Test Bank: CISSP Cert Guide, 3rd Edition, by Robin Abernathy
Question ID: CISSP-2018-CQ-01-001
Question: Which security principle is the opposite of disclosure?
A: integrity
B: availability
C: confidentiality
D: authorization
Question ID: CISSP-2018-CQ-01-002
Question: Which of the following controls is an administrative control?
A: security policy
B: CCTV
C: data backups
D: locks
Question ID: CISSP-2018-CQ-01-003
Question: What is a vulnerability?
A: the entity that carries out a threat
B: the exposure of an organizational asset to losses
C: an absence or a weakness of a countermeasure that is in place
D: a control that reduces risk
Question ID: CISSP-2018-CQ-01-004
Question: Which framework uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?
A: Six Sigma
B: SABSA
C: ITIL
D: ISO/IEC 27000 series
Question ID: CISSP-2018-CQ-01-005
Question: Which group of threat agents includes hardware and software failure, malicious code, and new technologies?
A: human
B: natural
C: environmental
D: technical
Question ID: CISSP-2018-CQ-01-006
Question: Which term indicates the monetary impact of each threat occurrence?
A: ARO
B: ALE
C: EF
D: SLE
Question ID: CISSP-2018-CQ-01-007
Question: What is risk avoidance?
A: risk that is left over after safeguards have been implemented
B: terminating the activity that causes a risk or choosing an alternative that is not as risky
C: passing the risk on to a third party
D: defining the acceptable risk level the organization can tolerate and reducing the risk to that level
Question ID: CISSP-2018-CQ-01-008
Question: Which security policies provide instruction on acceptable and unacceptable activities?
A: informative security policies
B: regulatory security policies
C: system-specific security policies
D: advisory security policies
Question ID: CISSP-2018-CQ-01-009
Question: Which organization role determines the classification level of the information to protect the data for which he is responsible?
A: data owner
B: data custodian
C: security administrator
D: security analyst
Question ID: CISSP-2018-CQ-01-010
Question: Which type of crime occurs when a computer is used as a tool to help commit a crime?
A: computer-assisted crime
B: incidental computer crime
C: computer-targeted crime
D: computer prevalence crime
Question ID: CISSP-2018-CQ-01-011
Question: Which access control type reduces the effect of an attack or another undesirable event?
A: compensative control
B: preventive control
C: detective control
D: corrective control
Question ID: CISSP-2018-CQ-01-012
Question: What is the first stage of the security program life cycle?
A: Plan and Organize
B: Implement
C: Operate and Maintain
D: Monitor and Evaluate
- Plan and Organize
- Implement
- Operate and Maintain
- Monitor and Evaluate
Question ID: CISSP-2018-CQ-01-013
Question: Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (What, Why, Where, and so on) with various viewpoints (Planner, Owner, Designer, and so on)?
A: SABSA
B: Zachman framework
C: TOGAF
D: ITIL
Question ID: CISSP-2018-CQ-01-014
Question: Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies?
A: CPO
B: CFO
C: CSO
D: CIO
Question ID: CISSP-2018-CQ-01-015
Question: Which of the following do organizations have employees sign in order to protect trade secrets?
A: trademark
B: patent
C: DRM
D: NDA
Question ID: CISSP-2018-CQ-01-016
Question: Which type of access control is an acceptable use policy (AUP) most likely considered?
A: corrective
B: detective
C: compensative
D: directive
Question ID: CISSP-2018-CQ-01-017
Question: What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches?
A: due care
B: due diligence
C: default stance
D: qualitative risk analysis
Question ID: CISSP-2018-CQ-01-018
Question: Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities?
A: application-centric
B: asset-centric
C: attacker-centric
D: hostile-centric
Question ID: CISSP-2018-CQ-01-019
Question: Which of the following is NOT a consideration for security professionals during mergers and acquisitions?
A: new data types
B: new technology types
C: cost of the merger or acquisition
D: the other organization’s security awareness training program
Question ID: CISSP-2018-CQ-01-020
Question: What is the first step of CRAMM?
A: identify threats and vulnerabilities
B: identify and value assets
C: identify countermeasures
D: prioritize countermeasures
- Identify and value assets.
- Identify threats and vulnerabilities and calculate risks.
- Identify and prioritize countermeasures.
Question ID: CISSP-2018-CQ-02-001
Question: What is the highest military security level?
A: Confidential
B: Top Secret
C: Private
D: Sensitive
- Top Secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified
Question ID: CISSP-2018-CQ-02-002
Question: Which of the following is also called disk striping?
