Multiple-Choice Questions
A. Risk
B. Countermeasure
C. Vulnerability
D. Threat
Explanation: A threat is any action that could damage an asset. Information systems face
both natural and human-induced threats.
2. Bob recently accepted a position as the information security and compliance manager
for a medical practice. Which regulation is likely to most directly apply to Bob's
employer?
Answer: B Reference: U.S. Compliance Laws Drive Need for Information Systems
Security
Explanation: HIPAA requires that health care organizations have security and privacy
controls implemented to ensure patient privacy.
3. Rachel is investigating an information security incident that took place at the high
school where she works. She suspects that students may have broken into the student
records system and altered their grades. If correct, which one of the tenets of
information security did this attack violate?
A. Confidentiality
B. Integrity
C. Availability
D. Nonrepudiation
Explanation: The scenario describes a case where an unauthorized user made a change
to information stored in a protected system. The integrity tenet requires that only
authorized users have the ability to change information.
4. Which one of the following measures the average amount of time that it takes to
repair a system, application, or component?
A. Uptime
B. Mean time to failure (MTTF)
C. Mean time to repair (MTTR)
D. Recovery time objective (RTO)
Explanation: MTTR is the average amount of time that it takes to repair a system,
application, or component. The goal is to bring the system back up quickly.
5. Juan's web server was down for an entire day last September. It experienced no other
downtime during that month. Which one of the following represents the web server
uptime for that month?
A. 96.67%
B. 3.33%
C. 99.96%
D. 0.04%
6. Which mitigation plan is most appropriate to limit the risk of unauthorized access to
workstations?
A. Password protection
B. Antivirus software
C. Deactivating USB ports
D. Vulnerability scanning
Answer: D Reference: Risks, Threats, and Vulnerabilities Commonly Found in the WAN
Domain (Internet)
A. 20
B. 22
C. 23
D. 80
Explanation: The Secure Shell (SSH) protocol uses port 22. SSH is a network protocol for
performing remote terminal access to another device. SSH encrypts data for maintaining
confidentiality of communications. Port 20 corresponds to the File Transfer Protocol
(FTP), which is a cleartext protocol. Port 23 corresponds to the Telnet protocol, which is
a cleartext protocol. Port 80 corresponds to the Hypertext Transfer Protocol (HTTP),
which is a cleartext protocol.
9. Which network device is capable of blocking network connections that are identified
as potentially malicious?
Explanation: An IPS examines Internet Protocol (IP) data streams for signs of malicious
activity and can block those streams identified as malicious. IPSs can end the actual
communication session, filter by source IP addresses, and block access to the targeted
host.
10. Which risk is most effectively mitigated by an upstream Internet service provider
(ISP)?
Answer: A Reference: Risks, Threats, and Vulnerabilities Commonly Found in the LAN-to-
WAN Domain
Explanation: Upstream ISPs must participate in DDoS attack prevention and discard
IP packets when a stream of half-open Transmission Control Protocol (TCP) SYN packets
starts to flood the ISP link.
11. Beth must purchase firewalls for several network circuits used by her organization.
Which one circuit will have the highest possible network throughput?
A. DS1
B. DS3
C. OC-3
D. OC-12
Explanation: OC-12 circuits have a maximum capacity of 622 Mbps compared to 155
Mbps for OC-3, 1.544 Mbps for DS1, and 45 Mbps for DS3.
12. What is NOT a common endpoint for a virtual private network (VPN) connection
used for remote network access?
A. Laptop
B. Firewall
C. Router
D. Content filter
Answer: D Reference: Remote Access Domain
Explanation: VPN connections used for client access to a remote network normally have
one endpoint at a user's workstation, laptop, or mobile device and another endpoint on
a firewall or router.
13. Which one of the following is typically used during the identification phase of a
remote access connection?
A. Username
B. Password
C. Token
D. Fingerprint
Explanation: During the identification process, the user provides identifying information,
such as a username, logon ID, or account number.
14. During what phase of a remote access connection does the end user prove his or her
claim of identity?
A. Identification
B. Authentication
C. Authorization
D. Tokenization
Answer: B Reference: Risks, Threats, and Vulnerabilities Commonly Found in the Remote
Access Domain
Explanation: The authentication process proves that a remote user is who the user
claims to be. The most common authentication method is supplying a password.
A. Password
B. Biometric scan
C. Identification number
D. Token
Answer: C Reference: Risks, Threats, and Vulnerabilities Commonly Found in the Remote
Access Domain
Explanation: Passwords, biometric scans, and tokens are all valid authentication
techniques. Identification numbers are not secret and are more commonly used for the
identification phase, rather than the authentication phase.
16. Which element of the security policy framework requires approval from upper
management and applies to the entire organization?
