
Chapter 1

1. Which of the following college curricula is more appropriate for a career in network/info security?
A) business administration
B) computer information systems
C) both of the above
D) none of the above
Feedback: Page 1
Points Earned: 0.0/7.0
Correct Answer(s): C

2. Which group is responsible for ensuring that systems are auditable and protected from excessive privileges?
A) compliance officers
B) access coordinators
C) security administrators
D) policy makers
Feedback: Pages 9 and 10
Points Earned: 0.0/7.0
Correct Answer(s): C

3. Sound network/info security policy:
A) is a balance between the cost of protecting information and resources and the value of those items being protected.
B) is worth any price.
C) belongs exclusively to the IT department.
D) results in unique practices and policies specific to the owning IT department.
Feedback: Page 8
Points Earned: 0.0/7.0
Correct Answer(s): A

4. Careers in information and network security are booming because of which factors?
A) threats of cyber terrorism
B) government regulations
C) growth of the Internet
D) all of the above
Feedback: Page 3
Points Earned: 0.0/7.0
Correct Answer(s): D

5. A career in network/info security:
A) has a better job growth outlook than other areas of IT.
B) is limited by the programming languages the candidate knows.
C) will eventually disappear with improvements in network/info security tools.
D) is a highly complex but narrow discipline.
Feedback: Page 4
Points Earned: 7.0/7.0
Correct Answer(s): A

6. A good definition of network/info security should include:
A) security policies and procedures.
B) intentional attacks only.
C) unintentional attacks only.
D) none of the other listed answers.
Feedback: Page 9
Points Earned: 7.0/7.0
Correct Answer(s): A

7. Which of the following would be part of a program in network/info security? Select all correct answers.
A) laws and ethical practices.
B) file and access controls.
C) probability and statistics.
D) None of the other answers are fit topics for such a program.
Feedback: Page 8
Points Earned: 6.0/6.0
Correct Answer(s): A, B, C

8. The growing demand for network/information security specialists is occurring predominately in what types of organizations?
A) government
B) corporations
C) not-for-profit organizations
D) all of the above answers
E) none of the above answers
Feedback: Page 3
Points Earned: 7.0/7.0
Correct Answer(s): D

9. Which of the following groups helps security development teams with risk analysis?
A) security testers
B) compliance officers
C) security consultants
D) security architects
Feedback: Pages 9 and 10
Points Earned: 0.0/7.0
Correct Answer(s): C

10. Information security is a discipline that manages which of the following? Select all correct answers.
A) technology
B) people
C) processes
D) organizations
Feedback: All of Chapter 1
Points Earned: 6.0/8.0
Correct Answer(s): A, B, C, D

11. Which of the following would make an individual seeking a career in network/info security more marketable?
A) CISSP certification
B) GIAC certification
C) evaluating virus and network protection products in a home lab
D) all of the above answers
Feedback: Pages 5 & 6
Points Earned: 0.0/7.0
Correct Answer(s): D

12. The three objectives of network/information security are:
A) confidentiality, integrity, and availability
B) confidentiality, secrecy, and privacy
C) resilience, privacy, and safety
D) safety, access control, and secrecy
Feedback: Page 2
Points Earned: 7.0/7.0
Correct Answer(s): A

13. What is meant by the umbrella of InfoSec?
A) When it rains it pours.
B) Network/info security incorporates many different pursuits and disciplines.
C) Just as it is bad luck to open an umbrella indoors, it's equally bad luck not to have a network/info security policy.
D) Network/info security policies, like umbrellas, should never be loaned to others as they are easily lost or misused.
Feedback: Page 9
Points Earned: 7.0/7.0
Correct Answer(s): B

Chapter 2

1. A weakness in a system that may possibly be exploited is called a(n):
A) risk.
B) exposure.
C) vulnerability.
D) threat.
Feedback: Page 28
Points Earned: 0.0/8.0
Correct Answer(s): C

2. The two types of security requirements are:
A) logical and physical.
B) logical and assurance.
C) functional and logical.
D) functional and physical.
E) functional and assurance.
Feedback: Page 26
Points Earned: 8.0/8.0
Correct Answer(s): E

3. The CIA triad is usually represented as a:
A) ellipse
B) circle
C) diagonal
D) triangle
Feedback: Page 22
Points Earned: 8.0/8.0
Correct Answer(s): D

4. The three goals of network/information security are:
A) safety, access control, and secrecy
B) confidentiality, integrity, and availability
C) resilience, privacy, and safety
D) confidentiality, secrecy, and privacy
Feedback: Page 21
Points Earned: 8.0/8.0
Correct Answer(s): B