A: RAID 0
B: RAID 1
C: RAID 10
D: RAID 5
Question ID: CISSP-2018-CQ-02-003
Question: Which of the following is also called disk mirroring?
A: RAID 0
B: RAID 1
C: RAID 10
D: RAID 5
Question ID: CISSP-2018-CQ-02-004
Question: Which of the following is composed of high-capacity storage devices that are connected by a high-speed private (separate from the LAN) network using storage-specific switches?
A: HSM
B: SAN
C: NAS
D: RAID
Question ID: CISSP-2018-CQ-02-005
Question: Who is responsible for deciding which users have access to data?
A: business owner
B: system owner
C: data owner
D: data custodian
Question ID: CISSP-2018-CQ-02-006
Question: Which term is used for the fitness of data for use?
A: data sensitivity
B: data criticality
C: data quality
D: data classification
Question ID: CISSP-2018-CQ-02-007
Question: What is the highest level of classification for commercial systems?
A: public
B: sensitive
C: private
D: confidential
- Confidential
- Private
- Sensitive
- Public
Question ID: CISSP-2018-CQ-02-008
Question: What is the first phase of the information life cycle?
A: maintain
B: use
C: distribute
D: create/receive
- Create/receive
- Distribute
- Use
- Maintain
- Dispose/store
Question ID: CISSP-2018-CQ-02-009
Question: Which organizational role owns a system and must work with other users to ensure that data is secure?
A: business owner
B: data custodian
C: data owner
D: system owner
Question ID: CISSP-2018-CQ-02-010
Question: What is the last phase of the information life cycle?
A: distribute
B: maintain
C: dispose/store
D: use
- Create/receive
- Distribute
- Use
- Maintain
- Dispose/store
Question ID: CISSP-2018-CQ-03-001
Question: Which of the following is provided if data cannot be read?
A: integrity
B: confidentiality
C: availability
D: defense in depth
Question ID: CISSP-2018-CQ-03-002
Question: In a distributed environment, which of the following is software that ties the client and server software together?
A: embedded systems
B: mobile code
C: virtual computing
D: middleware
Question ID: CISSP-2018-CQ-03-003
Question: Which of the following comprises the components (hardware, firmware, and/or software) that are trusted to enforce the security policy of the system?
A: security perimeter
B: reference monitor
C: Trusted Computer Base (TCB)
D: security kernel
Question ID: CISSP-2018-CQ-03-004
Question: Which process converts plaintext into ciphertext?
A: hashing
B: decryption
C: encryption
D: digital signature
Question ID: CISSP-2018-CQ-03-005
Question: Which type of cipher is the Caesar cipher?
A: polyalphabetic substitution
B: mono-alphabetic substitution
C: polyalphabetic transposition
D: mono-alphabetic transposition
Question ID: CISSP-2018-CQ-03-006
Question: What is the most secure encryption scheme?
A: concealment cipher
B: symmetric algorithm
C: one-time pad
D: asymmetric algorithm
Question ID: CISSP-2018-CQ-03-007
Question: Which 3DES implementation encrypts each block of data three times, each time with a different key?
A: 3DES-EDE3
B: 3DES-EEE3
C: 3DES-EDE2
D: 3DES-EEE2
Question ID: CISSP-2018-CQ-03-008
Question: Which of the following is NOT a hash function?
A: ECC
B: MD6
C: SHA-2
D: RIPEMD-160
Question ID: CISSP-2018-CQ-03-009
Question: Which of the following is an example of preventing an internal threat?
A: a door lock system on a server room
B: an electric fence surrounding a facility
C: armed guards outside a facility
D: parking lot cameras
Question ID: CISSP-2018-CQ-03-010
Question: Which of the following is NOT one of the three main strategies that guide CPTED?
A: Natural Access Control
B: Natural Surveillance Reinforcement
C: Natural Territorial Reinforcement
D: Natural Surveillance
Question ID: CISSP-2018-CQ-03-011
Question: What occurs when different encryption keys generate the same ciphertext from the same plaintext message?
A: key clustering
B: cryptanalysis
C: keyspace
D: confusion
Question ID: CISSP-2018-CQ-03-012
Question: Which encryption system uses a private or secret key that must remain secret between the two parties?
A: running key cipher
B: concealment cipher
C: asymmetric algorithm
D: symmetric algorithm
Question ID: CISSP-2018-CQ-03-013
Question: Which of the following is an asymmetric algorithm?
A: IDEA
B: Twofish
C: RC6
D: RSA
Question ID: CISSP-2018-CQ-03-014
Question: Which PKI component contains a list of all the certificates that have been revoked?
