
Review Questions

1. Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. A stand-alone system
D. The Internet

2. Vulnerabilities and risks are evaluated based on their threats against which of the following?

A. One or more of the CIA Triad principles
B. Data usefulness
C. Due care
D. Extent of liability

3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

A. Identification
B. Availability
C. Encryption
D. Layering

4. Which of the following is not considered a violation of confidentiality?

A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering

5. Which of the following is not true?

A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _________________________ the data, objects, and resources.

A. Control
B. Audit
C. Access
D. Repudiate

8. ____________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.

A. Seclusion
B. Concealment
C. Privacy
D. Criticality

9. All but which of the following items requires awareness for all individuals affected?

A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

12. Which of the following is the most important and distinctive concept in relation to layered security?

A. Multiple
B. Series
C. Parallel
D. Filter

Chapter Two

7. Which of the following statements is not true?

A. IT security can provide protection only against logical or technical attacks.
B. The process by which the goals of risk management are achieved is known as risk analysis.
C. Risks to an IT infrastructure are all computer based.
D. An asset is anything used in a business process or task.

8. Which of the following is not an element of the risk analysis process?

A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

9. Which of the following would generally not be considered an asset in a risk analysis?

A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files

10. Which of the following represents accidental or intentional exploitations of vulnerabilities?

A. Threat events
B. Risks
C. Threat agents
D. Breaches

11. When a safeguard or a countermeasure is not present or is not sufficient, what remains?

A. Vulnerability
B. Exposure
C. Risk
D. Penetration

12. Which of the following is not a valid definition for risk?

A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure

16. What security control is directly focused on preventing collusion?

A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis

17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?

A. Education
B. Awareness
C. Training
D. Termination

18. Which of the following is not specifically or directly related to managing the security function of an organization?

A. Worker job satisfaction
B. Metrics
C. Information security strategies
D. Budget

Chapter Three

1. What is the first step that individuals responsible for the development of a business continuity plan should perform?

A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

2. Once the BCP team is selected, what should be the first item placed on the team’s agenda?

A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

3. What is the term used to describe the responsibility of a firm’s officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization’s continued viability?

A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility

4. What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware
B. Software
C. Processing time
D. Personnel

16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization

18. What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?

A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment

Chapter Four

1. Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

2. Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

3. What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures?

A. Criminal law
B. Common law
C. Civil law
D. Administrative law

4. Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information?

A. National Security Agency
B. Federal Bureau of Investigation
C. National Institute of Standards and Technology
D. Secret Service