5. The three types of security controls that are necessary to secure a network or system are:
A) people, functions, and technology.
B) people, process, and technology.
C) technology, roles, and separation of duties.
D) separation of duties, processes, and people.
Feedback: Page 29
Points Earned: 0.0/8.0
Correct Answer(s): B

6. A cookbook on how to take advantage of a vulnerability is called a(n):
A) risk.
B) program.
C) exploit.
D) threat.
Feedback: Page 29
Points Earned: 8.0/8.0
Correct Answer(s): C

7. Related to network/info security, confidentiality is the opposite of which of the following?
A) disclosure
B) disposal
C) closure
D) disaster
Feedback: Page 21
Points Earned: 8.0/8.0
Correct Answer(s): A

8. Making sure that data hasn't been changed unintentionally due to accident or malice is:
A) availability
B) auditability
C) integrity
D) confidentiality
Feedback: Page 22
Points Earned: 0.0/8.0
Correct Answer(s): C

9. The probability that a threat to an information system/network will materialize is called:
A) hole
B) vulnerability
C) threat
D) risk
Feedback: Pages 27 and 28
Points Earned: 0.0/8.0
Correct Answer(s): D

10. Defense in Depth is needed to assure that which three mandatory activities are present in a security system?
A) prevention, response, and management
B) prevention, detection, and response
C) response, collection of evidence, and prosecution
D) prevention, response, and prosecution
Feedback: Page 23
Points Earned: 8.0/8.0
Correct Answer(s): B

11. Functional requirements describe:
A) quality assurance description and testing approach.
B) what a security system should do by design.
C) how to implement the system.
D) what controls a security system must implement.
Feedback: Page 26
Points Earned: 8.0/8.0
Correct Answer(s): B

12. The weakest link in any security system is the:
A) process element.
B) technology element.
C) Answers B and C
D) human element.
Feedback: Page 23
Points Earned: 0.0/8.0
Correct Answer(s): D

Chapter 3

1. ISC2 was formed for which of the following purposes?
A) certifying industry professionals and practitioners in an international IS standard
B) all of the above
C) ensuring credentials are maintained, primarily through continuing education
D) maintaining a Common Body of Knowledge for network and information security
Feedback: See page 41.
Points Earned: 0.0/1.0
Correct Answer(s): B

2. The Business Continuity domain includes:
A) plans for recovering business operations in the event of loss of access by personnel
B) documented plans for interacting with law enforcement
C) maintenance of current versions of all software in use by the organization
D) management practices to determine business risks
Feedback: See page 44.
Points Earned: 1.0/1.0
Correct Answer(s): A

3. The Physical Security domain includes:
A) a code of conduct for employees
B) perimeter security controls and protection mechanisms
C) data center controls and specifications for physically secure operations
D) Both answers "B" and "C"
Feedback: See pages 44 and 45.
Points Earned: 0.0/1.0
Correct Answer(s): D

4. The Network Security Architecture and Models domain includes:
A) concepts and principles for secure designs of computing
B) concepts and principles for secure application development
C) concepts and principles for secure programs
D) concepts and principles for secure operations
Feedback: See page 43.
Points Earned: 0.0/1.0
Correct Answer(s): A

5. People more interested in certifying themselves as security technical practitioners should consider preparing for which of the following?
A) CISA
B) CISSP
C) CISM
D) GIAC
Feedback: See page 48.
Points Earned: 0.0/1.0
Correct Answer(s): D

6. The CBK contains:
A) 9 domains
B) 7 domains
C) 5 domains
D) 3 domains
E) 10 domains
F) 11 domains
G) 6 domains
Feedback: See page 42.
Points Earned: 1.0/1.0
Correct Answer(s): E

7. The Application Development Security domain includes:
A) quality assurance testing of custom-developed software
B) a recipe book for developers to follow in building secure applications
C) a language guide on programming security functions
D) an outline for the software development environment to address security concerns
Feedback: See page 47.
Points Earned: 0.0/1.0
Correct Answer(s): D

8. The Access Control Systems and Methodology domain includes:
A) a methodology for applications development
B) instructions on how to install perimeter door security
C) a methodology for secure network/data center operations
D) a collection of mechanisms to create secure architectures for asset protection
Feedback: See page 45.
Points Earned: 0.0/1.0
Correct Answer(s): D

9. The Security Management Practices domain includes:
A) identification of security products
B) documented policies, standards, procedures, and guidelines
C) management of risks to corporate assets
D) answers B and C only
Feedback: See page 43.
Points Earned: 0.0/1.0
Correct Answer(s): D