A: CA
B: RA
C: CRL
D: OCSP
Question ID: CISSP-2018-CQ-03-015
Question: Which attack executed against a cryptographic algorithm uses all possible keys until a key is discovered that successfully decrypts the ciphertext?
A: frequency analysis
B: reverse engineering
C: ciphertext-only attack
D: brute force
Question ID: CISSP-2018-CQ-03-016
Question: In ISO/IEC 15288:2018, which process category includes acquisition and supply?
A: Technical management processes
B: Technical processes
C: Agreement processes
D: Organizational project-enabling processes
- Agreement processes, including acquisition and supply
- Organizational project-enabling processes, including infrastructure management, quality management, and knowledge management
- Technical management processes, including project planning, risk management, configuration management, and quality assurance
- Technical processes, including system requirements definition, system analysis, implementation, integration, operation, maintenance, and disposal
Question ID: CISSP-2018-CQ-03-017
Question: Which of the following is NOT a principle in the risk-based category of NIST 800-27 Rev A?
A: Assume that external systems are insecure.
B: Eliminate risk.
C: Protect information while being processed, in transit, and in storage.
D: Protect against all likely classes of attacks.
- Reduce risk to an acceptable level.
- Assume that external systems are insecure.
- Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
- Implement tailored system security measures to meet organizational security goals.
- Protect information while being processed, in transit, and in storage.
- Consider custom products to achieve adequate security.
- Protect against all likely classes of attacks.
Question ID: CISSP-2018-CQ-03-018
Question: Which statement is true of dedicated security mode?
A: It employs a single classification level.
B: All users have the same security clearance, but they do not all possess a need-to-know clearance for all the information in the system.
C: All users must possess the highest security clearance, but they must also have valid need-to-know clearance, a signed NDA, and formal approval for all information to which they have access.
D: Systems allow two or more classification levels of information to be processed at the same time.
Question ID: CISSP-2018-CQ-03-019
Question: What is the first step in ISO/IEC 27001:2013?
A: Identify the requirements.
B: Perform risk assessment and risk treatment.
C: Maintain and monitor the ISMS.
D: Obtain management support.
Question ID: CISSP-2018-CQ-03-020
Question: Which two processor states are supported by most processors?
A: supervisor state and problem state
B: supervisor state and kernel state
C: problem state and user state
D: supervisor state and elevated state
Question ID: CISSP-2018-CQ-03-021
Question: When supporting a BYOD initiative, from which group do you probably have the most to fear?
A: hacktivists
B: careless users
C: software vendors
D: mobile device vendors
Question ID: CISSP-2018-CQ-03-022
Question: Which term applies to embedded devices that bring security concerns with them because the engineers who design these devices do not always worry about security?
A: BYOD
B: NDA
C: IoT
D: ITSEC
Question ID: CISSP-2018-CQ-03-023
Question: Which option best describes the primary concern of NIST SP 800-57?
A: asymmetric encryption
B: symmetric encryption
C: message integrity
D: key management
Question ID: CISSP-2018-CQ-03-024
Question: Which of the following key types requires only integrity security protection?
A: public signature verification key
B: private signature key
C: symmetric authentication key
D: private authentication key
Question ID: CISSP-2018-CQ-03-025
Question: What is the final phase of the cryptographic key management life cycle, according to NIST SP 800-57?
A: operational phase
B: destroyed phase
C: pre-operational phase
D: post-operational phase
Question ID: CISSP-2018-CQ-04-001
Question: At which layer of the OSI model does the encapsulation process begin?
A: Transport
B: Application
C: Physical
D: Session
Question ID: CISSP-2018-CQ-04-002
Question: Which two layers of the OSI model are represented by the Link layer of the TCP/IP model? (Choose two.)
A: Data Link
B: Physical
C: Session
D: Application
E: Presentation
Question ID: CISSP-2018-CQ-04-003
Question: Which of the following represents the range of port numbers that are referred to as "well-known" port numbers?
A: 49152-65535
B: 0-1023
C: 1024-49151
D: all above 500
Question ID: CISSP-2018-CQ-04-004
Question: What is the port number for HTTP?
A: 23
B: 443
C: 80
D: 110
23 - Telnet
443 - HTTPS
80 - HTTP
110 - POP3
Question ID: CISSP-2018-CQ-04-005
Question: What protocol in the TCP/IP suite resolves IP addresses to MAC addresses?
A: ARP
B: TCP
C: IP
D: ICMP
Question ID: CISSP-2018-CQ-04-006
Question: How many bits are contained in an IPv4 address?
A: 128
B: 48
C: 32
D: 64
Question ID: CISSP-2018-CQ-04-007
Question: Which of the following is a Class C address?
