CISSP Past Paper PDF

Summary

This document contains practice questions for a CISSP exam. The questions cover various aspects of information security, including business continuity, business impact analysis, and risk management. The questions are in a multiple-choice format, and the answers are possibly available in another corresponding file.

Full Transcript

QUESTION 1
All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT
questions that
A. determine the risk of a business interruption occurring
B. determine the technological dependence of the business processes
C. Identify the operational impacts of a business interruption
D. Identify the financial impacts of a business interruption

QUESTION 2
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
A. Examine the device for physical tampering
B. Implement more stringent baseline configurations
C. Purge or re-image the hard disk drive
D. Change access codes

QUESTION 3
What is the MOST important consideration from a data security perspective when an organization plans to
relocate?
A. Ensure the fire prevention and detection systems are su icient to protect personnel
B. Review the architectural plans to determine how many emergency exits are present
C. Conduct a gap analysis of a new facilities against existing security requirements
D. Revise the Disaster Recovery and Business Continuity (DR/BC) plan

QUESTION 4
Intellectual property rights are PRIMARY concerned with which of the following?
A. Owner’s ability to realize financial gain
B. Owner’s ability to maintain copyright
C. Right of the owner to enjoy their creation
D. Right of the owner to control delivery method

QUESTION 5
A control to protect from a Denial-of-Service (DoS) attach has been determined to stop 50% of attacks, and
additionally reduces the impact of an attack by 50%. What is the residual risk?
A. 25%
B. 50%
C. 75%
D. 100%

QUESTION 6
What is the term commonly used to refer to a technique of authentication one machine to another by forging
packets from a trusted source?
A. Smurfing
B. Man-in-the-Middle (MITM) attack
C. Session redirect
D. Spoofing

QUESTION 7
Which of the following entails identification of data and links to business processes, applications, and data
stores as well as assignment of ownership responsibilities?
A. Security governance
B. Risk management
C. Security portfolio management
D. Risk assessment

QUESTION 8
Which of the following would MINIMIZE the ability of an attacker to exploit a bu er overflow?
A. Memory review
B. Code review
C. Message division
D. Bu er division

QUESTION 9
Which of the following is MOST important when assigning ownership of an asset to a department?
A. The department should report to the business owner
B. Ownership of the asset should be periodically reviewed
C. Individual accountability should be ensured
D. All members should be trained on their responsibilities

QUESTION 10
Which of the following BEST describes the responsibilities of a data owner?
A. Ensuring quality and validation through periodic audits for ongoing data integrity
B. Maintaining fundamental data availability, including data storage and archiving
C. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security
D. Determining the impact the information has on the mission of the organization

QUESTION 11
An organization has doubled in size due to a rapid market share increase. The size of the Information
Technology (IT) sta has maintained pace with this growth. The organization hires several contractors whose
onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and
has a backlog of account management requests.
Which contract is BEST in o loading the task from the IT sta ?
A. Platform as a Service (PaaS)
B. Identity as a Service (IDaaS)
C. Desktop as a Service (DaaS)
D. Software as a Service (SaaS)

QUESTION 12
When implementing a data classification program, why is it important to avoid too much granularity?
A. The process will require too many resources
B. It will be di icult to apply to both hardware and software
C. It will be di icult to assign ownership to the data
D. The process will be perceived as having value

QUESTION 13
In a data classification scheme, the data is owned by the
A. system security managers
B. business managers
C. Information Technology (IT) managers
D. end users

QUESTION 14
Which factors MUST be considered when classifying information and supporting assets for risk management,
legal discovery, and compliance?
A. System owner roles and responsibilities, data handling standards, storage and secure development
lifecycle requirements
B. Data stewardship roles, data handling and storage standards, data lifecycle requirements
C. Compliance o ice roles and responsibilities, classified material handling standards, storage system
lifecycle requirements
D. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements

QUESTION 15
When network management is outsourced to third parties, which of the following is the MOST e ective method
of protecting critical data assets?
A. Log all activities associated with sensitive systems
B. Provide links to security policies
C. Confirm that confidentially agreements are signed
D. Employ strong access controls

QUESTION 16
Which of the following is the MOST appropriate action when reusing media that contains sensitive data?
A. Erase
B. Sanitize
C. Encrypt
D. Degauss

QUESTION 17
An organization recently conducted a review of the security of its network applications. One of the
vulnerabilities found was that the session key used in encrypting sensitive information to a third party server
had been hard-coded in the client and server applications. Which of the following would be MOST e ective in
mitigating this vulnerability?
A. Di le-Hellman (DH) algorithm
B. Elliptic Curve Cryptography (ECC) algorithm
C. Digital Signature algorithm (DSA)
D. Rivest-Shamir-Adleman (RSA) algorithm

QUESTION 18
Which of the following methods of suppressing a fire is environmentally friendly and the MOST appropriate for a
data center?
A. Inert gas fire suppression system
B. Halon gas fire suppression system
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers

QUESTION 19
Unused space in a disk cluster is important in media analysis because it may contain which of the following?

A. Residual data that has not been overwritten
B. Hidden viruses and Trojan horses
C. Information about the File Allocation table (FAT)
D. Information about patches and upgrades to the system

QUESTION 20
Which of the following is MOST appropriate for protecting confidentially of data stored on a hard drive?
A. Triple Data Encryption Standard (3DES)
B. Advanced Encryption Standard (AES)
C. Message Digest 5 (MD5)
D. Secure Hash Algorithm 2(SHA-2)

QUESTION 21
Which of the following is the MOST e ective method to mitigate Cross-Site Scripting (XSS) attacks?
A. Use Software as a Service (SaaS)
B. Whitelist input validation
C. Require client certificates
D. Validate data output

QUESTION 22
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
A. Hashing the data before encryption
B. Hashing the data after encryption
C. Compressing the data after encryption
D. Compressing the data before encryption
QUESTION 23
Who in the organization is accountable for classification of data information assets?
A. Data owner
B. Data architect
C. Chief Information Security O icer (CISO)
D. Chief Information O icer (CIO)

QUESTION 24
The use of private and public encryption keys is fundamental in the implementation of which of the following?

A. Di ie-Hellman algorithm
B. Secure Sockets Layer (SSL)
C. Advanced Encryption Standard (AES)
D. Message Digest 5 (MD5)

QUESTION 25
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?

