WGU C725 TEST BANK 2023 MASTER’S COURSE INFORMATION SECURITY AND ASSURANCE 2023 TEST BANK 3000 REAL EXAM QUESTIONS AND CORRECT ANSWERS|AGRADE


Which two passwords are the weakest?

A. Pa$$w0Rd%^78
B. Love@$MySon80
C. C@1Il@VEm1
D. Password1234
BD

Which two secure methods should be used to keep track of passwords?

A. Encrypt text files of them on the user’s workstation
B. Store them on a sticky note in a convenient spot
C. Share them with a trusted manager or coworker
D. Organization-approved password storage software
AD

Which groups typically report to the chief security officer (CSO)?

A. Security engineering and operations
B. Physical and software security
C. Audit and incident response
D. Facilities and information technology functions
A

A company is considering which controls to buy to protect an asset.

What should the price of the controls be in relation to the cost of the asset?

A. Less than the annual loss expectancy
B. More than the annual loss expectancy
C. Equal to the cost of the asset
D. More than the cost of the asset
A

How many keys are used in asymmetric encryption?

A. No keys are used to encrypt and decrypt a message.
B. One key is used to encrypt and decrypt a message.
C. Two keys are used to encrypt and decrypt a message.
D. Three keys are used to encrypt and decrypt a message.
C

Which protocol is a variant of a standard web transfer protocol that adds a layer of security on the data in transit using a secure socket layer?

A. HTTPS
B. HTTP
C. FTP
D. SFTP
A

Which description characterizes symmetric cryptography?

A. The same key is used to lock and unlock the cipher.
B. Two separate but unrelated keys are used to unlock the cipher.
C. Two separate and related keys are used to unlock the cipher.
D. Keys are unnecessary when using symmetric cryptography to unlock a cipher.
A

An employee uses a secure hashing algorithm for message integrity. The employee sends a plain text message with the embedded hash to a colleague. A rogue device receives and retransmits the message to its destination. Once received and checked by the intended recipient, the hashes do not match.

Which STRIDE concept has been violated?

A. Tampering
B. Repudiation
C. Elevation of privilege
D. Denial-of-service
A

An attacker accesses private emails between the company’s CISO and board members. The attacker then publishes the emails online.

Which type of an attack is this, according to the STRIDE model?

A. Repudiation
B. Information disclosure
C. Elevation of privilege
D. Tampering
B

A security guard at the front desk of a building checks every employee’s name badge with their photo before they are allowed in the building.

Which two factors have been checked to verify identity?

A. Something you have, something you are
B. Something you have, something you know
C. Something you know, where you are at
D. Where you are at, something you are
A

A system data owner needs to give access to a new employee, so the owner formally requests that the system administrator create an account and permit the new employee to use systems necessary to the job.

Which type of control does the system administrator use to grant these permissions?

A. Physical
B. Protocol
C. Access
D. Firewall
C

The chief information security officer (CISO) for an organization knows that the organization’s datacenter lacks the physical controls needed to adequately control access to sensitive corporate systems. The CEO, CIO, and CFO feel that the current physical access is within a tolerable risk level, and they agree not to pay for upgrades to the facility.

Which risk management strategy has the senior leadership decided to employ?

A. Deterrence
B. Assignment
C. Acceptance
D. Avoidance
C

Which phase of the software development life cycle follows system design?

A. System requirements
B. Development
C. Testing
D. Deployment
B

Which question relates to the functional aspect of computer security?

A. Does the system do the right things in the right way?
B. Does the security staff do the right job in the right way?
C. Does the system do the right things in the wrong way?
D. Does the security staff do the right job in the wrong way?
A

Which leg of the CIA triad is addressed when a business contracts with a cloud vendor to backup its information?

A. Information
B. Availability
C. Integrity
D. Confidentiality
B

Which action is an example of a loss of information integrity based on the CIA triad?

A. A system administrator uses another administrator’s password without request.
B. A security engineer accidentally scrambles information in a database.
C. A help desk employee verifies customers’ identities before changing passwords.
D. A help desk employee refuses to share an employee’s information with a partner.
B

What is included in quantitative risk analysis?

A. Risk ranking
B. Risk mitigation
C. Risk transfer
D. Risk insurance
A

What is a fundamentally objective concept in determining risk?