A: 172.16.5.6
B: 192.168.5.54
C: 10.6.5.8
D: 224.6.6.6
Question ID: CISSP-2018-CQ-04-008
Question: Which of the following is a valid private IP address?
A: 10.2.6.6
B: 172.15.6.6
C: 191.6.6.6
D: 223.54.5.5
| Class | Range |
| --- | --- |
| Class A | 10.0.0.0-10.255.255.255 |
| Class B | 172.16.0.0-172.31.255.255 |
| Class C | 192.168.0.0-192.168.255.255 |
Question ID: CISSP-2018-CQ-04-009
Question: Which service converts private IP addresses to public IP addresses?
A: DHCP
B: DNS
C: NAT
D: WEP
Question ID: CISSP-2018-CQ-04-010
Question: Which type of transmission uses stop and start bits?
A: asynchronous
B: unicast
C: multicast
D: synchronous
Question ID: CISSP-2018-CQ-04-011
Question: Which protocol encapsulates Fibre Channel frames over Ethernet networks?
A: MPLS
B: FCoE
C: iSCSI
D: VoIP
Question ID: CISSP-2018-CQ-04-012
Question: Which protocol uses port 143?
A: RDP
B: AFP
C: IMAP
D: SSH
Question ID: CISSP-2018-CQ-04-013
Question: Which of the following best describes NFS?
A: a file-sharing protocol
B: a directory query protocol that is based on X.500
C: an Application layer protocol that is used to retrieve information from network devices
D: a client/server file-sharing protocol used in UNIX/Linux
Question ID: CISSP-2018-CQ-04-014
Question: Which of the following is a multi-layer protocol that is used between components in process automation systems in electric and water companies?
A: DNP3
B: VoIP
C: WPA
D: WPA2
Question ID: CISSP-2018-CQ-04-015
Question: Which wireless implementation includes MU MIMO?
A: 802.11a
B: 802.11ac
C: 802.11g
D: 802.11n
Question ID: CISSP-2018-CQ-05-001
Question: Which of the following is NOT an example of a knowledge authentication factor?
A: password
B: mother's maiden name
C: city of birth
D: smart card
Question ID: CISSP-2018-CQ-05-002
Question: Which of the following statements about memory cards and smart cards is false?
A: A memory card is a swipe card that contains user authentication information.
B: Memory cards are also known as integrated circuit cards (ICCs).
C: Smart cards contain memory and an embedded chip.
D: Smart card systems are more reliable than memory card systems.
Question ID: CISSP-2018-CQ-05-003
Question: Which biometric method is most effective?
A: iris scan
B: retina scan
C: fingerprint
D: hand print
Question ID: CISSP-2018-CQ-05-004
Question: What is a Type I error in a biometric system?
A: crossover error rate (CER)
B: false rejection rate (FRR)
C: false acceptance rate (FAR)
D: throughput rate
Question ID: CISSP-2018-CQ-05-005
Question: Which access control model is most often used by routers and firewalls to control access to networks?
A: discretionary access control
B: mandatory access control
C: role-based access control
D: rule-based access control
Question ID: CISSP-2018-CQ-05-006
Question: Which threat is NOT considered a social engineering threat?
A: phishing
B: pharming
C: DoS attack
D: dumpster diving
Question ID: CISSP-2018-CQ-05-007
Question: Which of the following statements best describes an IDaaS implementation?
A: Ensures that any instance of identification and authentication to a resource is managed properly.
B: Collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.
C: Provides a set of identity and access management functions to target systems on customers' premises and/or in the cloud.
D: It is a SAML standard that exchanges authentication and authorization data between organizations or security domains.
Question ID: CISSP-2018-CQ-05-008
Question: Which of the following is an example of multi-factor authentication?
A: username and password
B: username, retina scan, and smart card
C: retina scan and finger scan
D: smart card and security token
Question ID: CISSP-2018-CQ-05-009
Question: You decide to implement an access control policy that requires users to log on from certain workstations within your enterprise. Which type of authentication factor are you implementing?
A: knowledge factor
B: location factor
C: ownership factor
D: characteristic factor
Question ID: CISSP-2018-CQ-05-010
Question: Which threat is considered a password threat?
A: buffer overflow
B: sniffing
C: spoofing
D: brute-force attack
Question ID: CISSP-2018-CQ-05-011
Question: Which session management mechanisms are often used to manage desktop sessions?
A: screensavers and timeouts
B: FIPS 201-2 and NIST SP 800-79-2
C: Bollards and locks
D: KDC, TGT, and TGS
Question ID: CISSP-2018-CQ-05-012
Question: Which of the following is a major disadvantage of implementing an SSO system?