A. identity provisioning
B. access recovery
C. multi-factor authentication (MFA)
D. user access review

QUESTION 26
A minimal implementation of endpoint security includes which of the following?
A. Trusted platforms
B. Host-based firewalls
C. Token-based authentication
D. Wireless Access Points (AP)

QUESTION 27
Why is planning in Disaster Recovery (DR) an interactive process?
A. It details o -site storage plans
B. It identifies omissions in the plan
C. It defines the objectives of the plan
D. It forms part of the awareness process

QUESTION 28
Mandatory Access Controls (MAC) are based on:
A. security classification and security clearance
B. data segmentation and data classification
C. data labels and user access permissions
D. user roles and data encryption

QUESTION 29
Which security access policy contains fixed security attributes that are used by the system to determine a
user’s access to a file or object?
A. Mandatory Access Control (MAC)
B. Access Control List (ACL)
C. Discretionary Access Control (DAC)
D. Authorized user control

QUESTION 30
Which of the following is a common characteristic of privacy?
A. Provision for maintaining an audit trail of access to the private data
B. Notice to the subject of the existence of a database containing relevant credit card data
C. Process for the subject to inspect and correct personal data on-site
D. Database requirements for integration of privacy data

QUESTION 31
At a MINIMUM, audits of permissions to individual or group accounts should be scheduled
A. annually
B. to correspond with sta promotions
C. to correspond with terminations
D. continually

QUESTION 32
In a change-controlled environment, which of the following is MOST likely to lead to unauthorized changes to
production programs?
A. Modifying source code without approval
B. Promoting programs to production without approval
C. Developers checking out source code without approval
D. Developers using Rapid Application Development (RAD) methodologies without approval

QUESTION 33
Which of the following combinations would MOST negatively a ect availability?
A. Denial of Service (DoS) attacks and outdated hardware
B. Unauthorized transactions and outdated hardware
C. Fire and accidental changes to data
D. Unauthorized transactions and denial of service attacks

QUESTION 34
Which of the following is a responsibility of a data steward?
A. Ensure alignment of the data governance e ort to the organization.
B. Conduct data governance interviews with the organization.
C. Document data governance requirements.
D. Ensure that data decisions and impacts are communicated to the organization.

QUESTION 35
Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach?

A. End-to-end data encryption for data in transit
B. Continuous monitoring of potential vulnerabilities
C. A strong breach notification process
D. Limited collection of individuals’ confidential data

QUESTION 36
What is the MAIN goal of information security awareness and training?
A. To inform users of the latest malware threats
B. To inform users of information assurance responsibilities
C. To comply with the organization information security policy
D. To prepare students for certification

QUESTION 37
Proven application security principles include which of the following?
A. Minimizing attack surface area
B. Hardening the network perimeter
C. Accepting infrastructure security controls
D. Developing independent modules

QUESTION 38
From a security perspective, which of the following assumptions MUST be made about input to an application?
A. It is tested
B. It is logged
C. It is verified
D. It is untrusted

QUESTION 39
What is the PRIMARY goal of fault tolerance?
A. Elimination of single point of failure
B. Isolation using a sandbox
C. Single point of repair
D. Containment to prevent propagation

QUESTION 40
Which of the BEST internationally recognized standard for evaluating security products and systems?
A. Payment Card Industry Data Security Standards (PCI-DSS)
B. Common Criteria (CC)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Sarbanes-Oxley (SOX)

QUESTION 41
Which one of the following data integrity models assumes a lattice of integrity levels?
A. Take-Grant
B. Biba
C. Harrison-Ruzzo
D. Bell-LaPadula

QUESTION 42
Even though a particular digital watermark is di icult to detect, which of the following represents a way it might
still be inadvertently removed?
A. Truncating parts of the data
B. Applying Access Control Lists (ACL) to the data
C. Appending non-watermarked data to watermarked data
D. Storing the data in a database

QUESTION 43
What is the purpose of an Internet Protocol (IP) spoofing attack?
A. To send excessive amounts of data to a process, making it unpredictable
B. To intercept network tra ic without authorization
C. To disguise the destination address from a target’s IP filtering devices
D. To convince a system that it is communicating with a known entity

QUESTION 44
At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN)
located?
A. Link layer
B. Physical layer
C. Session layer
D. Application layer

QUESTION 45
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating
and establishing a connection with another node?
A. Transport layer
B. Application layer
C. Network layer
D. Session layer
QUESTION 46
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
A. Layer 2 Tunneling Protocol (L2TP)
B. Link Control Protocol (LCP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Packet Transfer Protocol (PTP)

QUESTION 47
Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?
A. Packet filtering
B. Port services filtering
C. Content filtering
D. Application access control

QUESTION 48
An external attacker has compromised an organization’s network security perimeter and installed a sni er onto
an inside computer. Which of the following is the MOST e ective layer of security the organization could have
implemented to mitigate the attacker’s ability to gain further information?
A. Implement packet filtering on the network firewalls
B. Install Host Based Intrusion Detection Systems (HIDS)
C. Require strong authentication for administrators
D. Implement logical network segmentation at the switches

QUESTION 49
An input validation and exception handling vulnerability has been discovered on a critical web-based system.
Which of the following is MOST suited to quickly implement a control?
A. Add a new rule to the application layer firewall
B. Block access to the service
C. Install an Intrusion Detection System (IDS)
D. Patch the application source code

QUESTION 50
Which of the following is BEST achieved through the use of eXtensible Access Markup Language (XACML)?
A. Minimize malicious attacks from third parties
B. Manage resource privileges
C. Share digital identities in hybrid cloud
D. Define a standard protocol

QUESTION 51
An organization has discovered that users are visiting unauthorized websites using anonymous proxies. Which
of the following is the BEST way to prevent future occurrences?
A. Remove the anonymity from the proxy
B. Analyze Internet Protocol (IP) tra ic for proxy requests
C. Disable the proxy server on the firewall
D. Block the Internet Protocol (IP) address of known anonymous proxies

QUESTION 52
A post-implementation review has identified that the Voice Over Internet Protocol (VoIP) system was designed
to have gratuitous Address Resolution Protocol (ARP) disabled.
Why did the network architect likely design the VoIP system with gratuitous ARP disabled?
A. Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.
B. Gratuitous ARP requires the use of insecure layer 3 protocols.
C. Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone.
D. Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack.

QUESTION 53
Within the company, desktop clients receive Internet Protocol (IP) address over Dynamic Host Configuration
Protocol (DHCP). Which of the following represents a valid measure to help protect the network against
unauthorized access?
A. Implement path management
B. Implement port based security through 802.1x
C. Implement DHCP to assign IP address to server systems
D. Implement change management

QUESTION 54
Transport Layer Security (TLS) provides which of the following capabilities for a remote access server?
A. Transport layer handshake compression
B. Application layer negotiation
C. Peer identity authentication
D. Digital certificate revocation

QUESTION 55
What does a Synchronous (SYN) flood attack do?
A. Forces Transmission Control Protocol /Internet Protocol (TCP/IP) connections into a reset state
B. Establishes many new Transmission Control Protocol / Internet Protocol (TCP/IP) connections
C. Empties the queue of pending Transmission Control Protocol /Internet Protocol (TCP/IP) requests
D. Exceeds the limits for new Transmission Control Protocol /Internet Protocol (TCP/IP) connections

QUESTION 56
A Denial of Service (DoS) attack on a syslog server exploits weakness in which of the following protocols?
A. Point-to-Point Protocol (PPP) and Internet Control Message Protocol (ICMP)
B. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
C. Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP)
D. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

QUESTION 57
In a High Availability (HA) environment, what is the PRIMARY goal of working with a virtual router address as the
gateway to a network?
A. The second of two routers can periodically check in to make sure that the first router is operational.
B. The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is
present.
C. The first of two routers fails and is reinstalled, while the second handles the tra ic flawlessly.
D. The first of two routers can better handle specific tra ic, while the second handles the rest of the tra ic
seamlessly.