A. Policy
B. Standard
C. Guideline
D. Procedure
Explanation: Policies are short written statements that the people in charge of an
organization have set as a course of action or direction. A policy comes from upper
management and applies to the entire organization.
17. Which element of the security policy framework offers suggestions rather than
mandatory actions?
A. Policy
B. Standard
C. Guideline
D. Procedure
Explanation: Guidelines are suggested courses of action for using policies, standards,
and/or procedures. Guidelines can be specific or flexible regarding use.
18. Chris is writing a document that provides step-by-step instructions for end users
seeking to update the security software on their computers. Performing these updates is
mandatory. Which type of document is Chris writing?
A. Policy
B. Standard
C. Guideline
D. Procedure
Explanation: Procedures are written instructions for carrying out actions required by a
policy or standard. They may include a plan of action, installation, testing, and auditing
of security controls.
19. Which element of the IT security policy framework provides detailed written
definitions for hardware and software and how they are to be used?
A. Policy
B. Standard
C. Guideline
D. Procedure
Explanation: A standard is a detailed written definition for hardware and software and
how they are to be used. Standards ensure that consistent security controls are used
throughout the IT system.
Type: Multiple Choice Difficulty: Easy Category: Remember
20. Which classification level is the highest level used by the U.S. federal government?
A. Top Secret
B. Secret
C. Confidential
D. Private
Explanation: Top Secret is the highest classification level used by the U.S. government. It
applies to information that the classifying authority finds would cause grave damage to
national security if it were disclosed.
True/False Questions
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Type: True/False
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Explanation:
Type: True/False
5. The Sarbanes-Oxley (SOX) Act requires all types of financial institutions to protect
customers' private financial information.
A. True
B. False
Answer: B Reference: U.S. Compliance Laws Drive Need for Information Systems
Security
Explanation: The Gramm-Leach-Bliley Act (GLBA) requires all types of financial
institutions to protect customers' private financial information. SOX requires publicly
traded companies to submit accurate and reliable financial reporting.
Type: True/False
6. Access control lists (ACLs) are used to permit and deny traffic in an IP router.
A. True
B. False
Explanation:
Type: True/False
7. Service-level agreements (SLAs) are optical backbone trunks for private optical
backbone networks.
A. True
B. False
Explanation: Nationwide optical backbones are optical backbone trunks for private
optical backbone networks.
Type: True/False
A. True
B. False
Type: True/False
A. True
B. False
Explanation: An Internet Protocol (IP) stateful firewall is a security appliance that is used
to filter IP packets and block unwanted IP, Transmission Control Protocol (TCP), and User
Datagram Protocol (UDP) packet types from entering or leaving the network.
Type: True/False
10. Simple Network Management Protocol (SNMP) is used for network device
monitoring, alarm, and performance.
A. True
B. False
Explanation:
Type: True/False
11. The most critical aspect of a WAN services contract is how the service provider
supplies troubleshooting, network management, and security management services.
A. True
B. False
Answer: A Reference: Risks, Threats, and Vulnerabilities Commonly Found in the WAN
Domain (Internet)
Explanation:
Type: True/False
12. An IT security policy framework is like an outline that identifies where security
controls should be used.
A. True
B. False
Explanation:
Type: True/False
13. Hypertext Transfer Protocol (HTTP) encrypts data transfers between secure browsers
and secure web pages.
A. True
B. False
Type: True/False
14. Cryptography is the process of transforming data from cleartext into ciphertext.
A. True
B. False
Type: True/False
A. True
B. False
Explanation:
Type: True/False
16. The System/Application Domain holds all the mission-critical systems, applications,
and data.
A. True
B. False
Explanation:
Type: True/False
17. In the Remote Access Domain, if private data or confidential data is compromised
remotely, you should set automatic blocking for attempted logon retries.
A. True
B. False
Answer: B Reference: Risks, Threats, and Vulnerabilities Commonly Found in the Remote
Access Domain
Type: True/False
18. Encrypting the data within databases and storage devices gives an added layer of
security.
A. True
B. False
Explanation:
Type: True/False
19. The asset protection policy defines an organization's data classification standard.
A. True
B. False
Explanation: The asset protection policy helps organizations define a priority for mission-
critical IT systems and data. The asset classification policy defines an organization's data
classification standard.
Type: True/False
20. For businesses and organizations under recent compliance laws, data classification
standards typically include private, confidential, internal use only, and public domain
categories.
A. True
B. False
Answer: A Reference: Data Classification Standards
Explanation:
Type: True/False
Category Stats
Analyze: 1
Apply: 4
Evaluate: 0
Remember: 4
Understand: 11
Difficulty Stats
Easy: 4
Medium: 12
Hard: 4