A: Users are able to use stronger passwords.
B: Users need to remember the login credentials for a single system.
C: User and password administration are simplified.
D: If a user's credentials are compromised, an attacker can access all resources.
Question ID: CISSP-2018-CQ-05-013
Question: Which type of attack is carried out from multiple locations using zombies and botnets?
A: TEMPEST
B: DDoS
C: Backdoor
D: Emanating
Question ID: CISSP-2018-CQ-06-000
Question: Which monitoring method captures and analyzes every transaction of every application or website user?
A: RUM
B: synthetic transaction monitoring
C: code review and testing
D: misuse case testing
Question ID: CISSP-2018-CQ-06-001
Question: For which of the following penetration tests does the testing team know an attack is coming but have limited knowledge of the network systems and devices and only publicly available information?
A: target test
B: physical test
C: blind test
D: double-blind test
Question ID: CISSP-2018-CQ-06-002
Question: Which of the following is NOT a guideline according to NIST SP 800-92?
A: Organizations should establish policies and procedures for log management.
B: Organizations should create and maintain a log management infrastructure.
C: Organizations should prioritize log management appropriately throughout the organization.
D: Choose auditors with security experience.
Question ID: CISSP-2018-CQ-06-003
Question: According to NIST SP 800-92, which of the following are facets of log management infrastructure? (Choose all that apply.)
A: general functions (log parsing, event filtering, and event aggregation)
B: storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking)
C: log analysis (event correlation, log viewing, log reporting)
D: log disposal (log clearing)
Question ID: CISSP-2018-CQ-06-004
Question: What are the two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92?
A: passive and active
B: agentless and agent-based
C: push and pull
D: throughput and rate
Question ID: CISSP-2018-CQ-06-006
Question: Which type of testing is also known as negative testing?
A: RUM
B: synthetic transaction monitoring
C: code review and testing
D: misuse case testing
Question ID: CISSP-2018-CQ-06-007
Question: What is the first step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A: Establish an ISCM program.
B: Define the ISCM strategy.
C: Implement an ISCM program.
D: Analyze the data collected.
1. Define an ISCM strategy.
2. Establish an ISCM program.
3. Implement an ISCM program.
4. Analyze the data collected, and report findings.
5. Respond to findings.
6. Review and update the monitoring program.
Question ID: CISSP-2018-CQ-06-008
Question: What is the second step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A: Establish an ISCM program.
B: Define the ISCM strategy.
C: Implement an ISCM program.
D: Analyze the data collected.
1. Define an ISCM strategy.
2. Establish an ISCM program.
3. Implement an ISCM program.
4. Analyze the data collected, and report findings.
5. Respond to findings.
6. Review and update the monitoring program.
Question ID: CISSP-2018-CQ-06-009
Question: Which of the following is NOT a guideline for internal and third-party audits?
A: Choose auditors with security experience.
B: Define the ISCM strategy.
C: Implement an ISCM program.
D: Analyze the data collected.
- At minimum, perform annual audits to establish a security baseline.
- Determine your organization’s objectives for the audit and share them with the auditors.
- Set the ground rules for the audit, including the dates/times of the audit, before the audit starts.
- Choose auditors who have security experience.
- Involve business unit managers early in the process.
- Ensure that auditors rely on experience, not just checklists.
- Ensure that the auditor's report reflects risks that the organization has identified.
- Ensure that the audit is conducted properly.
- Ensure that the audit covers all systems and all policies and procedures.
- Examine the report when the audit is complete.
Question ID: CISSP-2018-CQ-06-010
Question: Which SOC report should be shared with the general public?
A: SOC 1, Type 1
B: SOC 1, Type 2
C: SOC 2
D: SOC 3
Question ID: CISSP-2018-CQ-07-001
Question: What is the first step of the incident response process?
A: Respond to the incident.
B: Detect the incident.
C: Report the incident.
D: Recover from the incident.
1. Detect the incident.
2. Respond to the incident.
3. Report the incident to the appropriate personnel.
4. Recover from the incident.
5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.
6. Review the incident and document all findings.
Question ID: CISSP-2018-CQ-07-002
Question: What is the second step of the forensic investigations process?
A: identification
B: collection
C: preservation
D: examination
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision
Question ID: CISSP-2018-CQ-07-003
Question: Which of the following is NOT one of the five rules of evidence?
A: Be accurate.
B: Be complete.
C: Be admissible.
D: Be volatile.
- Be authentic.
- Be accurate.
- Be complete.
- Be convincing.
- Be admissible.
Question ID: CISSP-2018-CQ-07-004
Question: Which of the following refers to allowing users access only to the resources required to do their jobs?