QUESTION 58
The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data
A. through a firewall at the Session layer
B. through a firewall at the Transport layer
C. in the Point-to-Point Protocol (PPP)
D. in the Payload Compression Protocol (PCP)

QUESTION 59
What protocol is often used between gateway hosts on the Internet?
A. Exterior Gateway Protocol (EGP)
B. Border Gateway Protocol (BGP)
C. Open Shortest Path First (OSPF)
D. Internet Control Message Protocol (ICMP)

QUESTION 60
From a security perspective, which of the following is a best practice to configure a Domain Name Service
(DNS) system?
A. Disable all recursive queries on the name servers
B. Limit zone transfers to authorized devices
C. Configure secondary servers to use the primary server as a zone forwarder
D. Block all Transmission Control Protocol (TCP) connections

QUESTION 61
“Stateful” di ers from “Static” packet filtering firewalls by being aware of which of the following?
A. Di erence between a new and an established connection
B. Originating network location
C. Di erence between a malicious and a benign packet payload
D. Originating application session

QUESTION 62
Access to which of the following is required to validate web session management?
A. Log timestamp
B. Live session tra ic
C. Session state variables
D. Test scripts

QUESTION 63
Which of the following would an attacker BEST be able to accomplish through the use of Remote Access Tools
(RAT)?
A. Reduce the probability of identification
B. Detect further compromise of the target
C. Destabilize the operation of the host
D. Maintain and expand control

QUESTION 64
Digital certificates used in Transport Layer Security (TLS) support which of the following?
A. Information input validation
B. Non-repudiation controls and data encryption
C. Multi-Factor Authentication (MFA)
D. Server identity and data confidentially

QUESTION 65
A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20
di erent supplier companies. Which of the following is the BEST solution for the manufacturing organization?

A. Trusted third-party certification
B. Lightweight Directory Access Protocol (LDAP)
C. Security Assertion Markup language (SAML)
D. Cross-certification

QUESTION 66
Users require access rights that allow them to view the average salary of groups of employees. Which control
would prevent the users from obtaining an individual employee’s salary?
A. Limit access to predefined queries
B. Segregate the database into a small number of partitions each with a separate security level
C. Implement Role Based Access Control (RBAC)
D. Reduce the number of people who have access to the system for statistical purposes

QUESTION 67
What is the second step in the identity and access provisioning lifecycle?
A. Provisioning
B. Review
C. Approval
D. Revocation
QUESTION 68
Which of the following MUST be scalable to address security concerns raised by the integration of third-party
identity services?
A. Mandatory Access Controls (MAC)
B. Enterprise security architecture
C. Enterprise security procedures
D. Role Based Access Controls (RBAC)

QUESTION 69
Which of the following is of GREATEST assistance to auditors when reviewing system configurations?
A. Change management processes
B. User administration procedures
C. Operating System (OS) baselines
D. System backup documentation

QUESTION 70
In which of the following programs is it MOST important to include the collection of security process data?
A. Quarterly access reviews
B. Security continuous monitoring
C. Business continuity testing
D. Annual security training

QUESTION 71
A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What
MUST an administrator review to audit a user’s access to data files?
A. Host VM monitor audit logs
B. Guest OS access controls
C. Host VM access controls
D. Guest OS audit logs

QUESTION 72
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

A. Executive audiences will understand the outcomes of testing and most appropriate next steps for
corrective actions to be taken
B. Technical teams will understand the testing objectives, testing strategies applied, and business risk
associated with each vulnerability
C. Management teams will understand the testing objectives and reputational risk to the organization
D. Technical and management teams will better understand the testing objectives, results of each test
phase, and potential impact levels

QUESTION 73
Which of the following could cause a Denial of Service (DoS) against an authentication system?
A. Encryption of audit logs
B. No archiving of audit logs
C. Hashing of audit logs
D. Remote access audit logs

QUESTION 74
When designing a vulnerability test, which one of the following is likely to give the BEST indication of what
components currently operate on the network?
A. Ping testing
B. Mapping tools
C. Asset register
D. Topology diagrams

QUESTION 75
Which of the following would BEST support e ective testing of patch compatibility when patches are applied to
an organization’s systems?
A. Standardized configurations for devices
B. Standardized patch testing equipment
C. Automated system patching
D. Management support for patching

QUESTION 76
An international medical organization with headquarters in the United States (US) and branches in France
wants to test a drug in both countries. What is the organization allowed to do with the test subject’s data?
A. Aggregate it into one database in the US
B. Process it in the US, but store the information in France
C. Share it with a third party
D. Anonymize it and process it in the US

QUESTION 77
As part of an application penetration testing process, session hijacking can BEST be achieved by which of the
following?
A. Known-plaintext attack
B. Denial of Service (DoS)
C. Cookie manipulation
D. Structured Query Language (SQL) injection

QUESTION 78
Assessing a third party’s risk by counting bugs in the code may not be the best measure of an attack surface
within the supply chain. Which of the following is LEAST associated with the attack surface?
A. Input protocols
B. Target processes
C. Error messages
D. Access rights

QUESTION 79
What are the steps of a risk assessment?
A. identification, analysis, evaluation
B. analysis, evaluation, mitigation
C. classification, identification, risk management
D. identification, evaluation, mitigation

QUESTION 80
After following the processes defined within the change management plan, a super user has upgraded a device
within an Information system. What step would be taken to ensure that the upgrade did NOT a ect the network
security posture?
A. Conduct an Assessment and Authorization (A&A)
B. Conduct a security impact analysis
C. Review the results of the most recent vulnerability scan
D. Conduct a gap analysis with the baseline configuration

QUESTION 81
A vulnerability assessment report has been submitted to a client. The client indicates that one third of the hosts
that were in scope are missing from the report. In which phase of the assessment was this error MOST likely
made?
A. Enumeration
B. Reporting
C. Detection
D. Discovery

QUESTION 82
Which of the following is a responsibility of the information owner?
A. Ensure that users and personnel complete the required security training to access the Information
System (IS)
B. Defining proper access to the Information System (IS), including privileges or access rights
C. Managing identification, implementation, and assessment of common security controls
D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

QUESTION 83
An organization is found lacking the ability to properly establish performance indicators for its Web hosting
solution during an audit. What would be the MOST probable cause?
A. Absence of a Business Intelligence (BI) solution
B. Inadequate cost modeling
C. Improper deployment of the Service-Oriented Architecture (SOA)
D. Insu icient Service Level Agreement (SLA)

QUESTION 84
Which of the following types of business continuity tests includes assessment of resilience to internal and
external risks without endangering live operations?
A. Walkthrough
B. Simulation
C. Parallel
D. White box

QUESTION 85
What is the PRIMARY reason for implementing change management?
A. Certify and approve releases to the environment
B. Provide version rollbacks for system changes
C. Ensure that all applications are approved
D. Ensure accountability for changes to the environment

QUESTION 86
Which of the following is a PRIMARY advantage of using a third-party identity service?
A. Consolidation of multiple providers
B. Directory synchronization
C. Web based logon
D. Automated account management

QUESTION 87
With what frequency should monitoring of a control occur when implementing Information Security
Continuous Monitoring (ISCM) solutions?
A. Continuously without exception for all security controls
B. Before and after each change of the control
C. At a rate concurrent with the volatility of the security control
D. Only during system implementation and decommissioning

