CISSP : Certified Information Systems Security Professional : Part 04
-
What is a common mistake in records retention?
- Adopting a retention policy with the longest requirement period
- Having the Human Resource (HR) department create a retention policy
- Adopting a retention policy based on applicable organization requirements
- Having the organization legal department create a retention policy
-
Of the following, which BEST provides non-repudiation with regards to access to a server room?
- Fob and Personal Identification Number (PIN)
- Locked and secured cages
- Biometric readers
- Proximity readers
-
What should an auditor do when conducting a periodic audit on media retention?
- Check electronic storage media to ensure records are not retained past their destruction date
- Ensure authorized personnel are in possession of paper copies containing Personally Identifiable Information (PII)
- Check that hard disks containing backup data that are still within a retention cycle are being destroyed correctly
- Ensure that data shared with outside organizations is no longer on a retention schedule
-
How should the retention period for an organization’s social media content be defined?
- By the retention policies of each social media service
- By the records retention policy of the organization
- By the Chief Information Officer (CIO)
- By the amount of available storage space
-
What is the FIRST step required in establishing a records retention program?
- Classify records based on sensitivity
- Identify and inventory all records storage locations
- Identify and inventory all records
- Draft a records retention policy
-
An organization is considering outsourcing applications and data to a Cloud Service Provider (CSP). Which of the following is the MOST important concern regarding privacy?
- The CSP determines data criticality
- The CSP provides end-to-end encryption services
- The CSP’s privacy policy may be developed by the organization
- The CSP may not be subject to the organization’s country legislation
-
Which of the following will help prevent improper session handling?
- Ensure JavaScript and plugin support is disabled
- Ensure that certificates are valid and fail closed
- Ensure that tokens are sufficiently long, complex, and pseudo-random
- Ensure that all UIWebView calls do not execute without proper input validation
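The token option is the one that bears directly on session handling: a session identifier has to be unpredictable, not merely long. The example below is added here and is not part of the original question set. It contrasts a token drawn from Python's non-cryptographic random module seeded with a creation timestamp, which an attacker who can narrow down the creation time recovers by brute force, with one drawn from the secrets module. The function names, the 32-character length and the +/-60 second search window are the example's own assumptions.

```python
import math
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def weak_token(seed: int, length: int = 32) -> str:
    """Session token from the Mersenne Twister seeded with a guessable value
    (a creation timestamp). Looks random, but is a pure function of the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_token(nbytes: int = 32) -> str:
    """Session token from the OS CSPRNG via secrets: nbytes*8 bits of entropy,
    URL-safe base64 encoded (43 characters for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)

def recover_seed(observed: str, approx_time: int, window: int = 60) -> Optional[int]:
    """Attacker side: given a token and a rough idea of when the session was
    created, try every timestamp within +/- window seconds until one reproduces it."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate, len(observed)) == observed:
            return candidate
    return None

def nominal_entropy_bits(token: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy the token appears to have if every symbol were uniform and independent.
    For weak_token the real entropy is only log2(number of plausible seeds)."""
    return len(token) * math.log2(alphabet_size)

if __name__ == "__main__":
    created_at = 1_700_000_000  # constructed: server clock when the session was issued
    token = weak_token(created_at)
    print("nominal bits:", round(nominal_entropy_bits(token), 1))
    print("actual bits for a +/-60 s window:", round(math.log2(121), 1))
    print("seed recovered by the attacker:", recover_seed(token, created_at + 30))
    print("CSPRNG token:", strong_token())
```

The weak token passes every "long and complex" check while carrying under seven bits of real entropy, which is why the requirement is stated as long, complex and pseudo-random together.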
-
Which of the following is the BEST defense against password guessing?
- Limit external connections to the network
- Disable the account after a limited number of unsuccessful attempts
- Force the password to be changed after an invalid password has been entered
- Require a combination of letters, numbers, and special characters in the password
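Of the four options, locking the account after a bounded number of failed attempts is the one that stops online guessing regardless of how strong the password is. The example below is added here and is not part of the original question set; it implements that control on a single account record using PBKDF2 and a constant-time comparison from the standard library. The threshold of five attempts, the 15-minute lock and the round count are the example's own choices, and the current time is passed in as a parameter so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5           # assumption: lock on the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60  # assumption: 15-minute lock
PBKDF2_ROUNDS = 100_000    # assumption: kept low so the demo runs quickly

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))

def login(acct: Account, password: str, now: float) -> str:
    """Returns "locked", "ok" or "bad".

    The lock is checked before the password, so a guesser gets no signal about
    the password while the account is locked, and a correct guess made during
    the lock window is still refused.
    """
    if now < acct.locked_until:
        return "locked"
    candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return "bad"

if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    t = 1_000.0
    for guess in ["123456", "password", "qwerty", "letmein", "admin"]:
        print(guess, "->", login(acct, guess, t))
    print("right password during lock ->", login(acct, "correct horse battery staple", t + 1))
    print("right password after lock ->", login(acct, "correct horse battery staple", t + LOCKOUT_SECONDS))
```

Two caveats a practitioner would add: lockout lets an attacker deliberately lock out legitimate users, so it is normally paired with per-source throttling or progressive delays rather than used alone, and the failure counter has to live in storage shared by every login front end, or the attacker simply spreads guesses across them.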
-
Which of the following is the MOST secure password technique?
- Passphrase
- One-time password
- Cognitive password
- Ciphertext
-
To prevent inadvertent disclosure of restricted information, which of the following would be the LEAST effective process for eliminating data prior to the media being discarded?
- Multiple-pass overwriting
- Degaussing
- High-level formatting
- Physical destruction
-
An organization has implemented a new backup process which protects confidential data by encrypting the information stored on backup tapes. Which of the following is a MAJOR data confidentiality concern after the implementation of this new backup process?
- Tape backup rotation
- Pre-existing backup tapes
- Tape backup compression
- Backup tape storage location
-
Which of the following objects should be removed FIRST prior to uploading code to public code repositories?
- Security credentials
- Inefficient algorithms
- Coding mistakes
- Known vulnerabilities
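Credentials are the one item in that list that cannot be taken back once a public repository has been cloned, which is why a secret scan before pushing is standard practice. The example below is added here and is not from the original page. It shows the two detection approaches such scanners combine: fixed-format patterns for well-known key types (the AWS access key ID prefix and PEM private-key headers) and a Shannon-entropy check on generic password/api_key/token assignments that separates placeholders such as "changeme" from values that look like real secrets. The sample source lines are constructed for the example; the AWS key in them is the placeholder value used in AWS documentation, and the 3.5-bit threshold is the example's own choice.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Fixed-format detectors: a match is a finding regardless of entropy.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic detector: a credential-looking name assigned a quoted literal of 8+ characters.
ASSIGNMENT_PATTERN = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def scan_lines(lines: List[str], entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line number, detector name) for each line that looks like it carries a secret.
    Quoted values below the entropy threshold (e.g. "changeme") are treated as placeholders."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in FORMAT_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        m = ASSIGNMENT_PATTERN.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "generic_assignment"))
    return findings

# Constructed sample source; the AWS key is the placeholder value from AWS documentation.
SAMPLE_SOURCE = [
    'import os',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "changeme"',
    'api_key = "x7Kd9Qv2pLm4Wz1bR8sT"',
    'token = os.environ["API_TOKEN"]',
    '-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    for lineno, name in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {SAMPLE_SOURCE[lineno - 1]}")
```

Note that the line reading the token from an environment variable is correctly not flagged, while the high-entropy literal is. If a credential has already been pushed, deleting it from the latest commit is not enough: it remains in history and in every clone, so the credential itself must be rotated.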
-
Which media sanitization methods should be used for data with a high security categorization?
- Clear or destroy
- Clear or purge
- Destroy or delete
- Purge or destroy
-
How is it possible to extract private keys securely stored on a cryptographic smartcard?
- Bluebugging
- Focused ion-beam
- Bluejacking
- Power analysis
-
Which inherent password weakness does a One Time Password (OTP) generator overcome?
- Static passwords are too predictable
- Static passwords must be changed frequently
- Static passwords are difficult to generate
- Static passwords are easily disclosed
-
Digital non-repudiation requires which of the following?
- A trusted third-party
- Appropriate corporate policies
- Symmetric encryption
- Multifunction access cards
-
Which security service is served by the process of encrypting plaintext with the sender’s private key and decrypting the ciphertext with the sender’s public key?
- Confidentiality
- Integrity
- Identification
- Availability
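The operation this question describes is the textbook view of a digital signature: a value only the private key can produce and anyone holding the public key can check. The example below is added here and is not from the original page; it carries the operation through with textbook RSA, using known Mersenne primes that give a key far too small for real use, and a SHA-256 digest in place of the padding a real scheme such as RSA-PSS would add. The function names and key choices are the example's own.

```python
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes. Returns (public, private) as (exponent, n) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, e*d = 1 (mod phi); pow with -1 needs Python 3.8+
    return (e, n), (d, n)

def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into Z_n (the job a real padding scheme does properly)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """'Encrypt with the sender's private key': s = H(m)^d mod n."""
    d, n = private_key
    return pow(digest_mod_n(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt with the sender's public key': s^e mod n must equal H(m)."""
    e, n = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)

# Constructed demo keys from Mersenne primes (2^127-1, 2^89-1 and 2^107-1, 2^61-1):
# n is around 216 bits, which is toy-sized and only suitable for illustration.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
MALLORY_PUBLIC, MALLORY_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    sig = sign(msg, ALICE_PRIVATE)
    print("Alice's signature checks with Alice's public key:", verify(msg, sig, ALICE_PUBLIC))
    print("same signature on an altered message:", verify(b"transfer 900 to account 42", sig, ALICE_PUBLIC))
    print("signature made with Mallory's private key:", verify(msg, sign(msg, MALLORY_PRIVATE), ALICE_PUBLIC))
```

The check proves that whoever produced the signature held Alice's private key; it says nothing by itself about who Alice is. Binding the key to a person is what needs the trusted third party and the policies the earlier non-repudiation question asks about.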
Explanation:
Only the holder of the corresponding private key can produce ciphertext that the sender’s public key decrypts (verifies) correctly, so the identity of the sender is established.
-
Which of the following mobile code security models relies only on trust?
- Code signing
- Class authentication
- Sandboxing
- Type safety
Explanation: Reference: https://csrc.nist.gov/csrc/media/publications/conference-paper/1999/10/21/proceedings-of-the-22nd-nissc-1999/documents/papers/t09.pdf (11)
-
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
- Hashing the data before encryption
- Hashing the data after encryption
- Compressing the data after encryption
- Compressing the data before encryption
-
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
- Implementation Phase
- Initialization Phase
- Cancellation Phase
- Issued Phase