A: job rotation
B: separation of duties
C: need to know/least privilege
D: mandatory vacation
Question ID: CISSP-2018-CQ-07-005
Question: Which of the following is an example of an intangible asset?
A: disc drive
B: recipe
C: people
D: server
Question ID: CISSP-2018-CQ-07-006
Question: Which of the following is not a step in incident response management?
A: detect
B: respond
C: monitor
D: report
1. Detect
2. Respond
3. Report
4. Recover
5. Remediate
6. Review
Question ID: CISSP-2018-CQ-07-007
Question: Which of the following is NOT a backup type?
A: full
B: incremental
C: grandfather/father/son
D: transaction log
Question ID: CISSP-2018-CQ-07-008
Question: Which term is used for a leased facility that contains all the resources needed for full operation?
A: cold site
B: hot site
C: warm site
D: tertiary site
Question ID: CISSP-2018-CQ-07-009
Question: Which electronic backup type stores data on optical discs and uses robotics to load and unload the optical discs as needed?
A: optical jukebox
B: hierarchical storage management
C: tape vaulting
D: replication
Question ID: CISSP-2018-CQ-07-010
Question: What is failsoft?
A: the capacity of a system to switch over to a backup system if a failure in the primary system occurs
B: the capability of a system to terminate non-critical processes when a failure occurs
C: a software product that provides load-balancing services
D: high-capacity storage devices that are connected by a high-speed private network using storage-specific switches
Question ID: CISSP-2018-CQ-07-011
Question: What investigation type specifically refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process?
A: data loss prevention (DLP)
B: regulatory
C: eDiscovery
D: operations
Question ID: CISSP-2018-CQ-07-012
Question: An organization’s firewall is monitoring the outbound flow of information from one network to another. What specific type of monitoring is this?
A: egress monitoring
B: continuous monitoring
C: CMaaS
D: resource provisioning
Question ID: CISSP-2018-CQ-07-013
Question: Which of the following are considered virtual assets? (Choose all that apply.)
A: software-defined networks
B: virtual storage-area networks
C: guest OSs deployed on VMs
D: virtual routers
Question ID: CISSP-2018-CQ-07-014
Question: Which of the following describes the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption?
A: quality of service (QoS)
B: recovery time objective (RTO)
C: recovery point objective (RPO)
D: system resilience
Question ID: CISSP-2018-CQ-07-015
Question: Which of the following are the main factors that affect the selection of an alternate location during the development of a DRP? (Choose all that apply.)
A: geographic location
B: organizational needs
C: location's cost
D: location's restoration effort
- Geographic location
- Organizational needs
- Location's cost
- Location's restoration effort
Question ID: CISSP-2018-CQ-08-001
Question: Which of the following is the last step in the System Development Life Cycle?
A: Operate/Maintain
B: Dispose
C: Acquire/Develop
D: Initiate
1. Initiate
2. Acquire/Develop
3. Implement
4. Operate/Maintain
5. Dispose
Question ID: CISSP-2018-CQ-08-002
Question: In which of the following stages of the Software Development Life Cycle is the software actually coded?
A: Gather Requirements
B: Design
C: Develop
D: Test/Validate
Question ID: CISSP-2018-CQ-08-003
Question: Which of the following initiatives was developed by the Department of Homeland Security?
A: WASC
B: BSI
C: OWASP
D: ISO
Question ID: CISSP-2018-CQ-08-004
Question: Which of the following development models includes no formal control mechanisms to provide feedback?
A: Waterfall
B: V-Shaped
C: Build and Fix
D: Spiral
Question ID: CISSP-2018-CQ-08-005
Question: Which language type delivers instructions directly to the processor?
A: assembly languages
B: high-level languages
C: machine languages
D: natural languages
Question ID: CISSP-2018-CQ-08-006
Question: Which term describes how many different tasks a module can carry out?
A: polymorphism
B: cohesion
C: coupling
D: data structures
Question ID: CISSP-2018-CQ-08-007
Question: Which term describes a standard for communication between processes on the same computer?
A: CORBA
B: DCOM
C: COM
D: SOA
Question ID: CISSP-2018-CQ-08-008
Question: Which of the following is a Microsoft technology?
A: ActiveX
B: Java
C: SOA
D: CORBA
Question ID: CISSP-2018-CQ-08-009
Question: Which of the following is the dividing line between the trusted parts of the system and those that are untrusted?
A: security perimeter
B: reference monitor
C: trusted computer base (TCB)
D: security kernel
Question ID: CISSP-2018-CQ-08-010
Question: Which of the following is a system component that enforces access controls on an object?