QUESTION 88
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?
A. Guaranteed recovery of all business functions
B. Minimization of the need decision making during a crisis
C. Insurance against litigation following a disaster
D. Protection from loss of organization resources

QUESTION 89
When is a Business Continuity Plan (BCP) considered to be valid?
A. When it has been validated by the Business Continuity (BC) manager
B. When it has been validated by the board of directors
C. When it has been validated by all threat scenarios
D. When it has been validated by realistic exercises

QUESTION 90
Recovery strategies of a Disaster Recovery planning (DRIP) MUST be aligned with which of the following?
A. Hardware and software compatibility issues
B. Applications’ critically and downtime tolerance
C. Budget constraints and requirements
D. Cost/benefit analysis and business objectives

QUESTION 91
What would be the MOST cost e ective solution for a Disaster Recovery (DR) site given that the organization’s
systems cannot be unavailable for more than 24 hours?
A. Warm site
B. Hot site
C. Mirror site
D. Cold site

QUESTION 92
Who is accountable for the information within an Information System (IS)?
A. Security manager
B. System owner
C. Data owner
D. Data processor

QUESTION 93
A Security Operations Center (SOC) receives an incident response notification on a server with an active
intruder who has planted a backdoor. Initial notifications
are sent and communications are established.
What MUST be considered or evaluated before performing the next step?
A. Notifying law enforcement is crucial before hashing the contents of the server hard drive
B. Identifying who executed the incident is more important than how the incident happened
C. Removing the server from the network may prevent catching the intruder
D. Copying the contents of the hard drive to another storage device may damage the evidence

QUESTION 94
Due to system constraints, a group of system administrators must share a high-level access set of credentials.
Which of the following would be MOST appropriate to implement?
A. Increased console lockout times for failed logon attempts
B. Reduce the group in size
C. A credential check-out process for a per-use basis
D. Full logging on a ected systems

QUESTION 95
Which of the following is the MOST e icient mechanism to account for all sta during a speedy non-emergency
evacuation from a large security facility?
A. Large mantrap where groups of individuals leaving are identified using facial recognition technology
B. Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exit
door
C. Emergency exits with push bars with coordinates at each exit checking o the individual against a
predefined list
D. Card-activated turnstile where individuals are validated upon exit

QUESTION 96
What does electronic vaulting accomplish?
A. It protects critical files.
B. It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems
C. It stripes all database records
D. It automates the Disaster Recovery Process (DRP)

QUESTION 97
A security analyst for a large financial institution is reviewing network tra ic related to an incident. The analyst
determines the tra ic is irrelevant to the investigation but in the process of the review, the analyst also finds
that an applications data, which included full credit card cardholder data, is transferred in clear text between
the server and user’s desktop. The analyst knows this violates the Payment Card Industry Data Security
Standard (PCI-DSS). Which of the following is the analyst’s next step?
A. Send the log file co-workers for peer review
B. Include the full network tra ic logs in the incident report
C. Follow organizational processes to alert the proper teams to address the issue.
D. Ignore data as it is outside the scope of the investigation and the analyst’s role.

QUESTION 98
What is the MAIN purpose of a change management policy?
A. To assure management that changes to the Information Technology (IT) infrastructure are necessary
B. To identify the changes that may be made to the Information Technology (IT) infrastructure
C. To verify that changes to the Information Technology (IT) infrastructure are approved
D. To determine the necessary for implementing modifications to the Information Technology (IT)
infrastructure

QUESTION 99
Which of the following is the PRIMARY risk with using open source software in a commercial software
construction?
A. Lack of software documentation
B. License agreements requiring release of modified code
C. Expiration of the license agreement
D. Costs associated with support of the software

QUESTION 100
The configuration management and control task of the certification and accreditation process is incorporated
in which phase of the System Development Life Cycle (SDLC)?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation

QUESTION 101
What is the BEST approach to addressing security issues in legacy web applications?
A. Debug the security issues
B. Migrate to newer, supported applications where possible
C. Conduct a security assessment
D. Protect the legacy application with a web application firewall

QUESTION 102
Which of the following is a web application control that should be put into place to prevent exploitation of
Operating System (OS) bugs?
A. Check arguments in function calls
B. Test for the security patch level of the environment
C. Include logging functions
D. Digitally sign each application module

QUESTION 103
An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects
a flood of malformed packets. Which of the
following BEST describes what has occurred?
A. Denial of Service (DoS) attack
B. Address Resolution Protocol (ARP) spoof
C. Bu er overflow
D. Ping flood attack

QUESTION 104
Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create
information leakage?
A. Transference
B. Covert channel
C. Bleeding
D. Cross-talk

QUESTION 105
What is an advantage of Elliptic Curve Cryptography (ECC)?
A. Cryptographic approach that does not require a fixed-length key
B. Military-strength security that does not depend upon secrecy of the algorithm
C. Opportunity to use shorter keys for the same level of security
D. Ability to use much longer keys for greater security

QUESTION 106
Backup information that is critical to the organization is identified through a
A. Vulnerability Assessment (VA).
B. Business Continuity Plan (BCP).
C. Business Impact Analysis (BIA).
D. data recovery analysis.

QUESTION 107
When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the
GRE header inserted?
A. Into the options field
B. Between the delivery header and payload
C. Between the source and destination addresses
D. Into the destination address

QUESTION 108
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a
hardware and software inventory?
A. Calculate the value of assets being accredited.
B. Create a list to include in the Security Assessment and Authorization package.
C. Identify obsolete hardware and software.
D. Define the boundaries of the information system.

QUESTION 109
When evaluating third-party applications, which of the following is the GREATEST responsibility of Information
Security?
A. Accept the risk on behalf of the organization.
B. Report findings to the business to determine security gaps.
C. Quantify the risk to the business for product selection.
D. Approve the application that best meets security requirements.

QUESTION 110
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
A. Cost e ectiveness of business recovery
B. Cost e ectiveness of installing software security patches
C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD)
D. Which security measures should be implemented
QUESTION 111
An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the
following is a PRIMARY security concern?
A. Ownership
B. Confidentiality
C. Availability
D. Integrity

QUESTION 112
What does the Maximum Tolerable Downtime (MTD) determine?
A. The estimated period of time a business critical database can remain down before customers are
a ected.
B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning
C. The estimated period of time a business can remain interrupted beyond which it risks never recovering
D. The fixed length of time in a DR process before redundant systems are engaged

QUESTION 113
What is a characteristic of Secure Sockets Layer (SSL) and Transport Layer Security (TLS)?
A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol
(TCP).
B. SSL and TLS provide nonrepudiation by default.
C. SSL and TLS do not provide security for most routed protocols.
D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).

QUESTION 114
How does a Host Based Intrusion Detection System (HIDS) identify a potential attack?
A. Examines log messages or other indications on the system.
B. Monitors alarms sent to the system administrator
C. Matches tra ic patterns to virus signature files
D. Examines the Access Control List (ACL)

QUESTION 115
Which of the following BEST represents the concept of least privilege?
A. Access to an object is denied unless access is specifically allowed.
B. Access to an object is only available to the owner.
C. Access to an object is allowed unless it is protected by the information security policy.
D. Access to an object is only allowed to authenticated users via an Access Control List (ACL).

