CISSP CYBEX Chap 1

Description:
PSSIC test 112

Creation Date: 2025/04/11

Category: Others

Number of questions: 39

Content:

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk? Options: Gamification; Computer-based training; Content reviews; Live training.

Gavin is creating a report for management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk? Options: Inherent risk; Residual risk; Control risk; Mitigated risk.

Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance? Options: Binding corporate rules; Privacy Shield; Standard contractual clauses; Safe harbor.

Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? Options: FISMA; PCI DSS; HIPAA; GISRA.

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations? Options: Memory chips; Office productivity applications; Hard drives; Encryption software.

Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition? Options: Consolidation of security functions; Integration of security tools; Protection of intellectual property; Documentation of security policies.

Laura has been asked to perform a security controls assessment (SCA). What type of organization is she most likely in? Options: Higher education; Banking; Government; Healthcare.

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? Options: Data custodian; Data owner; User; Auditor.

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure? Options: Impact; RPO; MTO; Likelihood.

What important function do senior managers normally fill on a business continuity planning team? Options: Arbitrating disputes about criticality; Evaluating the legal environment; Training staff; Designing failure controls.

Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would NOT apply to a piece of software? Options: Trademark; Copyright; Patent; Trade secret.

Frances is reviewing her organization’s business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation? Options: Statement of accounts; Statement of importance; Statement of priorities; Statement of organizational responsibility.

Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use? Options: CMM; SW-CMM; RMM; COBIT.

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors? Options: Compliance with all laws and regulations; Handling information in the same manner her organization would; Elimination of all identified security risks; Compliance with the vendor’s own policies.

Which one of the following components should be included in an organization’s emergency response guidelines? Options: List of individuals who should be notified of an emergency incident; Long-term business continuity protocols; Activation procedures for the organization’s cold sites; Contact information for ordering equipment.

Chas recently completed the development of his organization’s business continuity plan (BCP). Who is the ideal person to approve an organization’s business continuity plan? Options: Chief information officer; Chief executive officer; Chief information security officer; Chief operating officer.

Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning? Options: Structured analysis of the organization; Review of the legal and regulatory landscape; Creation of a BCP team; Documentation of the plan.

Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. The company operates only in the United States and has facilities in several different states. The personal information relates only to residents of the United States. Which breach laws should they review to ensure that they are taking appropriate action? Options: The breach laws in the state where they are headquartered along with federal breach laws; The breach laws of states they do business in or where their customers reside along with federal breach laws; Only federal breach laws; Breach laws only cover government agencies, not private businesses.

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? Options: ITIL; ISO 27002; CMM; PMBOK Guide.

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt’s clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests? Options: ECPA; CALEA; Privacy Act; HITECH Act.

Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement? Options: NCA; SLA; NDA; RTO.

Which one of the following stakeholders is not typically included on a business continuity planning team? Options: Core business function leaders; Information technology staff; CEO; Support departments.

What principle of information security states that an organization should implement overlapping security controls whenever possible? Options: Least privilege; Separation of duties; Defense in depth; Security through obscurity.

Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.) Options: ISC2 Code of Ethics; Organizational code of ethics; Federal code of ethics; RFC 1087.

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? Options: Purchasing insurance; Encrypting the database contents; Removing the data; Objecting to the exception.

Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? Options: Informing other employees of the termination; Retrieving the employee’s photo ID; Calculating the final paycheck; Revoking electronic access rights.

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? Options: Integrity; Denial; Availability; Confidentiality.

Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using? Options: Vulnerability assessment; Fuzzing; Reduction analysis; Data modeling.

Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat? Options: Unpatched web application; Web defacement; Malicious hacker; Operating system.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center? Options: 10%; 25%; 50%; 75%.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center? Options: 0.0025; 0.005; 0.01; 0.015.

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center? Options: $25,000; $50,000; $250,000; $500,000.

John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover? Options: Spoofing; Repudiation; Information disclosure; Elevation of privilege.

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? Options: His supply chain; His vendor contracts; His post-purchase build process; The original equipment manufacturer (OEM).

In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management process does this describe? Options: Regression testing; Code review; Change management; Fuzz testing.

After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95% completion rate he was aiming for. What is this type of measure called? Options: A KPI; A metric; An awareness control; A return on investment rate.

Which of the following is not typically included in a prehire screening process? Options: A drug test; A background check; Social media review; Fitness evaluation.

Which of the following would normally be considered a supply chain risk? (Select all that apply.) Options: Adversary tampering with hardware prior to being shipped to the end customer; Adversary hacking into a web server run by the organization in an IaaS environment; Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts; Adversary conducting a denial-of-service attack using a botnet.