10. The Operations Security domain includes:
A) a mechanism to detect a physical intrusion into a data center
B) identification of procedural controls over hardware, media, and personnel
C) evidence collection and preservation for computer crimes
D) password management
Feedback: See page 45.
Points Earned: 0.0/1.0
Correct Answer(s): B

11. The Telecommunications, Network, and Internet Security domain includes:
A) technology, principles, and best practices to secure telephone networks
B) technology, principles, and best practices to secure corporate data networks
C) technology, principles, and best practices to secure Internet-attached networks
D) All of the above
Feedback: See page 46.
Points Earned: 1.0/1.0
Correct Answer(s): D

12. The Law, Investigation, and Ethics domain includes:
A) a council to determine the ethical behavior of security personnel
B) methods to investigate computer crime incidents
C) teams of lawyers to determine the legality of security decisions
D) private law enforcement personnel
Feedback: See page 44.
Points Earned: 1.0/1.0
Correct Answer(s): B

13. People more interested in certifying themselves as security experts in a business context should consider preparing for which certification?
A) CompTIA's Security+ and GIAC
B) Symantec Technology Architect and CompTIA's Security+
C) CISA and CISM
D) GIAC and Cisco Firewall Specialist
Feedback: See page 47.
Points Earned: 0.0/1.0
Correct Answer(s): C

14. The ISC2 network/information security Common Body of Knowledge is:
A) a compilation and distillation of all security information collected internationally of relevance to network/information security professionals
B) a volume of books published by ISC2
C) an encyclopedia of information security principles, best practices, and regulations
D) a reference list of books and other publications put together by practitioners in network/information security
Feedback: See page 42.
Points Earned: 0.0/1.0
Correct Answer(s): A

15. The Cryptological domain includes:
A) tools and techniques to intercept competitors' secrets
B) principles, means, and methods to disguise information to assure confidentiality, integrity, and authenticity
C) procedures on how to protect Internet communications
D) procedures on how to discover cryptographic keys
Feedback: See page 46.
Points Earned: 0.0/1.0
Correct Answer(s): B

Chapter 4

1. Step-by-step directions to execute a specific security activity are referred to as a:
A) Standard
B) Guideline
C) Regulation
D) Procedure
Points Earned: 0.0/1.0
Correct Answer(s): D

2. Which of the following would be the first step in establishing a network/information security program?
A) purchase of security access control software
B) development and implementation of a network/information security standards manual
C) adoption of a corporate network/information security policy statement
D) development of a security awareness-training program for employees
Feedback: See page 60.
Points Earned: 0.0/1.0
Correct Answer(s): C

3. What can be best defined as high-level statements, beliefs, goals, and objectives?
A) standards
B) guidelines
C) policies
D) procedures
Feedback: See page 61.
Points Earned: 0.0/1.0
Correct Answer(s): C

4. Within network and IT security, which of the following combinations best describes risk?
A) threat coupled with a breach of security
B) threat coupled with an attack
C) threat coupled with a vulnerability
D) vulnerability coupled with a breach
Feedback: See pages 78-79.
Points Earned: 1.0/1.0
Correct Answer(s): C

5. Which of the following is not part of a security policy?
A) statement of management intent, supporting the goals and principles of information security
B) definition of the overall steps of information security and the importance of security
C) description of specific technologies used in the field of information security regulations
D) definition of general and specific responsibilities for information security management
Feedback: See pages 60 and 63.
Points Earned: 0.0/1.0
Correct Answer(s): C

6. Which of the following is an advantage of qualitative over quantitative risk analysis?
A) It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B) It makes a cost-benefit analysis of recommended controls easier.
C) It can be easily automated.
D) It provides specific quantifiable measurements of the magnitude of the impacts.
Feedback: See page 80.
Points Earned: 1.0/1.0
Correct Answer(s): A

7. An effective security policy would not have which of the following characteristics?
A) specify areas of responsibility and authority
B) be understandable and supported by all stakeholders
C) include separation of duties
D) be designed for short- to mid-term focus
Feedback: See pages 59-70.
Points Earned: 0.0/1.0
Correct Answer(s): D

8. Step-by-step instructions used to satisfy control requirements are called a:
A) guideline.
B) procedure.
C) standard.
D) policy.
Feedback: See pages 71 and 74.
Points Earned: 1.0/1.0
Correct Answer(s): B