QUESTION 116
Which of the following is an advantage of on-premise Credential Management Systems?
A. Lower infrastructure capital costs
B. Control over system configuration
C. Reduced administrative overhead
D. Improved credential interoperability

QUESTION 117
Which of the following approaches is the MOST e ective way to dispose of data on multiple hard drives?
A. Delete every file on each drive.
B. Destroy the partition table for each drive using the command line.
C. Degauss each drive individually.
D. Perform multiple passes on each drive using approved formatting methods.

QUESTION 118
Which of the following BEST describes Recovery Time Objective (RTO)?
A. Time of application resumption after disaster
B. Time of application verification after disaster.
C. Time of data validation after disaster.
D. Time of data restoration from backup after disaster.

QUESTION 119
The PRIMARY purpose of accreditation is to:
A. comply with applicable laws and regulations.
B. allow senior management to make an informed decision regarding whether to accept the risk of
operating the system.
C. protect an organization’s sensitive data.
D. verify that all security controls have been implemented properly and are operating in the correct
manner.

QUESTION 120
Which of the following is a weakness of Wired Equivalent Privacy (WEP)?
A. Length of Initialization Vector (IV)
B. Protection against message replay
C. Detection of message tampering
D. Built-in provision to rotate keys

QUESTION 121
Which of the following is the MAIN reason for using configuration management?
A. To provide centralized administration
B. To reduce the number of changes
C. To reduce errors during upgrades
D. To provide consistency in security controls

QUESTION 122
Which of the following is MOST important when deploying digital certificates?
A. Validate compliance with X.509 digital certificate standards
B. Establish a certificate life cycle management framework
C. Use a third-party Certificate Authority (CA)
D. Use no less than 256-bit strength encryption when creating a certificate

QUESTION 123
A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A
Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the
administrator should take?
A. Administrator should request data owner approval to the user access
B. Administrator should request manager approval for the user access
C. Administrator should directly grant the access to the non-sensitive files
D. Administrator should assess the user access need and either grant or deny the access

QUESTION 124
A proxy firewall operates at what layer of the Open System Interconnection (OSI) model?
A. Transport
B. Data link
C. Network
D. Application

QUESTION 125
Which of the following restricts the ability of an individual to carry out all the steps of a particular process?
A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacations

QUESTION 126
Although code using a specific program language may not be susceptible to a bu er overflow attack,
A. most calls to plug-in programs are susceptible.
B. most supporting application code is susceptible.
C. the graphical images used by the application could be susceptible.
D. the supporting virtual machine could be susceptible.

QUESTION 127
What is the BEST way to encrypt web application communications?
A. Secure Hash Algorithm 1 (SHA-1)
B. Secure Sockets Layer (SSL)
C. Cipher Block Chaining Message Authentication Code (CBC-MAC)
D. Transport Layer Security (TLS)

QUESTION 128
Which of the following are e ective countermeasures against passive network-layer attacks?
A. Federated security and authenticated access controls
B. Trusted software development and run time integrity controls
C. Encryption and security enabled applications
D. Enclave boundary protection and computing environment defense

QUESTION 129
What is the MOST important element when considering the e ectiveness of a training program for Business
Continuity (BC) and Disaster Recovery (DR)?
A. Management support
B. Consideration of organizational need
C. Technology used for delivery
D. Target audience

QUESTION 130
A database administrator is asked by a high-ranking member of management to perform specific changes to
the accounting system database. The administrator is specifically instructed to not track or evidence the
change in a ticket. Which of the following is the BEST course of action?
A. Ignore the request and do not perform the change.
B. Perform the change as requested, and rely on the next audit to detect and report the situation.
C. Perform the change, but create a change ticket regardless to ensure there is complete traceability.
D. Inform the audit committee or internal audit directly using the corporate whistleblower process.

QUESTION 131
Which of the following is the MOST important goal of information asset valuation?
A. Developing a consistent and uniform method of controlling access on information assets
B. Developing appropriate access control policies and guidelines
C. Assigning a financial value to an organization’s information assets
D. Determining the appropriate level of protection

QUESTION 132
Which of the following BEST describes a chosen plaintext attack?
A. The cryptanalyst can generate ciphertext from arbitrary text.
B. The cryptanalyst examines the communication being sent back and forth.
C. The cryptanalyst can choose the key and algorithm to mount the attack.
D. The cryptanalyst is presented with the ciphertext from which the original message is determined.

QUESTION 133
For network based evidence, which of the following contains tra ic details of all network sessions in order to
detect anomalies?
A. Alert data
B. User data
C. Content data
D. Statistical data
QUESTION 134
The PRIMARY outcome of a certification process is that it provides documented
A. interconnected systems and their implemented security controls.
B. standards for security assessment, testing, and process evaluation.
C. system weakness for remediation.
D. security analyses needed to make a risk-based decision.

QUESTION 135
A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This
indicates that which of the following properties are being prioritized?
A. Confidentiality
B. Integrity
C. Availability
D. Accessibility
Explanation:
Mandatory Access Control (MAC) is system-enforced access control based on a subject’s clearance and an
object’s labels. Subjects and Objects have clearances and labels, respectively, such as confidential, secret,
and top secret. A subject may access an object only if the subject’s clearance is equal to or greater than the
object’s label. Subjects cannot share objects with other subjects who lack the proper clearance, or “write
down” objects to a lower classification level (such as from top secret to secret). MAC systems are usually
focused on preserving the confidentiality of data.

QUESTION 136
A vulnerability in which of the following components would be MOST di icult to detect?
A. Kernel
B. Shared libraries
C. Hardware
D. System application

QUESTION 137
During which of the following processes is least privilege implemented for a user account?
A. Provision
B. Approve
C. Request
D. Review

QUESTION 138
Which of the following is a document that identifies each item seized in an investigation, including date and
time seized, full name and signature or initials of the person who seized the item, and a detailed description of
the item?
A. Property book
B. Chain of custody form
C. Search warrant return
D. Evidence tag

QUESTION 139
Which of the following is needed to securely distribute symmetric cryptographic keys?
A. O icially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates
B. O icially approved and compliant key management technology and processes
C. An organizationally approved communication protection policy and key management plan
D. Hardware tokens that protect the user’s private key.

QUESTION 140
Reciprocal backup site agreements are considered to be
A. a better alternative than the use of warm sites.
B. di icult to test for complex systems.
C. easy to implement for similar types of organizations.
D. easy to test and implement for complex systems.

