
YZA.A2 CISSP Practice Exam Security & Management Answers


Page 1: YZA.A2 CISSP Practice Exam Security & Management Answers

CISSP Practice Exam Information Security & Risk Management: Answers

1. Which of the following is not an example of security control that ensures confidentiality?

C: Restricting changes is an integrity protecting security mechanism.

2. Who is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur?

A: Senior management is ultimately responsible and liable if the security perimeter of an organization is violated by an intruder and asset losses occur. Senior management is responsible for all aspects of security and is the primary decision maker. However, in most cases the implementation of security is delegated to lower levels of the authority hierarchy, such as the network or system administrators.

3. Which of the following is not an example of a technical or logical security control?

B: Personnel screening is an administrative security control. There are three types of security controls: administrative, physical, and logical or technical.

4. Which of the following is an administrative security control?

A: Personnel screening is an administrative security control.

5. Which of the following is a technical security control?

B: Security devices are technical security controls.

6. Which of the following is a physical security control?

D: Environmental controls are physical security controls.

7. Which of the following is the best personnel arrangement for the design and management of security for an organization?

B: The best personnel arrangement for the design and management of security for an organization is a team of internal security professionals.

8. Which of the following is not a role or responsibility of the Security Administration team or group within an organization?

D: Approving the security policy is the responsibility of senior management, not that of the Security Administration team or group within an organization.

1


9. Who is ultimately responsible for negligence in protecting the assets of an organization?

A: Senior management is ultimately responsible for implementing prudent due care and is liable for negligence in protecting the assets of an organization.

10. Which of the following is not one of the three security control types that a security administrator can employ to manage and impose security?

C: Administrative, technical, and physical are the three security control types that a security administrator can employ to manage and impose security.

11. Which of the following is not an element in the CIA triad?

C: Confidentiality, integrity, and availability are the elements of the CIA triad.

12. Which of the following is a valid definition for confidentiality?

A: Confidentiality can be defined by "Unauthorized disclosure is prevented."

13. Which of the following is not a task assigned to a data owner?

D: Implementing security controls is the responsibility of the security administration team or data custodians, not senior management.

14. A security administrator may employ all but which of the following types of controls to implement a security solution?

A: Executive is not a valid type of security control. The three valid types of security control are administrative, technical (or logical), and physical.

15. Which of the following is an example of an administrative security control?

B: Policies are an example of an administrative security control.

16. Which of the following is not an example of an administrative security control?

C: Identification is an example of a logical/technical security control.

17. Which of the following is not one of the fundamental principles of security included in the CIA triad?

C: While accountability is an important part of IT security, it is not one of the three fundamental principles of security included in the CIA triad, which includes Confidentiality, Integrity and Availability.


18. The ability of a computer system to provide adequate capacity for predictable performance represents which of the fundamental security principles of the CIA triad?

D: The ability of a computer system to provide adequate capacity for predictable performance is an example of Availability.

19. Which of the following is not an example of a physical security control?

C: Biometric authentication is an example of a technical/logical security control.

20. Which of the following is not an example of a valid activity of security management?

D: It is not a good security management practice to implement new security controls, especially in mission critical environments, before that control has been thoroughly tested.

21. Which of the following is an example of a technical security control?

D: Encryption is an example of a technical/logical security control.

22. Which of the following is not an example of a technical security control?

A: Fire detection and suppression is an example of a physical security control.

23. Which of the following is an example of a physical security control?

B: CCTV is an example of a physical security control.

24. Which of the following is an example of a security control that focuses on maintaining availability?

B: Quick recovery from faults is an example of a security control that focuses on maintaining availability.

25. Which of the following is not an example of a security control that focuses on maintaining availability?

C: Implementing need to know access controls is an example of a security control that focuses on maintaining confidentiality.

26. What is a vulnerability?

D: A vulnerability is the absence or weakness of a safeguard that could be exploited.


27. Which of the following is not an example of a security control that focuses on maintaining confidentiality?

C: Change restrictions is an example of a security control that focuses on maintaining integrity.

28. Which of the following is an example of a security control that focuses on maintaining integrity?

D: Encryption of data in transit is an example of a security control that focuses on maintaining integrity.

29. Which of the following is not an example of a security control that focuses on maintaining integrity?

A: Network monitoring is an example of a security control that focuses on maintaining availability.

30. For a security policy to be effective and comprehensive, it must thoroughly address the three fundamental principles of security, which are?

A: The three fundamental principles of security are Confidentiality, Integrity, and Availability.

31. Which of the following is an example of a security control that focuses on maintaining confidentiality?

B: Network traffic padding is an example of a security control that focuses on maintaining confidentiality.

32. Which of the following is not an example of a risk?

A: Failing to review audit logs is not a risk, but it does show a lack of compliance with a realistic security policy. Audit logs will often reveal when a risk has become an actual intrusion or attack.

33. Which of the following is not a method by which risk is reduced or eliminated?

B: Waiting is not a valid response to risk and waiting will not reduce risk.

34. An instance of being exposed to losses from a threat is known as?

C: Exposure is an instance of being exposed to losses from a threat.

35. Which of the following is not an example of a vulnerability?

A: Assigning all users access based on job descriptions is a valid form of security control; however, it is not an example of a vulnerability.

36. Which of the following is an example of a vulnerability?


B: Failing to enforce the password policy is an example of a vulnerability.

37. Which of the following is not an example of a threat?

C: A biometric device failing to authenticate a valid user is a False Rejection (Type I) error, but it is not a threat.

38. Which of the following is an example of a threat?

D: A user destroying confidential data is an example of a threat.

39. Which of the following is not true regarding an operational security plan?

A: A system specific plan includes an approved software list.

40. The purpose of a safeguard is to?

D: A safeguard's purpose is to reduce or remove a vulnerability.

41. Which of the following is not an example of a safeguard?

A: Relaxing the filters on a firewall is the removal of a safeguard.

42. The top down approach to security management provides for all but which of the following?

B: The top down approach to security management does not provide for the assignment of responsibility to down-level administrators. Senior management is always ultimately responsible for the success or failure of the security policy and resulting security solution.

43. Which of the following is not an example of a risk?

C: Replacing human security guards with dogs is a change in a security access control; it is not an example of a risk.

44. Risk is the ______________ of something happening that will damage assets.

D: Risk is the possibility of something happening that will damage assets.

45. When will risk be totally eliminated?

A: Risk will be totally eliminated only when the organization ceases to exist.

46. Which of the following represent the primary security factors that a private sector organization is concerned about?

B: Private sector organizations are primarily concerned about data availability and integrity.

47. The most important aspect of security to military organizations is?

C: Confidentiality is the most important aspect of security to military organizations.


48. What is the primary goal of risk management?

D: The primary goal of risk management is to reduce risk to an acceptable level.

49. An effective safeguard, when evaluated via risk analysis, should?

A: From a risk analysis perspective, an effective safeguard should cost less than the cost of the loss due to the risk.

50. All but which of the following apply to senior management in relation to risk analysis?

B: The Risk Assessment Team should be comprised of a representative from most or all departments, not necessarily senior management.

51. The first step in risk analysis is?

C: Asset valuation is the first step in risk analysis. If assets have no value, there is no need to protect them.

52. Risk management attempts to reduce risk to an acceptable level by performing all but which of the following activities?

A: Tracking down intruders for prosecution is not a function or element of risk management; it is possibly a factor in intrusion detection.

53. Which of the following is not an example of a risk?

B: Blocking ports is a safeguard, not a risk.

54. The value of an asset helps to determine?

D: The value of an asset helps to determine the relative strength and cost of the safeguard selected to protect it.

55. Which of the following is not considered an element in determining the cost of an asset?

A: The cost to train personnel to employ an asset is not as relevant as the costs to develop, acquire, and maintain it when determining the cost of an asset. Training costs are often difficult to quantify, since training on any specific asset is typically grouped with training on overall IT interaction. While this answer is technically correct, it is the least correct answer of those offered.

56. Which of the following is not considered an element in determining the cost of an asset?


B: The cost of backward engineering is the competitor's cost, not the organization's.

57. The purpose of risk management is?

B: The purpose of risk management is risk mitigation. However, even in the most successful implementation, there is always some level of risk.

58. Risk analysis is used to determine whether safeguards are all but which of the following?

C: No safeguard is exhaustive of all risks.

59. The objectives of risk analysis include all but which of the following?

D: Risk analysis is used to compare safeguards, but it does not select the countermeasure to implement. Countermeasure selection is left to the decision makers, i.e. senior management or their delegated administrators.

60. An exposure factor is?

C: An exposure factor is the percentage of loss that a realized threat event would cause against a specific asset.

61. The annualized loss expectancy can be calculated using which of the following equations?

D: The annualized loss expectancy can be calculated using asset value x exposure factor x annualized rate of occurrence. It can also be calculated using single loss expectancy x annualized rate of occurrence.

62. Which of the following is not considered an element in determining the cost of an asset?

C: The file formats used by the asset are typically not an element in determining the cost of an asset.

63. Determining the value of an asset can be useful in all but which of the following requirements or activities?

B: Asset valuation is useful in assigning classifications, in cost/benefit analysis to determine which safeguards to select, and in deciding how much insurance to purchase to cover a particular asset. The risk posed by a threat would not be determined by asset value.

64. A quantitative risk analysis approach employs which of the following?


A: A quantitative risk analysis approach employs specific dollar values assigned to each risk.

65. Which of the following is not true?

B: A purely quantitative risk analysis is not possible, since it is not possible to quantify all qualitative items.

66. What form of qualitative risk analysis employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas?

A: The Delphi technique is a form of qualitative risk analysis that employs a group of people who reach a consensus through an anonymous means of voting and exchanging ideas.

67. Which of the following is not a method used in qualitative risk analysis?

B: Quantitative, not qualitative, risk analysis can be automated with software.

68. The value of a safeguard to an organization can be calculated using a formula which includes all but which of the following factors?

C: Residual risk is not used in the formula for calculating the value of a safeguard, instead it is the calculation of risk remaining after safeguards are implemented.

69. What element in a formalized security infrastructure consists of documents that are compulsory in nature?

C: Standards are primarily compulsory in nature.

70. Which of the following describes the practice of a formalized security infrastructure?

D: Procedures detail step-by-step activities, not guidelines.

71. If _____________________________________, managers can be held liable for negligence and held accountable for asset losses.

A: If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for asset losses.

72. Which of the following is not an accepted response to the results of risk analysis?

B: Rejecting risk is not an accepted response to the results of risk analysis.

73. Which response to risk can be implemented by purchasing insurance against loss?

C: Assigning risk can be implemented by purchasing insurance against loss.


74. Which of the following is not a valid example of assigning risk?

D: Delegating security policy implementation responsibilities is not a valid example of assigning risk. Risk remains the responsibility of senior management; it cannot be delegated.

75. What security mechanism is primarily responsible for implementing security controls that protect data in the most cost-effective manner?

B: Data classification is the security mechanism that is primarily responsible for implementing security controls that protect data in the most cost-effective manner.

76. Which of the following is not one of the five standard data classifications used by the military?

C: Private is a data classification used by the private sector (i.e. corporate business), not the military.

77. What level of private sector data classification represents assets that if disclosed will not cause an adverse impact?

D: The public data classification represents assets that if disclosed will not cause an adverse impact.

78. What is the difference between total risk and residual risk?

D: Residual risk is what remains after selected safeguards are applied (i.e. controls gap). Residual risk = total risk - controls gap.

79. Acceptable risk is?

A: Acceptable risk is the amount of risk an organization is willing to shoulder.

80. What form of security policy outlines the laws and industry restrictions placed upon an organization?

B: Regulatory security policies outline the laws and industry restrictions placed upon an organization.

81. A vulnerability is?

C: The absence of a safeguard is a vulnerability.

82. Which of the following is not a vulnerability?

D: Human error is a threat, not a vulnerability.

83. Which of the following is not a threat?


B: Not inspecting the fire suppression system is an exposure.

84. Which of the following is a valid definition for integrity?

B: Integrity can be defined by "Unauthorized modification is prevented."

85. Which of the following is a valid definition for availability?

C: Availability can be defined by "Resources are accessible at all times by authorized users."

86. How can risk be reduced?

A: Removing the vulnerability or removing the threat agent will reduce risk.

87. Which of the following is not used to mitigate a potential risk?

C: Activity logging is not used to mitigate potential risk, at least not directly.

88. Which of the following is the best definition for countermeasures and safeguards?

D: Reduces the risk of a threat taking advantage of a vulnerability is the best definition offered in this question for countermeasures and safeguards.

89. Which of the following is a security control that ensures availability?

B: Blocking DoS attacks ensures availability.

90. Which of the following is typically not considered a countermeasure or safeguard?

B: Punching through a firewall for VPN connections is not a safeguard or countermeasure and may introduce new vulnerabilities.

91. Who within an organization is responsible for establishment of the foundations of security as well as ongoing support and direction?

C: Upper or senior management is responsible for establishment of the foundations of security as well as ongoing support and direction.

92. Who within an organization is responsible for the development and management of standards, guidelines, and procedures?

B: Middle management is responsible for the development and management of standards, guidelines, and procedures.

93. What aspect of an asset determines whether it should be protected and to what extent that protection should extend?


C: The value of an asset determines its need for security.

94. Which of the following is typically not included in the valuation of an asset?

D: The cost to store and serve an asset is not included in the value evaluation of an asset; that is considered a cost of the infrastructure.

95. What is the primary security purpose for mandatory week long minimum yearly vacations?

D: Mandatory vacations are used to perform auditing.

96. Who is responsible for assigning data classifications?

B: The data owner is responsible for assigning data classification.

97. Which of the following is not a goal of risk analysis?

A: Expanding security awareness training is not a goal of risk analysis.

98. Guidelines serve all but which of the following purposes within an organization's formalized security structure?

A: Guidelines do not serve as step-by-step implementation manuals.

99. A ________________ is a document that includes general statements about the overall state of security for an organization. Senior management creates this document.

D: A policy is a document that includes general statements about the overall state of security for an organization. Senior management creates this document.

100. All but which of the following are characteristics of an effective security plan?

C: Implementing cost effective safeguards is an aspect of a security plan, but not all safeguards or security mechanisms are inexpensive. The cost is not a characteristic of an efficient security plan.

101. What is the formula used to derive annualized loss expectancy?

A: Asset Value x Exposure Factor x Annualized Rate of Occurrence, or Single Loss Expectancy x Annualized Rate of Occurrence, is the formula for the Annualized Loss Expectancy.

102. The security model employed by an organization depends upon their primary needs. What is the primary need of a government or military organization?


D: Confidentiality is the primary need of government and military organizations.

103. Baselines are used for all but which of the following within an organization's formalized security structure.

D: Baselines are not used as operational guides.

104. Which element of a formalized security structure is positioned just above actual implementation and which defines the steps or actions required to deploy security in an organization?

B: A procedure is positioned just above actual implementation and defines the steps or actions required to deploy security in an organization.

105. Which of the following statements is true?

C: A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified.

106. The greatest number of threats to the assets of an organization come from where?

A: The greatest number of threats to the assets of an organization come from inside the organization (over 85%).

107. Which of the following is not a task that should be performed by the risk assessment/risk analysis team?

C: To implement an appropriate countermeasure is not a task of the risk assessment team. They are only to provide cost/analysis of countermeasures. It is the responsibility of management to select an appropriate countermeasure based on the analysis and assign the implementation procedure to the security management/administration team.

108. Who is held liable for an organization's failure to perform due care and due diligence?

C: The senior management is held liable for the failure to perform due care and due diligence.

109. What is the cardinal rule of risk analysis?

D: The cardinal rule of risk analysis is that the annual cost of safeguards should not exceed the possible annual cost of the loss of an asset.

110. Which of the following risk analysis approaches assigns real numbers to the costs of asset loss and countermeasure implementation?


B: Quantitative analysis assigns real numbers to the costs of asset loss and countermeasure implementation.

111. Which of the following military data classification levels is used to label assets that may cause some serious damage to national security if that asset was disclosed?

B: Secret assets may cause serious damage to national security if that asset was disclosed.

112. What security mechanism is often employed as the primary defense against collusion?

A: Job rotation is the primary defense against collusion.

113. In the formula for calculating residual risk, what does the controls gap element represent?

C: The controls gap represents countermeasures and safeguards.

114. Which of the following commercial business data classification levels represents the most sensitive collection of assets?

A: The confidential classification represents the most sensitive collection of assets.

115. Standards are used for what purpose in a formalized security structure?

C: Standards are used to establish uniformity across an organization.

116. Which qualitative analysis method is a group decision method that seeks a consensus while retaining the anonymity of the participants?

A: Delphi Technique

117. All but which of the following statements are true in regards to security awareness training?

B: Obtaining certifications is not a function of Security Awareness Training.

118. What is the most important aspect of the exit interview for terminated employees?

A: The most important aspect of the exit interview is to review non-disclosure agreements.

119. Which of the following is not a reason, benefit, or requirement to perform asset valuation?


A: Asset valuation does not typically improve asset hosting costs.

120. The risk assessment team should be comprised how?

B: The risk assessment team should include members from every department or division. This often requires assigning or appointing team membership rather than relying on volunteers.

121. Risk analysis is used to ensure all but which of the following?

C: No system is 100% risk free.

122. What is the weakest element in an organization's security?

D: People are the weakest element in an organization's security.

123. Which of the following is true?

D: No system can be 100% risk free.

124. The security model employed by an organization depends upon their primary needs. What are the primary needs of a private sector business?

C: The primary needs of a private sector business are integrity and availability.

125. Which of the four possible responses to the identification and cost/benefit analysis of risk is considered an invalid response?

B: Reject is considered an invalid response.

126. Who is responsible for protecting the confidentiality, integrity, and availability of data?

C: The data custodian is responsible for protecting the confidentiality, integrity, and availability of data.

127. What type of policy is not enforceable?

A: Informative policies cannot be enforced.

128. Identification establishes _____________.

D: Accountability. Identification is a means to verify who you are. It enables systems to trace activities to individual users that may be held responsible for their actions.

129. Which of the following is not a type of risk?


B: Backup media verification is not a type of risk, rather it is a safeguard to ensure the viability of backup restorations.

130. How is the value of a safeguard determined?

B: Annual Loss Expectancy before the safeguard - Annual Loss Expectancy after the safeguard - cost of implementing safeguard is the method used to calculate the value of a safeguard.
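The quantitative formulas in this answer key (SLE and ALE from questions 61 and 101, the cardinal rule from question 109, and the safeguard value from question 130) carried through as a worked calculation. This is an added example, not part of the practice exam; the asset value, exposure factor, rates of occurrence and safeguard costs are constructed sample figures, and the `recommend` helper is a hypothetical decision rule that combines the two tests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Inputs of the quantitative risk formulas used in the answer key."""
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one realized threat event (0.0 to 1.0)
    annual_rate: float      # ARO: expected number of threat events per year

    def __post_init__(self) -> None:
        # Reject inputs that make the formulas meaningless.
        if self.asset_value < 0:
            raise ValueError("asset value cannot be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a percentage of loss, 0.0 to 1.0")
        if self.annual_rate < 0:
            raise ValueError("annualized rate of occurrence cannot be negative")

    def sle(self) -> float:
        # Single Loss Expectancy: AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy: SLE x ARO, i.e. AV x EF x ARO (questions 61 and 101)
        return self.sle() * self.annual_rate


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Value of a safeguard (question 130):
    ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard."""
    return before.ale() - after.ale() - annual_cost


def cardinal_rule_holds(before: RiskScenario, annual_cost: float) -> bool:
    """Cardinal rule of risk analysis (question 109): the annual cost of the
    safeguard must not exceed the possible annual cost of losing the asset."""
    return annual_cost <= before.ale()


def recommend(before: RiskScenario, after: RiskScenario, annual_cost: float) -> str:
    """Hypothetical decision helper (not from the exam): implement only when the
    cardinal rule holds AND the safeguard's net value is positive. Passing the
    cardinal rule alone is not enough; a safeguard can cost less than the ALE
    and still lose money if it removes too little of that ALE."""
    if not cardinal_rule_holds(before, annual_cost):
        return "reject: safeguard costs more per year than the loss it guards against"
    if safeguard_value(before, after, annual_cost) <= 0:
        return "reject: safeguard does not pay for itself"
    return "implement"


if __name__ == "__main__":
    # Constructed sample figures: a 200,000 asset, half of it lost per event,
    # one event every four years; the safeguard halves the rate of occurrence.
    before = RiskScenario(asset_value=200_000, exposure_factor=0.5, annual_rate=0.25)
    after = RiskScenario(asset_value=200_000, exposure_factor=0.5, annual_rate=0.125)
    for cost in (5_000, 15_000, 30_000):
        print(f"SLE={before.sle():,.0f}  ALE before={before.ale():,.0f}  "
              f"ALE after={after.ale():,.0f}  cost={cost:,}  "
              f"value={safeguard_value(before, after, cost):,.0f}  -> "
              f"{recommend(before, after, cost)}")
```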

131. The percentage of loss of the value of an asset, which an organization would incur if a threat event was realized, is known as?

D: The exposure factor is the percentage of loss of the value of an asset, which an organization would incur if a threat event was realized.

132. In the realm of risk analysis, senior management is responsible for all but which of the following?

A: The risk assessment team, not senior management, is responsible for performing the cost/benefit analysis.

133. Job rotation as a security mechanism has shown itself effective against which of the following?

C: Job rotation is directly effective against collusion.

134. The likelihood of a threat taking advantage of a vulnerability is known as?

A: Risk is the likelihood of a threat taking advantage of a vulnerability.

135. The security administration team should be responsible for all but which of the following?

C: Approving the security policy is the responsibility of senior management, not the security administration team.