A: security perimeter
B: reference monitor
C: trusted computer base (TCB)
D: security kernel
Question ID: CISSP-2018-CQ-08-011
Question: Which of the following ensures that the customer (either internal or external) is satisfied with the functionality of the software?
A: Integration testing
B: Acceptance testing
C: Regression testing
D: Accreditation
Question ID: CISSP-2018-CQ-08-012
Question: In which of the following models is less time spent on the upfront analysis and more emphasis placed on learning from the process feedback and incorporating lessons learned in real time?
A: Agile
B: Rapid Application Development
C: Cleanroom
D: Modified Waterfall
Question ID: CISSP-2018-CQ-08-013
Question: Which of the following software development risk analysis and mitigation strategy guidelines should security professionals follow? (Choose all that apply.)
A: Integrate risk analysis and mitigation in the Software Development Life Cycle.
B: Use qualitative, quantitative, and hybrid risk analysis approaches based on standardized risk analysis methods.
C: Track and manage weaknesses that are discovered throughout risk assessment, change management, and continuous monitoring.
D: Encapsulate data to make it easier to apply the appropriate policies to objects.
- Integrate risk analysis and mitigation in the Software Development Life Cycle.
- Use qualitative, quantitative, and hybrid risk analysis approaches based on standardized risk analysis methods.
- Track and manage weaknesses that are discovered throughout risk assessment, change management, and continuous monitoring.
Question ID: CISSP-2018-CQ-08-014
Question: Which of the following are valid guidelines for providing API security? (Choose all that apply.)
A: Use the same security controls for APIs as any web application on the enterprise.
B: Use Hash-based Message Authentication Code (HMAC).
C: Use encryption when passing static keys.
D: Implement password encryption instead of single key-based authentication.
- Use the same security controls for APIs as for any web application on the enterprise.
- Use Hash-based Message Authentication Code (HMAC).
- Use encryption when passing static keys.
- Use a framework or an existing library to implement security solutions for APIs.
- Implement password encryption instead of single key-based authentication.
Question ID: CISSP-2018-CQ-08-015
Question: Which of the following is NOT one of the four phases of acquiring software?
A: Planning
B: Contracting
C: Development
D: Monitoring and accepting
1. Planning: During this phase, the organization performs a needs assessment, develops the software requirements, creates the acquisition strategy, and develops evaluation criteria and plan.
2. Contracting: Once planning is complete, the organization creates a request for proposal (RFP) or other supplier solicitation forms, evaluates the supplier proposals, and negotiates the final contract with the selected seller.
3. Monitoring and accepting: When a contract is in place, the organization establishes the contract work schedule, implements change control procedures, and reviews and accepts the software deliverables.
4. Follow-up: When the software is in place, the organization must sustain the software, including managing risks and changes. At some point, it may be necessary for the organization to decommission the software.
Question ID: CISSP-2018-RA-01-1-061
Question: Which term is used for an instance of being subjected to losses from a threat?
A: Safeguard
B: Vulnerability
C: Exposure
D: Trigger
Question ID: CISSP-2018-RA-01-1-062
Question: Which term is used for an event that indicates that a risk has occurred or is about to occur?
A: Safeguard
B: Vulnerability
C: Exposure
D: Trigger
Question ID: CISSP-2018-RA-01-1-063
Question: What are the detailed instructions used to accomplish a task or a goal?
A: Procedures
B: Standards
C: Guidelines
D: Baselines
Question ID: CISSP-2018-RA-01-1-064
Question: What are the mandated rules that govern the acceptable level of security?
A: Procedures
B: Standards
C: Guidelines
D: Baselines
Question ID: CISSP-2018-RA-01-1-065
Question: Which of the following is a process management development standard?
A: NIST SP 800-53
B: Zachman framework
C: ITIL
D: ISO 27000
Question ID: CISSP-2018-RA-01-1-066
Question: Which of the following is a security program development standard?
A: NIST SP 800-53
B: Zachman framework
C: ITIL
D: ISO 27000
Question ID: CISSP-2018-RA-01-1-067
Question: During which stage of the security program life cycle do you obtain management approval?
A: Plan and Organize
B: Implement
C: Operate and Maintain
D: Monitor and Evaluate
Question ID: CISSP-2018-RA-01-1-068
Question: During which stage of the security program life cycle do you identify assets?
A: Plan and Organize
B: Implement
C: Operate and Maintain
D: Monitor and Evaluate
Question ID: CISSP-2018-RA-01-1-069
Question: When designing the security awareness training for your organization, which group needs its training to focus on the risk to the organization and the laws and regulations that affect the organization?