QUESTION 141
In order to assure authenticity, which of the following are required?
A. Confidentiality and authentication
B. Confidentiality and integrity
C. Authentication and non-repudiation
D. Integrity and non-repudiation

QUESTION 142
At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a
datagram handled?
A. Transport Layer
B. Data-Link Layer
C. Network Layer
D. Application Layer

QUESTION 143
An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be
covered for the test to be e ective?
A. Third-party vendor with access to the system
B. System administrator access compromised
C. Internal attacker with access to the system
D. Internal user accidentally accessing data

QUESTION 144
A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions:
Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In
which of the following the controls categories does this company need to improve when analyzing its processes
individually?
A. Asset Management, Business Environment, Governance and Risk Assessment
B. Access Control, Awareness and Training, Data Security and Maintenance
C. Anomalies and Events, Security Continuous Monitoring and Detection Processes
D. Recovery Planning, Improvements and Communications

QUESTION 145
What is the di erence between media marking and media labeling?
A. Media marking refers to the use of human-readable security attributes, while media labeling refers to
the use of security attributes in internal data structures.
B. Media labeling refers to the use of human-readable security attributes, while media marking refers to
the use of security attributes in internal data structures.
C. Media labeling refers to security attributes required by public policy/law, while media marking refers to
security required by internal organizational policy.
D. Media marking refers to security attributes required by public policy/law, while media labeling refers to
security attributes required by internal organizational policy.

QUESTION 146
What balance MUST be considered when web application developers determine how informative application
error messages should be constructed?
A. Risk versus benefit
B. Availability versus auditability
C. Confidentiality versus integrity
D. Performance versus user satisfaction

QUESTION 147
What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
A. Information security practitioner
B. Information librarian
C. Computer operator
D. Network administrator

QUESTION 148
In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN
purpose of the DMZ?
A. Reduced risk to internal systems.
B. Prepare the server for potential attacks.
C. Mitigate the risk associated with the exposed server.
D. Bypass the need for a firewall.

QUESTION 149
Network-based logging has which advantage over host-based logging when reviewing malicious activity about a
victim machine?
A. Addresses and protocols of network-based logs are analyzed.
B. Host-based system logging has files stored in multiple locations.
C. Properly handled network-based logs may be more reliable and valid.
D. Network-based systems cannot capture users logging into the console.

QUESTION 150
Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a
communications device?
A. Transport and Session
B. Data-Link and Transport
C. Network and Session
D. Physical and Data-Link

QUESTION 151
Which type of security testing is being performed when an ethical hacker has no knowledge about the target
system but the testing target is notified before the test?
A. Reversal
B. Gray box
C. Blind
D. White box

QUESTION 152
Which of the following countermeasures is the MOST e ective in defending against a social engineering attack?

A. Mandating security policy acceptance
B. Changing individual behavior
C. Evaluating security awareness training
D. Filtering malicious e-mail content

QUESTION 153
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach
should be followed to determine and maintain ownership information to bring the company into compliance?

A. Enterprise asset management framework
B. Asset baseline using commercial o the shelf software
C. Asset ownership database using domain login records
D. A script to report active user logins on assets

QUESTION 154
In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a
critical part of
A. systems integration.
B. risk management.
C. quality assurance.
D. change management.

QUESTION 155
As a best practice, the Security Assessment Report (SAR) should include which of the following sections?
A. Data classification policy
B. Software and hardware inventory
C. Remediation recommendations
D. Names of participants

QUESTION 156
Which of the following media sanitization techniques is MOST likely to be e ective for an organization using
public cloud services?
A. Low-level formatting
B. Secure-grade overwrite erasure
C. Cryptographic erasure
D. Drive degaussing

QUESTION 157
What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?
A. Radio Frequency (RF) attack
B. Denial of Service (DoS) attack
C. Data modification attack
D. Application-layer attack

QUESTION 158
Which of the following is a remote access protocol that uses a static authentication?
A. Point-to-Point Tunneling Protocol (PPTP)
B. Routing Information Protocol (RIP)
C. Password Authentication Protocol (PAP)
D. Challenge Handshake Authentication Protocol (CHAP)

QUESTION 159
Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive
controls or detected by monitoring?
A. Logging and audit trail controls to enable forensic analysis
B. Security incident response lessons learned procedures
C. Security event alert triage done by analysts using a Security Information and Event Management (SIEM)
system
D. Transactional controls focused on fraud prevention

QUESTION 160
Determining outage costs caused by a disaster can BEST be measured by the
A. cost of redundant systems and backups.
B. cost to recover from an outage.
C. overall long-term impact of the outage.
D. revenue lost during the outage.

QUESTION 161
Which of the following is considered a secure coding practice?
A. Use concurrent access for shared variables and resources
B. Use checksums to verify the integrity of libraries
C. Use new code for common tasks
D. Use dynamic execution functions to pass user supplied data
QUESTION 162
As part of the security assessment plan, the security professional has been asked to use a negative testing
strategy on a new website. Which of the following actions would be performed?
A. Use a web scanner to scan for vulnerabilities within the website.
B. Perform a code review to ensure that the database references are properly addressed.
C. Establish a secure connection to the web server to validate that only the approved ports are open.
D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

QUESTION 163
Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals?
A. Senior management
B. Information security department
C. Audit committee
D. All users

QUESTION 164
Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise,
occupied environment?
A. Acoustic sensor
B. Motion sensor
C. Shock sensor
D. Photoelectric sensor

QUESTION 165
Which of the following is the MOST e ective practice in managing user accounts when an employee is
terminated?
A. Implement processes for automated removal of access for terminated employees.
B. Delete employee network and system IDs upon termination.
C. Manually remove terminated employee user-access to all systems and applications.
D. Disable terminated employee network ID to remove all access.

QUESTION 166
Which of the following is the MOST important part of an awareness and training plan to prepare employees for
emergency situations?
A. Having emergency contacts established for the general employee population to get information
B. Conducting business continuity and disaster recovery training for those who have a direct role in the
recovery
C. Designing business continuity and disaster recovery training programs for di erent audiences
D. Publishing a corporate business continuity and disaster recovery plan on the corporate website

QUESTION 167
What is the process of removing sensitive data from a system or storage device with the intent that the data
cannot be reconstructed by any known technique?
A. Purging
B. Encryption
C. Destruction
D. Clearing

QUESTION 168
Which one of the following considerations has the LEAST impact when considering transmission security?
A. Network availability
B. Node locations
C. Network bandwidth
D. Data integrity

QUESTION 169
The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end
of which phase?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation

QUESTION 170
Which of the following is the BEST reason for the use of security metrics?
A. They ensure that the organization meets its security objectives.
B. They provide an appropriate framework for Information Technology (IT) governance.
C. They speed up the process of quantitative risk assessment.
D. They quantify the e ectiveness of security processes.

QUESTION 171
Which of the following are important criteria when designing procedures and acceptance criteria for acquired
software?
A. Code quality, security, and origin
B. Architecture, hardware, and firmware
C. Data quality, provenance, and scaling
D. Distributed, agile, and bench testing

QUESTION 172
An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will
provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary
losses?
A. The Data Protection Authority (DPA)
B. The Cloud Service Provider (CSP)
C. The application developers
D. The data owner

QUESTION 173
What capability would typically be included in a commercially available software package designed for access
control?
A. Password encryption
B. File encryption
C. Source library control
D. File authentication

QUESTION 174
An organization plan on purchasing a custom software product developed by a small vendor to support its
business model.
Which unique consideration should be made part of the contractual agreement potential long-term risks
associated with creating this dependency?
A. A source code escrow clause
B. Right to request an independent review of the software source code
C. Due diligence form requesting statements of compliance with security requirements
D. Access to the technical documentation

QUESTION 175
Which of the following is the MOST important security goal when performing application interface testing?
A. Confirm that all platforms are supported and function properly
B. Evaluate whether systems or components pass data and control correctly to one another
C. Verify compatibility of software, hardware, and network connections
D. Examine error conditions related to external interfaces to prevent application details leakage