A. Risk acceptance
B. Risk recovery
C. Resource availability
D. Resource costs
D

Which domain of the (ISC)² Common Body of Knowledge addresses procedures and tools that eliminate or reduce the capability to exploit critical information?

A. Physical (Environmental) Security
B. Access Control
C. Operations Security
D. Cryptography
C

Which domain of the (ISC)² Common Body of Knowledge addresses identification, authentication, authorization, and logging and monitoring techniques and technologies?

A. Access Control
B. Operations Security
C. Cryptography
D. Software Development Security
A

Which type of policy establishes a security plan, assigns management responsibilities, and states an organization’s computer security objectives?

A. Framework-level
B. Program-level
C. System-specific
D. Issue-specific
B

A company consults a best practices manual from its vendor while deploying a new IT system. Which type of document does this exemplify?

A. Procedures
B. Guidelines
C. Policies
D. Standards
B

Which type of technology are DropBox, Skype, and Office 365 examples of?

A. Local Area Network
B. Wireless
C. Wide Area Network
D. Cloud Computing
D

An organization has all of its offices in several different buildings that are situated on a large city block.

Which type of network is specifically suited to connect these offices to the organization’s network?

A. Wireless
B. Campus
C. Metropolitan
D. Wide
B

A new bookkeeper receives an email claiming to come from an online banking site. The bookkeeper clicks on an embedded link and enters some of the company’s banking information into the cybercriminal’s website.

Which security method can deter this type of attack in the future?

A. Employee security training
B. Principle of least privilege
C. Change management
D. Separation of duties
A

A network security engineer is tasked with preparing audit reports for the auditor. The internal auditor sends the reports to the external auditor who discovers that fraud was committed and that the network security engineer has falsified the reports.

Which security principle should be used to stop this type of fraud from happening?

A. Separation of duties
B. Least privilege
C. Network segmentation
D. Defense in depth
A

An employee has worked for the same organization for years and still has access to legal files even though this employee now works in accounting.

Which principle has been violated?

A. Least privilege
B. Network segmentation
C. Separation of duties
D. Defense in depth
A

A sales specialist is a normal user of a corporate network. The corporate network uses subjects, objects, and labels to grant users access.

Which access control methodology is the corporation using?

A. Least privilege
B. Discretionary
C. Role-based
D. Mandatory
D

Which description is an example of three-factor authentication?

A. Unique information related to the user is added to the two-factor authentication process.
B. A user has three physical devices such as a token, a smart card, and a USB flash drive.
C. A user must enter a strong password, enter a mantrap, and then reenter the password.
D. Unique information related to the user is necessary in addition to a strong password.
A

What is considered a valid method for testing an organization’s disaster recovery plan, according to the Certified Information Systems Security Professional (CISSP)?

A. Checklist
B. Register list
C. Vulnerability testing
D. Penetration testing
A

Which type of disaster recovery site is the most expensive to maintain but the quickest to recover to?

A. Hot
B. Warm
C. Cold
D. Joint
A

Who directs policies and procedures that are designed to protect information resources in an organization?

A. Technical information manager
B. Custodians of information resources
C. Owners of information resources
D. Information resources security officer
D

Which topics should be included in employee security training program?

A. Phishing, social engineering, defensive driving, BYOD
B. Social justice, social networking, 401k training, phishing
C. Social engineering, shoulder surfing, phishing, malware
D. Acceptable use, phishing, employee benefits, BYOD
C

What is a threat to business operations?

A. Recently installed off-the-shelf software with known vulnerabilities
B. Employees who refuse to password protect their computer
C. Sophisticated hacking tools purchased by a disgruntled employee
D. A network administrator who puts off patching server software
C

Which statement describes a threat?

A. Spear phishing attack
B. Unpatched operating system
C. Misconfigured email server
D. Employee filing for bankruptcy
A

Which type of threat can take the form of executable code, scripts, active content, or other software?

A. Malware
B. SQL injection
C. Unpatched OS
D. Brute force
A

What makes a company’s IT systems more prone to a successful attack?

A. Angry customers
B. Vulnerabilities
C. Hackers
D. Fired employees
B

Which type of control reduces the effect of an attack?

A. Deterrent
B. Preventative
C. Corrective
D. Detective
C

Which security control should be included in a risk management policy?