9. Controls are implemented to:
A) eliminate risk and eliminate the potential for loss
B) mitigate risk and reduce the potential for loss
C) eliminate risk and reduce the potential for loss
D) mitigate risk and eliminate the potential for loss
Feedback: See page 79.
Points Earned: 0.0/1.0
Correct Answer(s): B

10. Which of the following shouldn't be addressed by employee termination practices?
A) removal of the employee from active payroll files
B) employee bonding to protect against losses due to theft
C) return of access badges
D) deletion of assigned logon IDs and passwords to prohibit system access
Feedback: See pages 76-77.
Points Earned: 0.0/1.0
Correct Answer(s): B

11. Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?
A) an exposure
B) a threat
C) a risk
D) a vulnerability
Feedback: See page 78.
Points Earned: 1.0/1.0
Correct Answer(s): D

12. What can be defined as an event that could cause harm to a network/information system?
A) a weakness
B) a threat
C) a vulnerability
D) a risk
Feedback: See page 78.
Points Earned: 1.0/1.0
Correct Answer(s): B

13. A(n) ____________ policy might prescribe the need for information security and may delegate the creation and management of the program.
A) System-specific
B) Programme-level
C) Programme-framework
D) Issue-specific
Points Earned: 0.0/1.0
Correct Answer(s): B

14. What is the difference between advisory and regulatory security policies?
A) Regulatory policies are high-level policies, whereas advisory policies are very detailed.
B) Advisory policies are mandated and regulatory policies are not.
C) There are no differences between them.
D) Advisory policies provide recommendations.
Feedback: See pages 70 and 71.
Points Earned: 1.0/1.0
Correct Answer(s): D

15. The supporting documents derived from policy statements include which of the following? Select all correct answers.
A) Regulations
B) Procedural maps
C) Standards and baselines
D) Guidelines
Points Earned: 1.0/1.0
Correct Answer(s): A, C, D

Chapter 5

1. Which Orange Book security rating introduces security labels?
A) B1
B) C2
C) B2
D) B3
Feedback: See page 99.
Points Earned: 1.0/1.0
Correct Answer(s): A

2. Which of the listed Orange Book ratings represents the highest security level?
A) F6
B) B1
C) C2
D) B2
Feedback: See page 99.
Points Earned: 0.0/1.0
Correct Answer(s): D

3. Which of the following uses a specific OS and lacks a standard interface to connect to other systems?
A) Finite-state machine
B) None of the above
C) Open system
D) Closed system
Points Earned: 1.0/1.0
Correct Answer(s): D

4. What can best be defined as the sum of protection mechanisms inside a computer, including hardware, firmware, and software?
A) security kernel
B) security perimeter
C) trusted system
D) trusted computing base
Feedback: See page 90.
Points Earned: 0.0/1.0
Correct Answer(s): D

5. Functional requirements and assurance requirements answer which of the following questions?
A) Both of the above
B) Does the system do the right things?
C) None of the above
D) Does the system do the right things in the right way?
Points Earned: 0.0/1.0
Correct Answer(s): A

6. Which Orange Book hierarchical levels require mandatory protections?
A) Divisions B and C
B) Divisions A and B
C) Divisions A, B, and C
D) Divisions D and B
Feedback: See pages 99-101.
Points Earned: 1.0/1.0
Correct Answer(s): B

7. What is the Biba security model concerned with?
A) availability
B) integrity
C) confidentiality
D) reliability
Feedback: See page 114.
Points Earned: 1.0/1.0
Correct Answer(s): B

8. Which of the following statements about the CC is NOT true?
A) Users and developers defining security requirements ignore environmental threats
B) CC breaks functional and assurance requirements into distinct elements
C) CC provides a common language for security requirements
D) Users and developers of IT security products create protection profiles
Points Earned: 0.0/1.0
Correct Answer(s): A

9. Which of the following isn't a method to protect subjects, objects, and data within the objects?
A) layering
B) abstraction
C) data hiding
D) data mining
Feedback: See page 94.
Points Earned: 1.0/1.0
Correct Answer(s): D

10. Which of the following places the Orange Book classifications in order from most secure to least secure?
A) Division D, Division B, Division A, Division C
B) Division A, Division B, Division C, Division D
C) Division D, Division C, Division B, Division A
D) Division C, Division D, Division B, Division A
Feedback: See pages 98-101.
Points Earned: 0.0/1.0
Correct Answer(s): B

11. What is the main concern of the Bell-LaPadula security model?
A) availability
B) confidentiality
C) integrity
D) accountability
Feedback: See page 113.
Points Earned: 0.0/1.0
Correct Answer(s): B