QUESTION 176
Which of the following is the MOST common method of memory protection?
A. Compartmentalization
B. Segmentation
C. Error correction
D. Virtual Local Area Network (VLAN) tagging

QUESTION 177
Which of the following is the MOST important output from a mobile application threat modeling exercise
according to Open Web Application Security Project (OWASP)?
A. The likelihood and impact of a vulnerability
B. Application interface entry and endpoints
C. Countermeasures and mitigations for vulnerabilities
D. A data flow diagram for the application and attack surface analysis

QUESTION 178
Continuity of operations is BEST supported by which of the following?
A. Confidentiality, availability, and reliability
B. Connectivity, reliability, and redundancy
C. Connectivity, reliability, and recovery
D. Confidentiality, integrity, and availability

QUESTION 179
Which of the following is true of Service Organization Control (SOC) reports?
A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization’s
controls
B. SOC 2 Type 2 reports include information of interest to the service organization’s management
C. SOC 2 Type 2 reports assess internal controls for financial reporting
D. SOC 3 Type 2 reports assess internal controls for financial reporting

QUESTION 180
What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities?
A. Manual inspections and reviews
B. Penetration testing
C. Threat modeling
D. Source code review

QUESTION 181
Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer
Security (SSL/TLS) for implementing network security?
A. Peer authentication
B. Payload data encryption
C. Session encryption
D. Hashing digest

QUESTION 182
What is the MOST common component of a vulnerability management framework?
A. Risk analysis
B. Patch management
C. Threat analysis
D. Backup management

QUESTION 183
A new Chief Information O icer (CIO) created a group to write a data retention policy based on applicable laws.
Which of the following is the PRIMARY motivation for the policy?
A. To back up data that is used on a daily basis
B. To dispose of data in order to limit liability
C. To reduce costs by reducing the amount of retained data
D. To classify data according to what it contains

QUESTION 184
What determines the level of security of a combination lock?
A. Complexity of combination required to open the lock
B. Amount of time it takes to brute force the combination
C. The number of barrels associated with the internal mechanism
D. The hardness score of the metal lock material

QUESTION 185
A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the
following is the MOST likely reason for doing so?
A. It verifies the integrity of the file.
B. It checks the file for malware.
C. It ensures the entire file downloaded.
D. It encrypts the entire file.

QUESTION 186
Which of the following is held accountable for the risk to organizational systems and data that result from
outsourcing Information Technology (IT) systems and services?
A. The acquiring organization
B. The service provider
C. The risk executive (function)
D. The IT manager

QUESTION 187
Which of the following is a process in the access provisioning lifecycle that will MOST likely identify access
aggregation issues?
A. Test
B. Assessment
C. Review
D. Peer review

QUESTION 188
Which of the following is the PRIMARY reason a sni er operating on a network is collecting packets only from its
own host?
A. An Intrusion Detection System (IDS) has dropped the packets.
B. The network is connected using switches.
C. The network is connected using hubs.
D. The network’s firewall does not allow sni ing.

QUESTION 189
Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject
within di erent execution domains?
A. Process isolation
B. Data hiding and abstraction
C. Use of discrete layering and Application Programming Interfaces (API)
D. Virtual Private Network (VPN)

QUESTION 190
Once the types of information have been identified, who should an information security practitioner work with
to ensure that the information is properly categorized?
A. Information Owner (IO)
B. System Administrator
C. Business Continuity (BC) Manager
D. Chief Information O icer (CIO)
QUESTION 191
What should be the FIRST action for a security administrator who detects an intrusion on the network based on
precursors and other indicators?
A. Isolate and contain the intrusion.
B. Notify system and application owners.
C. Apply patches to the Operating Systems (OS).
D. Document and verify the intrusion.

QUESTION 192
Which of the following needs to be taken into account when assessing vulnerability?
A. Risk identification and validation
B. Threat mapping
C. Risk acceptance criteria
D. Safeguard selection

QUESTION 193
For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?

A. Network architecture
B. Integrity
C. Identity Management (IdM)
D. Confidentiality management

QUESTION 194
Which of the following is MOST e ective in detecting information hiding in Transmission Control
Protocol/Internet Protocol (TCP/IP) tra ic?
A. Packet-filter firewall
B. Content-filtering web proxy
C. Stateful inspection firewall
D. Application-level firewall

QUESTION 195
An application team is running tests to ensure that user entry fields will not accept invalid input of any length.
What type of negative testing is this an example of?
A. Reasonable data
B. Population of required fields
C. Allowed number of characters
D. Session testing

QUESTION 196
An Internet software application requires authentication before a user is permitted to utilize the resource.
Which testing scenario BEST validates the functionality of the application?
A. Reasonable data testing
B. Input validation testing
C. Web session testing
D. Allowed data bounds and limits testing

QUESTION 197
Which of the following techniques BEST prevents bu er overflows?
A. Boundary and perimeter o set
B. Character set encoding
C. Code auditing
D. Variant type and bit length
Explanation:
Some products installed on systems can also watch for input values that might result in bu er overflows, but
the best countermeasure is proper programming. This means use bounds checking. If an input value is only
sup-posed to be nine characters, then the application should only accept nine characters and no more. Some
languages are more susceptible to bu er overflows than others, so programmers should understand these
issues, use the right languages for the right purposes, and carry out code review to identify bu er overflow
vulnerabilities.

QUESTION 198
A security architect is responsible for the protection of a new home banking system. Which of the following
solutions can BEST improve the confidentiality and integrity of this external system?
A. Intrusion Prevention System (IPS)
B. Denial of Service (DoS) protection solution
C. One-time Password (OTP) token
D. Web Application Firewall (WAF)

QUESTION 199
What principle requires that changes to the plaintext a ect many parts of the ciphertext?
A. Encapsulation
B. Permutation
C. Di usion
D. Obfuscation
Explanation:
Di usion, on the other hand, means that a single plaintext bit has influence over several of the ciphertext bits.
Changing a plaintext value should change many ciphertext values, not just one. In fact, in a strong block cipher,
if one plaintext bit is changed, it will change every ciphertext bit with the probability of 50 percent. This means
that if one plaintext bit changes, then about half of the ciphertext bits will change.

QUESTION 200
Which of the following BEST describes how access to a system is granted to federated user accounts?
A. With the federation assurance level
B. Based on defined criteria by the Relying Party (RP)
C. Based on defined criteria by the Identity Provider (IdP)
D. With the identity assurance level

QUESTION 201
A development operations team would like to start building new applications delegating the cybersecurity
responsibility as much as possible to the service provider. Which of the following environments BEST fits their
need?
A. Cloud Virtual Machines (VM)
B. Cloud application container within a Virtual Machine (VM)
C. On premises Virtual Machine (VM)
D. Self-hosted Virtual Machine (VM)

QUESTION 202
Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?
A. The criteria for measuring risk is defined.
B. User populations to be assigned to each role is determined.
C. Role mining to define common access patterns is performed.
D. The foundational criteria are defined.

