CISSP : Certified Information Systems Security Professional : Part 05

CISSP : Certified Information Systems Security Professional : Part 05

CISSP : Certified Information Systems Security Professional : Part 05

  1. Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified automated vulnerability assessments?

    • Common Vulnerabilities and Exposures (CVE)
    • Common Vulnerability Scoring System (CVSS)
    • Asset Reporting Format (ARF)
    • Open Vulnerability and Assessment Language (OVAL)

  2. Who in the organization is accountable for classification of data information assets?

    • Data owner
    • Data architect
    • Chief Information Security Officer (CISO)
    • Chief Information Officer (CIO)

  3. The use of private and public encryption keys is fundamental in the implementation of which of the following?

    • Diffie-Hellman algorithm
    • Secure Sockets Layer (SSL)
    • Advanced Encryption Standard (AES)
    • Message Digest 5 (MD5)

  4. Which of the following MUST be in place to recognize a system attack?

    • Stateful firewall
    • Distributed antivirus
    • Log analysis 
    • Passive honeypot

  5. Which of the following is the GREATEST benefit of implementing a Role Based Access Control (RBAC) system?

    • Integration using Lightweight Directory Access Protocol (LDAP)
    • Form-based user registration process
    • Integration with the organizations Human Resources (HR) system
    • A considerably simpler provisioning process 

  6. Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?

    • identity provisioning
    • access recovery
    • multi-factor authentication (MFA)
    • user access review

  7. A minimal implementation of endpoint security includes which of the following?

    • Trusted platforms
    • Host-based firewalls 
    • Token-based authentication
    • Wireless Access Points (AP)

  8. What is the expected outcome of security awareness in support of a security awareness program?

    • Awareness activities should be used to focus on security concerns and respond to those concerns accordingly
    • Awareness is not an activity or part of the training but rather a state of persistence to support the program
    • Awareness is training. The purpose of awareness presentations is to broaden attention of security.
    • Awareness is not training. The purpose of awareness presentation is simply to focus attention on security. 

  9. Which security modes is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?

    • Biba
    • Graham-Denning
    • Clark-Wilson 
    • Beil-LaPadula

  10. Why is planning in Disaster Recovery (DR) an interactive process?

    • It details off-site storage plans
    • It identifies omissions in the plan 
    • It defines the objectives of the plan
    • It forms part of the awareness process

  11. Mandatory Access Controls (MAC) are based on:

    • security classification and security clearance 
    • data segmentation and data classification
    • data labels and user access permissions
    • user roles and data encryption

  12. In Disaster Recovery (DR) and Business Continuity (DC) training, which BEST describes a functional drill?

    • a functional evacuation of personnel
    • a specific test by response teams of individual emergency response functions
    • an activation of the backup site
    • a full-scale simulation of an emergency and the subsequent response functions. 

  13. What is the foundation of cryptographic functions?

    • Cipher
    • Encryption
    • Hash
    • Entropy

  14. Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?

    • Data tokenization 
    • Volume encryption
    • Transparent Data Encryption (TDE)
    • Column level database encryption

  15. The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover.

    Which access control mechanism would be preferred?

    • Attribute Based Access Control (ABAC)
    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role-Based Access Control (RBAC) 

  16. Which of the following management process allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

    • Configuration 
    • Identity
    • Compliance
    • Patch

  17. Which security access policy contains fixed security attributes that are used by the system to determine a user’s access to a file or object?

    • Mandatory Access Control (MAC)
    • Access Control List (ACL)
    • Discretionary Access Control (DAC)
    • Authorized user control

  18. Which of the following is a common characteristic of privacy?

    • Provision for maintaining an audit trail of access to the private data 
    • Notice to the subject of the existence of a database containing relevant credit card data
    • Process for the subject to inspect and correct personal data on-site
    • Database requirements for integration of privacy data

  19. At a MINIMUM, audits of permissions to individual or group accounts should be scheduled

    • annually 
    • to correspond with staff promotions
    • to correspond with terminations
    • continually

  20. Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment?

    • identification of data location 
    • integration with organizational directory services for authentication
    • accommodation of hybrid deployment models
    • tokenization of data