A. Implementation guidelines
B. Technical specification
C. Exception process
D. Workflow process
C

Which physical security threat consists of the collapse of a building due to weather or moving objects?

A. Structural failure
B. Earth movement
C. Flooding
D. Severe wind event
A

A company wants to use an inexpensive form of biometrics to authenticate employee identity to gain entrance into the corporate headquarters.

What is the least expensive and most reliable type of biometric authentication?

A. Fingerprint recognition
B. Retina scanning
C. Voice prints
D. Signature dynamics
A

Which two types of defenses are perimeter controls? Choose 2 answers.

A. Fences
B. Switches
C. Firewalls
D. Mantraps
AD

The organization applies comprehensive hardening to all its computer assets. Due to the high cost of accomplishing this, the security manager decides to withhold any further spending on IT security for the remainder of the year. The manager believes that because of the complexity and secrecy of the organization’s security configuration, these computer assets are relatively safe.

Which flawed security principle is the security manager relying on?

A. Network segmentation
B. Security through obscurity
C. Least privilege
D. Security hardening
B

The company receives notification from its security monitoring service that an unauthorized physical breach of its datacenter occurred. The perpetrator was able to guess the correct code to the keypad device that controls access.

Which type of risk management control could have prevented this breach from occurring?

A. Single sign-on authentication
B. Multifactor authentication
C. Discretionary access control
D. Mandatory access control
B

The company identifies a risk with an asset that has relatively low value. The cost to secure the asset is $2 million. An insurance company will insure the loss of the asset for $150,000 a year. The company decides not to take any action to protect the asset.

Which risk management strategy did the company choose to follow?

A. Mitigation
B. Acceptance
C. Deterrence
D. Assignment
B

Which type of system controls preserves the state of the system before a crash and prevents further damage or unauthorized access to a system?

A. Fail-secure
B. Fail-open
C. Fail-freeze
D. Fail-close
A

A software development company follows a process where software is moved from the development environment, to the testing environment for quality assurance, and then on to production.

Which individual should be restricted from migrating the software to the production environment?

A. System administrator
B. Security architect
C. Project manager
D. Lead programmer
D

After an audit of user access, a CIO is concerned about improperly granted permissions.

Which type of user access should the CIO be most concerned with?

A. Elevated
B. Standard
C. Guest
D. Read-only
A

Which attack uses common words and phrases to guess passwords?

A. Dictionary
B. Trojan horse
C. Rainbow table
D. Injection
A

What is a disadvantage of discretionary access control (DAC)?

A. Empowers owners to decide access levels
B. Determines access by need to know
C. Controls access through a single sign-on
D. Allows security administrators to decide access levels
A

Which password problem persists when accessing information and systems even with a strong password management and creation policy?

A. Passwords are very insecure.
B. Passwords are repudiable.
C. Passwords are easy to crack.
D. Passwords are hard to share.
B

Which regulation requires corporate executives to review and modernize their company’s financial reporting systems?

A. Fair Credit Reporting Act (FCRA)
B. General Data Protection Regulation (GDPR)
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)
C

Which law protects the confidentiality of patient records?

A. Family Medical Leave Act (FMLA)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. Patient Privacy and Protection Act (PPPA)
B

A company has had problems with attackers hacking user accounts using a variety of password-guessing techniques.

Which type of policy change should the company institute to reduce the effectiveness of this type of hacking?

A. Account lock-out
B. Account provisioning
C. Acceptable use
D. Separation of duties
A

An organization wants to update its policies that govern email acceptable use, internet acceptable use, laptop security, and wireless security.

Which type of policies should the organization update to accomplish this?

A. Program-level
B. Program-framework
C. Issue-specific
D. System-specific
C

Which type of documents do organizations use to explain step-by-step instructions?

A. Procedures
B. Guidelines
C. Baselines
D. Standards
A

Which tool can organizations deploy to manage and monitor corporate email against data leakage on mobile devices?

A. Antivirus software
B. MDM
C. Proxy servers
D. Routers
B

An information systems security officer finds a new vulnerability that has no patch available yet. The security officer creates rules in a monitoring system to watch for the attack pattern and alert the security team if the attack is found.

Which risk management principle has the security officer put into place?

A. Preventative
B. Corrective
C. Deterrent
D. Detective
D

A company’s CISO implements a new policy where employees only have access to information necessary to perform their work requirements.

