CISSP : Certified Information Systems Security Professional : Part 07

CISSP : Certified Information Systems Security Professional : Part 07

CISSP : Certified Information Systems Security Professional : Part 07

  1. Which of the following attributes could be used to describe a protection mechanism of an open design methodology?

    • It exposes the design to vulnerabilities and malicious attacks
    • It can facilitate independent confirmation of the design security
    • It can facilitate blackbox penetration testing
    • It must be tamperproof to protect it from malicious attacks

  2. What is the BEST approach for maintaining ethics when a security professional is unfamiliar with the culture of a country and is asked to perform a questionable task?

    • Exercise due diligence when deciding to circumvent host government requests
    • Become familiar with the means in which the code of ethics is applied and considered
    • Complete the assignment based on the customer’s wishes
    • Execute according to the professional’s comfort level with the code of ethics

  3. What does the term “100-year floodplain” mean to emergency preparedness officials?

    • The odds of a flood at this level are 1 in 100 in any given year
    • The area is expected to be safe from flooding for at least 100 years
    • The last flood of any kind to hit the area was more than 100 years ago
    • The odds are that the next significant flood will hit within the next 100 years

  4. Which one of the following documentation should be included in a Disaster Recovery (DR) package?

    • Source code, compiled code, firmware updates, operational log book and manuals
    • Data encrypted in original format, auditable transaction data, and recovery instructions tailored for future extraction on demand
    • Hardware configuration instructions, hardware configuration software, an operating system image, a data restoration option, media retrieval instructions, and contact information
    • System configuration including hardware, software hardware interfaces, software Application Programming Interface (API) configuration, data structure, and transaction data from the previous period

  5. An organization is designing a large enterprise-wide document repository system. They plan to have several different classification level areas with increasing levels of controls. The BEST way to ensure document confidentiality in the repository is to:

    • encrypt the contents of the repository and document any exceptions to that requirement
    • utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected
    • keep individuals with access to high security areas from saving those documents into lower security areas
    • require individuals with access to the system to sign Non-Disclosure Agreements (NDA)

  6. Which of the following MUST be considered when developing business rules for a data loss prevention (DLP) solution?

    • Data availability
    • Data sensitivity
    • Data ownership
    • Data integrity

  7. Which of the following is an important requirement when designing a secure remote access system?

    • Configure a Demilitarized Zone (DMZ) to ensure that user and service traffic is separated
    • Provide privileged access rights to computer files and systems
    • Ensure that logging and audit controls are included
    • Reduce administrative overhead through password self service

  8. What is the FIRST step in establishing an information security program?

    • Identify critical security infrastructure
    • Establish baseline security controls
    • Establish an information security policy
    • Identify factors affecting information security

  9. What does the result of Cost-Benefit Analysis (CBA) on new security initiatives provide?

    • Quantifiable justification
    • Baseline improvement
    • Risk evaluation
    • Formalized acceptance

  10. In a large company, a system administrator needs to assign users access to files using Role Based Access Control (RBAC). Which option is an example of RBAC?

    • Allowing users access to files based on their group membership
    • Allowing users access to files based on username
    • Allowing users access to files based on the users location at time of access
    • Allowing users access to files based on the file type

  11. Which of the following access control models is MOST restrictive?

    • Discretionary Access Control (DAC)
    • Mandatory Access Control (MAC)
    • Role Based Access Control (RBAC)
    • Rule based access control

  12. Which of the following is a security weakness in the evaluation of Common Criteria (CC) products?

    • The manufacturer can state what configuration of the product is to be evaluated
    • The product can be evaluated by labs in other countries
    • The Target of Evaluation’s (TOE) testing environment is identical to the operating environment
    • The evaluations are expensive and time-consuming to perform

  13. Which of the following is a canon of the (ISC)2 Code of Ethics?

    • Integrity first, association before self, and excellence in all we do
    • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical standards
    • Provide diligent and competent service to principals
    • Cooperate with others in the interchange of knowledge and ideas for mutual security

  14. In the Common Criteria (CC) for Information Technology (IT) security evaluation, increasing Evaluation Assurance Levels (EAL) results in which of the following?

    • Increase in evaluated systems
    • Increased interoperability
    • Increased functionality
    • Increase in resource requirement

  15. To control the scope of a Business Continuity Management (BCM) system, a security practitioner should identify which of the following?

    • Size, nature, and complexity of the organization
    • Business needs of the security organization
    • All possible risks
    • Adaptation model for future recovery planning

  16. When dealing with shared, privileged accounts, especially those for emergencies, what is the BEST way to assure non-repudiation of logs?

    • Implement a password vaulting solution
    • Lock passwords in tamperproof envelopes in a safe
    • Regularly change the passwords
    • Implement a strict access control policy

  17. Which of the following is a characteristic of a challenge/response authentication process?

    • Using a password history blacklist
    • Requiring the use of non-consecutive numeric characters
    • Presenting distorted graphics of text for authentication
    • Transmitting a hash based on the user’s password

  18. Which of the following models uses unique groups contained in unique conflict classes?

    • Chinese Wall
    • Bell-LaPadula
    • Clark-Wilson
    • Biba

  19. Which of the following threats exists with an implementation of digital signatures?

    • Spoofing
    • Substitution
    • Eavesdropping
    • Content tampering

  20. Why should Open Web Application Security Project (OWASP) Application Security Verification Standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?

    • Most regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications
    • Securing applications at ASVS Level 1 provides adequate protection for sensitive data
    • ASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats
    • Opportunistic attackers will look for any easily exploitable vulnerable applications