation
    • Pre-existing backup tapes
    • Tape backup compression
    • Backup tape storage location
  12. Which of the following objects should be removed FIRST prior to uploading code to public code repositories?

    • Security credentials
    • Inefficient algorithms
    • Coding mistakes
    • Known vulnerabilities
  13. Which media sanitization methods should be used for data with a high security categorization?

    • Clear or destroy
    • Clear or purge
    • Destroy or delete
    • Purge or destroy
  14. How is it possible to extract private keys securely stored on a cryptographic smartcard?

    • Bluebugging
    • Focused ion-beam
    • Bluejacking
    • Power analysis
  15. Which inherent password weakness does a One Time Password (OTP) generator overcome?

    • Static passwords are too predictable
    • Static passwords must be changed frequently
    • Static passwords are difficult to generate
    • Static passwords are easily disclosed
  16. Digital non-repudiation requires which of the following?

    • A trusted third-party
    • Appropriate corporate policies
    • Symmetric encryption
    • Multifunction access cards
  17. Which security service is served by the process of encrypting plaintext with the sender’s private key and decrypting the ciphertext with the sender’s public key?

    • Confidentiality
    • Integrity
    • Identification
    • Availability

    Explanation:
    Only the holder of the corresponding private key can produce ciphertext that the public key decrypts (verifies), so the identity of the sending endpoint is established.

  18. Which of the following mobile code security models relies only on trust?

    • Code signing
    • Class authentication
    • Sandboxing
    • Type safety

    Explanation:
    Reference: https://csrc.nist.gov/csrc/media/publications/conference-paper/1999/10/21/proceedings-of-the-22nd-nissc-1999/documents/papers/t09.pdf (p. 11)

  19. Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?

    • Hashing the data before encryption
    • Hashing the data after encryption
    • Compressing the data after encryption
    • Compressing the data before encryption
  20. What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?

    • Implementation Phase
    • Initialization Phase
    • Cancellation Phase
    • Issued Phase