Which security principle describes this action?

A. Security through obscurity
B. Network segmentation
C. Risk transfer
D. Least privilege
D

The chief information officer (CIO) wants to stop programmers from publishing code directly from development to production.

Which cybersecurity concept should the CIO implement?

A. Discretionary access
B. Network segmentation
C. Pretty good privacy
D. Separation of duties
D

Data entry specialists at a hospital are only supposed to be able to enter new patient records into the database but not be able to access existing records. Because the permissions were not set correctly, some data entry specialists have been accessing existing patient records and making unauthorized changes. Hospital administrators want to be able to easily grant permissions based on job type.

Which security principle should the organization implement to solve this problem?

A. Role-based access controls
B. Mandatory access controls
C. Separation of duties
D. Network segmentation
A

A disgruntled database administrator decides to scramble a company’s customer database by swapping client information between clients. Important information such as the address, phone number, and credit card number for each client is no longer accurate.

Which type of policies should the company refine?

A. Accountability
B. Confidentiality
C. Integrity
D. Availability
C

A company has a website that contains information on what it does and how to contact someone in sales to purchase the company’s product.

How should this information be classified?

A. Public information
B. Business sensitive
C. Customer confidential
D. Trade secret
A

A company was the victim of a phishing attack. This attack occurred because a cybercriminal recovered employee company email addresses from a stolen laptop.

How should employee company email addresses be classified?

A. Public information
B. Business sensitive
C. Customer confidential
D. Trade secret
B

An accountant finds an error in the way interest is credited to customer accounts. The IT department traces the error to a patch that IT put on the software used to track customer accounts. The error cost the organization about $100,000 in overpayments.

What is the IT department’s role in this case?

A. Custodian
B. Manager
C. Owner
D. User
A

Which information security professionals, also known as white-hat hackers, are responsible for finding bugs or problems with new systems?

A. Security architects
B. Security testers
C. Policymakers
D. Compliance officers
B

Which type of hypervisor installs directly onto the hardware where the host OS would normally reside?

A. Type I
B. Type II
C. Type III
D. Type IV
A

Management is concerned that data will be lost when using virtual machines (VM).

What are two ways to preserve data in VMs? Choose 2 answers.

A. OS updates
B. Full backups
C. Periodic snapshots
D. Hypervisor updates
BC

Which type of investigation is completed internally and examines either operational issues or a violation of the organization’s policies?

A. Operational
B. Administrative
C. Civil
D. Regulatory
B

Which two types of information about evidence are required to preserve the chain of custody? Choose 2 answers.

A. Relevant circumstances surrounding the collection of the evidence
B. General forensic and procedural principles for evidence collection
C. Policies related to the seizure, access, storage, or transfer of digital evidence
D. Name of the person collecting the evidence
AD

You need to implement hardware that provides high availability. Which hardware contingency solutions offer this?

a. RAID
b. tape backups
c. vaulting
d. disk replication

A. point a
B. point b
C. point c
D. point d
E. points a and b
F. points b and c
G. points b and d
H. points a and d
H

You have decided to implement a full/incremental backup strategy. A full backup will be performed each Sunday. An incremental backup will be performed the other days of the week.

What does an incremental backup do?

A It backs up all the new files and files that have changed since the last full or incremental backup and resets the archive bit.
B It backs up all the new files and files that have changed since the last full backup without resetting the archive bit.
C It backs up all the files in a compressed format.
D It backs up all the files.
A

Which protocol is NOT used by network-attached storage?

A NTFS
B SMB
C CIFS
D NFS
A

Your company implements several databases. You are concerned with the security of the data in the databases.

Which statement is correct for database security?

A Data manipulation language (DML) implements access control through authorization.
B Bind variables provide access control through implementing granular restrictions.
C Data control language (DCL) implements security through access control and granular restrictions.
D Data identification language implements security on data components.
C

Which statements are NOT valid regarding SQL commands?

a. An ADD statement is used to add new rows to a table.
b. A DELETE statement is used to delete rows from a table.
c. A REPLACE statement is used to replace rows to a table.
d. A SELECT statement is used to retrieve rows from a table.
e. A GRANT statement is used to grant permissions to a user.