QUESTION 203
Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in
prioritizing remediation activities?
A. Definitions for each exposure type
B. Vulnerability attack vectors
C. Asset values for networks
D. Exploit code metrics

QUESTION 204
Which of the following Service Organization Control (SOC) report types should an organization request if they
require a period of time report covering security and availability for a particular system?
A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2 Type 1
D. SOC 2 Type 2

QUESTION 205
Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the
following?
A. Personal belongings of organizational sta members
B. Supplies kept o -site at a remote facility
C. Cloud-based applications
D. Disaster Recovery (DR) line-item revenues

QUESTION 206
What is the best way for mutual authentication of devices belonging to the same organization?
A. Token
B. Certificates
C. User ID and passwords
D. Biometric

QUESTION 207
A financial company has decided to move its main business application to the Cloud. The legal department
objects, arguing that the move of the platform should comply with several regulatory obligations such as the
General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security O icer (CISO)
says that the cloud provider has met all regulations requirements and even provides its own encryption
solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the
legal requirements in this situation?
A. No, because the encryption solution is internal to the cloud provider.
B. Yes, because the cloud provider meets all regulations requirements.
C. Yes, because the cloud provider is GDPR compliant.
D. No, because the cloud provider is not certified to host government data.

QUESTION 208
Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?
A. Data at rest protection
B. Transport Layer Security (TLS)
C. Role Based Access Control (RBAC)
D. One-way encryption

QUESTION 209
Which of the following o ers the BEST security functionality for transmitting authentication tokens?
A. JavaScript Object Notation (JSON)
B. Terminal Access Controller Access Control System (TACACS)
C. Security Assertion Markup Language (SAML)
D. Remote Authentication Dial-In User Service (RADIUS)

QUESTION 210
What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)?
A. Establish lines of responsibility.
B. Minimize the risk of failure.
C. Accelerate the recovery process.
D. Eliminate unnecessary decision making.

QUESTION 211
Which of the following is the BEST reason to apply patches manually instead of automated patch
management?
A. The cost required to install patches will be reduced.
B. The time during which systems will remain vulnerable to an exploit will be decreased.
C. The target systems reside within isolated networks.
D. The ability to cover large geographic areas is increased.

QUESTION 212
When should the software Quality Assurance (QA) team feel confident that testing is complete?
A. When release criteria are met
B. When the time allocated for testing the software is met
C. When senior management approves the test results
D. When the software has zero security vulnerabilities

QUESTION 213
What is the MOST e icient way to verify the integrity of database backups?
A. Test restores on a regular basis.
B. Restore every file in the system to check its health.
C. Use checksum as part of the backup operation to make sure that no corruption has occurred.
D. Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database
objects.

QUESTION 214
Which of the following are the FIRST two steps to securing employees from threats involving workplace violence
and acts of terrorism?
A. Physical barriers impeding unauthorized access and security guards at each entrance
B. Physical barriers and the ability to identify people as they enter the workplace
C. Security guards and metal detectors posted at each entrance
D. Metal detectors and the ability to identify people as they enter the workplace

QUESTION 215
Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls?

A. Selection
B. Monitoring
C. Implementation
D. Assessment

QUESTION 216
What is the MAIN reason for having a developer sign a Non-Disclosure Agreement (NDA)?
A. Signing the NDA always gives consent to the developer to access tools and privileged company
information to do their work.
B. Signing the NDA allows the developer to use their developed coding methods.
C. Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others.
D. Signing the NDA is legally binding for up to one year of employment.

QUESTION 217
Which of the following provides for the STRONGEST protection of data confidentiality in a Wi-Fi environment?

A. Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP)
B. Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES)
C. Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication
Code Protocol (CCMP)
D. Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)

QUESTION 218
What is a consideration when determining the potential impact an organization faces in the event of the loss of
confidentiality of Personally Identifiable Information (PII)?
A. Quantity
B. Availability
C. Quality
D. Criticality

QUESTION 219
A security team member was selected as a member of a Change Control Board (CCB) for an organization.
Which of the following is one of their responsibilities?
A. Approving or disapproving the change
B. Determining the impact of the change
C. Carrying out the requested change
D. Logging the change

QUESTION 220
A data owner determines the appropriate job-based access for an employee to perform their duties. Which
type of access control is this?
A. Discretionary Access Control (DAC)
B. Non-discretionary access control
C. Mandatory Access Control (MAC)
D. Role-based access control (RBAC)

QUESTION 221
Which of the following is the MOST relevant risk indicator after a penetration test?
A. Lists of hosts vulnerable to remote exploitation attacks
B. Details of vulnerabilities and recommended remediation
C. Lists of target systems on the network identified and scanned for vulnerabilities
D. Details of successful vulnerability exploitations

QUESTION 222
Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH)
implementation when network tra ic traverses between a host and an infrastructure device?
A. Lightweight Directory Access Protocol (LDAP)
B. Public-key cryptography
C. Remote Authentication Dial-In User Service (RADIUS)
D. Private-key cryptography

QUESTION 223
Lack of which of the following options could cause a negative e ect on an organization’s reputation, revenue,
and result in legal action, if the organization fails to perform due diligence?
A. Threat modeling methodologies
B. Service Level Requirement (SLR)
C. Service Level Agreement (SLA)
D. Third-party risk management

QUESTION 224
What is the BEST approach to annual safety training?
A. Base safety training requirements on sta member job descriptions.
B. Safety training should address any gaps in a sta member’s skill set.
C. Ensure that sta members in positions with known safety risks are given proper training.
D. Ensure that all sta members are provided with identical safety training.

QUESTION 225
Which of the following is a credible source to validate that security testing of Commercial O -The-Shelf (COTS)
software has been performed with international standards?
A. Common Criteria (CC)
B. Evaluation Assurance Level (EAL)
C. National Information Assurance Partnership (NIAP)
D. International Standards Organization (ISO)

QUESTION 226
What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain
confidence in a service organization’s systems?
A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2
D. SOC 3

QUESTION 227
Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)?
A. How the information is to be maintained
B. Why the information is to be collected
C. What information is to be destroyed
D. Where the information is to be stored

QUESTION 228
An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an
unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of
the organization’s general Information Technology (IT) controls, specifically pertaining to software change
control and security patch management, but not in other control areas.
Which of the following is the MOST probable attack vector used in the security breach?
A. Bu er overflow
B. Distributed Denial of Service (DDoS)
C. Cross-Site Scripting (XSS)
D. Weak password due to lack of complexity rules

QUESTION 229
Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal
controls?
A. The risk culture of the organization
B. The impact of the control
C. The nature of the risk
D. The cost of the control
QUESTION 230
Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with
the structure, interpretation and handling of information?
A. Presentation Layer
B. Session Layer
C. Application Layer
D. Transport Layer
QUESTION 231
When conveying the results of a security assessment, which of the following is the PRIMARY audience?
A. Information System Security O icer (ISSO)
B. Authorizing O icial (AO)
C. Information System Security Manager (ISSM)
D. Security Control Assessor (SCA)

QUESTION 232
What is the motivation for use of the Online Certificate Status Protocol (OCSP)?
A. To return information on multiple certificates
B. To control access to Certificate Revocation List (CRL) requests
C. To provide timely up-to-date responses to certificate queries
D. To issue X.509v3 certificates more quickly