12. The ITSEC was written to address which of the following that the Orange Book did not address?
A) integrity and confidentiality
B) confidentiality and availability
C) none of the above
D) integrity and availability
Feedback: See page 102.
Points Earned: 0.0/1.0
Correct Answer(s): D

13. The Orange Book is founded upon which security model?
A) the Biba model
B) TEMPEST
C) the Bell-LaPadula model
D) the Clark-Wilson model
Feedback: See page 113.
Points Earned: 1.0/1.0
Correct Answer(s): C

14. What does CC stand for?
A) enCrypted Communications
B) Common Criteria for Information Security Evaluation
C) Circular Certificate rollover
D) Certificate Creation
Feedback: See page 105.
Points Earned: 1.0/1.0
Correct Answer(s): B

15. Which of the following choices describes a condition when RAM and secondary storage are used together?
A) real storage
B) primary storage
C) virtual storage
D) secondary storage
Feedback: See page 95.
Points Earned: 1.0/1.0
Correct Answer(s): C

Chapter 6

1. Which of the following would be considered a man-made disaster?
A) earthquake
B) wildcat strike
C) tornado
D) flooding caused by a hurricane
Points Earned: 1.0/1.0
Correct Answer(s): B

2. The primary goal of a DRP is to:
A) reassure employees that the organization puts their safety above all else.
B) protect the image of the organization above all.
C) educate employees about emergency evacuation procedures.
D) alarm employees as a call to arms.
Feedback: See page 124.
Points Earned: 0.0/1.0
Correct Answer(s): A

3. The scope definition of the BCP should include all of the following EXCEPT:
A) prioritizing critical business processes.
B) calculating the value and cost of continuing important business processes.
C) assessing the cost to the business if critical services are disrupted.
D) performing a dry run of emergency fire and medical evacuation procedures.
Feedback: See the bottom of page 127 and the top of page 128.
Points Earned: 0.0/1.0
Correct Answer(s): D

4. What is a mobile unit site?
A) a SWAT team that provides first-response service.
B) a backup power supply, typically a diesel or gasoline generator.
C) a fully equipped recovery site on wheels.
D) a convenient means for employees to give blood.
Feedback: See page 132.
Points Earned: 1.0/1.0
Correct Answer(s): C

5. What is the purpose of a BIA?
A) To define a strategy that minimizes the effect of disturbances and allows for the resumption of business processes.
B) To emphasize the organization's commitment to employees and vendors.
C) To create a document that's used to help management understand what impact a disruptive event would have on the business.
D) To work with executive management to develop a DRP.
Feedback: See page 129.
Points Earned: 0.0/1.0
Correct Answer(s): C

6. According to the Gartner Group:
A) Organizations with fewer than 100 employees generally do not need a DRP.
B) Organizations with sound business continuity plans never experience an interruption of business.
C) The BCP and DRP are interchangeable in most organizations.
D) Approximately 40% of businesses that experience a disaster of some sort go out of business.
Feedback: See page 125.
Points Earned: 1.0/1.0
Correct Answer(s): D

7. Which of the following options would not be considered in a disaster recovery plan or business continuity plan?
A) Multiple centers to spread processing across sites
B) New business
C) Service bureaus for fast response
D) Mobile units provided by a third party
Points Earned: 0.0/1.0
Correct Answer(s): B

8. The BIA prioritizes systems for recovery and ____________ are at the top of the list.
A) Less critical systems
B) Mission-required systems
C) Mission-critical systems
D) Nice-to-have systems
Points Earned: 1.0/1.0
Correct Answer(s): C

9. What is a benefit of cold sites?
A) high cost
B) hardware and communication links
C) quick recovery
D) low cost
Feedback: See page 131.
Points Earned: 1.0/1.0
Correct Answer(s): D

10. Using multiple centers as a recovery site has what main disadvantage?
A) Services may be shared between in-house and outside services.
B) Processing is shared by multiple sites.
C) Multiple centers offer redundant processing.
D) Multiple centers are more difficult to administer than other types.
Feedback: See page 131.
Points Earned: 1.0/1.0
Correct Answer(s): D

11. What is the prime priority of disaster recovery?
A) protecting hardware
B) personnel safety
C) transaction processing
D) protecting software
Feedback: See page 124 (mid-page).
Points Earned: 0.0/1.0
Correct Answer(s): B

12. Why is a BCP important?
A) It has spawned a new cottage industry for business planning experts.
B) It minimizes disruption in business continuity.
C) It eliminates risk in an organization.
D) The public is unaware of problems within the organization.
Feedback: See page 126.
Points Earned: 1.0/1.0
Correct Answer(s): B