A. points b, d, and e only
B. point e
C. point d
D. point c
E. point b
F. point a
G. points a and c only
H. all of the points
G

Your company follows a full/incremental strategy as a backup solution. The full/incremental strategy starts with a full backup each Saturday evening and an incremental backup all other evenings. Assume that each of the backups was stored on a different tape.

If the system crashed on Monday morning, how many tapes would you need to recover the data?

A one
B three
C four
D two
D

Which database model uses tuples and attributes for storing and organizing information?

A distributed data model
B object-oriented model
C hierarchical model
D relational model
D

Your organization has several databases. Each database is used for a specific purpose within your organization. Management has decided to combine the databases into a single large database for data analysis.

What is this process called?

A data warehousing
B data mining
C metadata
D partitioning
A

You have implemented the three databases that your organization uses to ensure that an entire transaction must be executed to ensure data integrity. If a portion of a transaction cannot complete, the entire transaction is not performed.

Which database security mechanism are you using?

A aggregation
B save points
C concurrency
D two-phase commit
D

You are considering the sensitivity and criticality of your organization’s data. Which of the following statements is NOT true?

A Once data sensitivity and criticality are documented, the organization should work to create a data classification system.
B Data that is sensitive should also be considered critical.
C Sensitivity determines how freely the data can be handled.
D Criticality measures the importance of the data.
B

The new security plan for your organization states that all data on your servers must be classified to ensure appropriate access controls are implemented. What is true of information classification?

a. A data owner must determine the information classification of an asset.
b. Data classification refers to assigning security labels to information assets.
c. A data custodian must determine the classification of an information asset.
d. The two primary classes of data classification deal with government and military institutions and private sector organizations.
e. The two primary classes of the data classification scheme apply to nonprofit organizations and financial institutions.

A. points a, b, and d only
B. points c and e only
C. all of the points
D. point e
E. point d
F. point c
G. point b
H. point a
A

A user in your organization has been disseminating payroll information on several coworkers. Although she has not been given direct access to this data, she was able to determine this information based on some database views to which she has access.

Which term is used for the condition that has occurred?

A aggregation
B save point
C polyinstantiation
D data scavenging
A

You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior managers should be able to view the expenses for all departments.

Which database security feature provides this granular access control?

A save point
B database view
C noise and perturbation
D partitioning
B

You must ensure that a complete inventory of your organization’s assets is maintained.

Which components are necessary in the asset management inventory?

a. firmware versions
b. operating system versions
c. application versions
d. hardware devices installed

A point c
B point d
C points a and b
D points c and d
E all of the points
F point a
G point b
E

What is the process of combining multiple databases to form a single database?

A data warehouse
B metadata
C data mine
D knowledge base
A

As a security professional, you have been asked to determine the appropriate retention policies for media, hardware, data, and personnel. You decide to first document the appropriate data retention policies.

Which of the following statements is NOT true of developing these policies?

A You must understand where data is stored and the type of data stored.
B The personnel that are most familiar with each data type should work with you to determine the data retention policy.
C You should work with data custodians to develop the appropriate data retention policy for each type of data the organization owns.
D Once you create the data retention policies, personnel must be trained to comply with the data retention policies.
C

You need to format data from your database so that it can be easily displayed using Web technologies.

Which interface language should you use?

A JDBC
B OLE DB
C ADO
D XML
D

Certain employees within your organization must have access to communication test equipment as part of their job. Currently, all of this type of equipment is located in an unlocked file cabinet drawer.

Which statement BEST applies to this type of equipment?

A Their use should be prohibited.
B Their use should be controlled and monitored.
C The equipment can be used to control computer viruses.
D Their use should be restricted to top management.
B

You need to ensure that a set of users can access information regarding departmental expenses. However, each user should only be able to view the expenses for the department in which they work. Senior managers should be able to view the expenses for all departments.

Which database security feature provides this granular access control?

A database view
B noise and perturbation
C partitioning
D save point
A

What is the primary function of portable storage media, such as Zip, Jaz, and flash drives?

A to classify data
B to exchange data
C to erase data
D to modify data
B

Which statement most correctly defines a database management system (DBMS)?

A an application programming interface used to provide connectivity between database and applications
B a suite of software programs providing access to data and implementing permissions on data components
C an outline of tasks performed at each step in the software development process
D a central repository of data elements and their respective relationships
B

Which database interface language is a replacement for Open Database Connectivity (ODBC) and can only be used by Microsoft Windows clients?

A JDBC
B ADO
C OLE DB
D XML
B

Which of the following should NOT affect the asset retention policies?

A asset or data type
B asset or data age
C laws and regulations
D asset or data quality
D

Your company has a backup solution that performs a full backup each Saturday evening and a differential backup all other evenings. A vital system crashes on Tuesday morning.

How many backups will need to be restored?

A Two
B Four
C Three
D One
A

What is typically part of an information policy?

A classification of information
B employee termination procedure
C acceptable use
D authentication
A

You are developing a new database for your organization. The database will be used to track warehouse inventory. You need to ensure that each inventory item is uniquely identified in the database tables.

Which key or keys should you use?

a. tuple
b. foreign
c. primary
d. attribute
e. cell

A. points b and c only
B. points a and d only
C. points a and b only
D. point e
E. point d
F. point c
G. point b
H. point a
A

You have been asked to provide scoping and tailoring guidance for an organization’s security controls.

Which of the following guidelines is NOT true regarding this process?

A Scoping provides instruction to an organization on how to apply and implement security controls.
B Scoping and tailoring are closely tied to access control lists.
C Scoping and tailoring allow an organization to narrow its focus.
D Tailoring matches security controls to the needs of the organization.
B

In object-oriented programming (OOP), what defines the functions that an object can carry out?

A attribute
B method
C message
D class
B

You have been hired as a security consultant for an organization that does contract work for the U.S. Department of Defense (DoD). You must ensure that all data that is part of the contract work is categorized appropriately.

What is the highest data classification category you can use?

A Top Secret
B Confidential
C Secret
D Sensitive
A

In the context of backup media, what is meant by the term retention time?

A the amount of time a tape takes to restore the data
B the amount of time a tape is used before being destroyed
C the amount of time a tape takes to back up the data
D the amount of time a tape is stored before its data is overwritten
D

You are establishing the media handling requirements, including the appropriate procedures for marking, labelling, storing, and destroying data that is stored on digital media. Currently, you are concerned with the capacity of any storage medium that you may use.

What should you consider as part of this storage medium aspect?

A how easily a given medium will last before it deteriorates
B how long the industry will support various media options
C how transportable the stored records should be
D the volume of records that you can store on the medium
D

Which of the following is a specific set of requirements for technology implementation and is used as a benchmark for future changes?

A guidelines
B standards
C procedures
D baselines
D

Which operation must you undertake to avoid mishandling of tapes, CDs, DVDs, floppies, and printed material?

A offsite storage
B labeling
C degaussing
D zeroization
B

Which statement correctly describes Bind variables in structured query language (SQL)?

A Bind variables are used to replace values in SQL commands.
B Bind variables are used to enhance the performance of the database.
C Bind variables implement database security.
D Bind variables are used to normalize a database.
B

Which statement best describes data normalization?

A Data normalization implements data fragmentation and provides faster access.
B Data normalization improves the efficiency and performance of a database.
C Data normalization assists in implementing polyinstantiation.
D Data normalization ensures that attributes in a database table depend on the primary key.
D

You are reviewing the access control methods used by an organization. The organization is concerned with the cost of access control.

Which aspect of the information being safeguarded will most affect this cost?

A information redundancy
B information type
C information value
D information replacement cost
C

Management is concerned that data loss may occur in the event of a hard drive failure. You have been asked to provide a disk system that protects against data loss if a single drive in any vital system fails.

Which disk systems should you evaluate?

a. disk striping
b. disk mirroring
c. disk striping with parity
d. failure resistant disk system (FRDS)

A. point a
B. point b
C. point c
D. point d
E. points a, b, and c
F. all of the points
G. points b, c, and d
G

Management is concerned that attackers will attempt to access information in the database. They have asked you to implement database protection using bogus data in hopes that the bogus data will mislead attackers.

Which technique is being requested?

A cell suppression
B partitioning
C noise and perturbation
D trusted front-end
C

You are researching RAID implementations to determine which RAID level is best for your organization.

Which RAID level provides only performance enhancements and does not provide fault tolerance?

A disk mirroring
B RAID 3
C RAID 5
D clustering
E disk striping
E

Which method is NOT recommended for removing data from a storage media that is used to store confidential information?

A zeroization
B formatting
C destruction
D degaussing
B

Which policy defines the sensitivity of a company’s data?

A backup policy
B information policy
C use policy
D security policy
B

Information security is primarily a discipline to manage the behavior of _.

A Technology
B People
C Processes
D Organizations
B

A program for information security should include which of the following elements?

A Security policies and procedures
B Intentional attacks only
C Unintentional attacks only
D None of these
A

The formal study of information security has accelerated primarily for what reason?

A Common breaches of computer systems
B The formation of the U.S. Department of Homeland Security
C Object-oriented programming
D Increasingly interconnected global networks
D

What is meant by the phrase “the umbrella of information security”?

A When it rains, it pours.
B IS incorporates many different pursuits and disciplines.
C Just as it is bad luck to open an umbrella indoors, it is bad luck not to have an information security policy.
D IS policies, like umbrellas, should never be loaned to others because they are easily lost or misused.
B

Which of the following roles helps development teams meet security requirements?

A Policymakers
B Compliance officers
C Security consultants
D Security architects
C

Which of the following roles is responsible for ensuring that third-party suppliers and outsourced functions remain in security compliance?

A Compliance officers
B Vendor managers
C Security architects
D Access coordinators
B

Related to information security, confidentiality is the opposite of which of the following?

A Closure
B Disclosure
C Disaster
D Disposal
B

Which of the following terms best describes the assurance that data has not been changed unintentionally due to an accident or malice?

A Availability
B Confidentiality
C Integrity
D Auditability
C

Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

A Prevention, response, and prosecution
B Response, collection of evidence, and prosecution
C Prevention, detection, and response
D Prevention, response, and management
C

Which of the following best represents the two types of IT security requirements?

A Functional and logical
B Logical and physical
C Functional and assurance
D Functional and physical
D

Which of the following statements is true?

A Security assurance requirements describe how to test the system.
B Security assurance requirements describe how to program the system.
C Security assurance requirements describe to what degree the testing of the system is conducted.
D Security assurance requirements describe implementation considerations.
C

Which of the following terms best describes the probability that a threat to an information system will materialize?

A Threat
B Vulnerability
C Hole
D Risk
D

Which of the following terms best describes the absence or weakness in a system that may possibly be exploited?

A Vulnerability
B Threat
C Risk
D Exposure
A

Which of the following statements is true?

A Controls are implemented to eliminate risk and eliminate the potential for loss.
B Controls are implemented to mitigate risk and reduce the potential for loss.
C Controls are implemented to eliminate risk and reduce the potential for loss.
D Controls are implemented to mitigate risk and eliminate the potential for loss.
B

Security functional requirements describe which of the following?

A What a security system should do by design
B What controls a security system must implement
C Quality assurance description and testing approach
D How to implement the system
A

Which of the following represents the three types of security controls?

A People, functions, and technology
B People, process, and technology
C Technology, roles, and separation of duties
D Separation of duties, processes, and people
B

ISC2 was formed for which of the following purposes?

A Maintaining a Common Body of Knowledge for information security
B Certifying industry professionals and practitioners in an international IS standard
C Ensuring that credentials are maintained, primarily through continuing education
D All of these
D

Which of the following places the Orange Book classifications in order from most secure to least secure?

A Division A, Division B, Division C, Division D
B Division D, Division C, Division B, Division A
C Division D, Division B, Division A, Division C
D Division C, Division D, Division B, Division A
A

The Orange Book is founded upon which security policy model?

A Biba model
B Bell-LaPadula model
C Clark-Wilson model
D Common Criteria
B

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?

A Integrity and confidentiality
B Confidentiality and availability
C Integrity and availability
D None of these
C

Which of the following terms best describes the primary concern of the Biba security model?

A Confidentiality
B Reliability
C Availability
D Integrity
D

Which of the following terms best describes the primary concern of the Bell-LaPadula security model?

A Accountability
B Integrity
C Confidentiality
D Availability
C

Which of the following statements best defines a covert channel?

A undocumented back door that a programmer has left in an operating system.
B open system port that should be closed.
C communication channel that allows transfer of information in a manner that violates the system’s security policy.
D Trojan horse.
C

Which of the following is considered the most extensive type of disaster recovery testing?

A Checklists
B Full interruption
C Simulation
D Parallel testing
C