A: Technical staff
B: Regular staff
C: Senior management
D: Middle management
Question ID: CISSP-2018-RA-01-1-070
Question: When designing the security awareness training for your organization, which group needs its training to focus on the policies, standards, baselines, guidelines, and procedures that affect security?
A: Technical staff
B: Regular staff
C: Senior management
D: Middle management
Question ID: CISSP-2018-RA-01-1-081
Question: Which business continuity document considers all aspects that are affected by a disaster, including functions, systems, personnel, and facilities, and lists and prioritizes the services that are needed?
A: BIA
B: Contingency plan
C: BCP
D: DRP
Question ID: CISSP-2018-RA-01-1-082
Question: Which business continuity document is implemented when the emergency occurs and includes the steps to restore functions and systems?
A: BIA
B: Contingency plan
C: BCP
D: DRP
Question ID: CISSP-2018-RA-01-1-083
Question: As part of the process of conducting a business impact analysis (BIA), you are creating a list of all the business assets. Which step of the BIA are you performing?
A: Identify critical processes and resources.
B: Identify resource requirements.
C: Identify outage impacts, and estimate downtime.
D: Identify recovery priorities.
Question ID: CISSP-2018-RA-01-1-084
Question: As part of the process of conducting a business impact analysis (BIA), you document the device name, operating system or platform version, hardware requirements, and device interrelationships of all devices. Which step of the BIA are you performing?
A: Identify critical processes and resources.
B: Identify resource requirements.
C: Identify outage impacts, and estimate downtime.
D: Identify recovery priorities.
Question ID: CISSP-2018-RA-01-1-092
Question: You are responsible for investigating all computer crime that occurs against your organization. What is the biggest hindrance to your investigations?
A: Computer criminals employ more sophisticated tools than computer investigators.
B: Computer crime has no borders or jurisdictions.
C: Fighting computer crime is often underfunded.
D: Most computer crime cannot be prosecuted.
Question ID: CISSP-2018-RA-01-1-101
Question: Which of the following statements regarding the CIA triad are TRUE?
A: Confidentiality ensures that data is not disclosed to unauthorized entities.
B: The opposite of integrity is corruption.
C: Availability ensures that data is accessible when it is needed.
D: Statements a and b only
E: Statements b and c only
F: All the statements
G: None of the statements
Question ID: CISSP-2018-RA-01-1-102
Question: What are the three main concepts for the security of information assets?
A: Confidentiality, integrity, and availability
B: Confidentiality, integrity, and authentication
C: Confidentiality, integrity, and accountability
D: Risks, threats, and vulnerabilities
Question ID: CISSP-2018-RA-01-1-103
Question: Your organization has recently decided to develop a comprehensive security program. The security program has been authorized by management. What is the first step in this process?
A: Define the scope of the security program.
B: Identify the assets that require protection.
C: Determine the level of protection each asset needs.
D: Determine the responsibilities of personnel.
E: Develop consequences for noncompliance.
Question ID: CISSP-2018-RA-01-1-104
Question: Your organization has put all policies, procedures, and standards into place as a result of a security audit. Which security tenet did the organization fulfill by doing this?
A: Due care
B: Due diligence
C: Confidentiality
D: Integrity
Question ID: CISSP-2018-RA-01-1-105
Question: When an organization fails to do all it can to protect its employees’ PII, it has exhibited which concept?
A: Due care
B: Due diligence
C: REP
D: Negligence
Question ID: CISSP-2018-RA-01-1-107
Question: You are the security analyst for a healthcare provider. You need to ensure that your company complies with all governmental laws and regulations. Which of the following must you consider as part of your security plan?
A: HIPAA
B: DoDAF
C: MODAF
D: SOX
Question ID: CISSP-2018-RA-01-1-108
Question: Which document is an agreement between a software vendor and a business customer, such as a company or organization, specifying terms of use?
A: Software license agreement
B: End user license agreement
C: Nondisclosure agreement
D: Acceptable use policy
Question ID: CISSP-2018-RA-01-1-109
Question: Which document is an agreement between a software vendor and the home computer owner?
A: Software license agreement
B: End user license agreement
C: Nondisclosure agreement
D: Acceptable use policy
Question ID: CISSP-2018-RA-01-1-110
Question: Which statement BEST describes the Internet Architecture Board (IAB)?
A: It maintains an ethics-related statement concerning the use of the Internet.
B: It is a group dedicated to making the Internet better.
C: It develops standards for new technologies, including wireless.
D: It is responsible for the allocation of IP addresses and management of DNS.
Question ID: CISSP-2018-RA-01-1-111
Question: Which statement BEST describes the Internet Engineering Task Force (IETF)?
A: It maintains an ethics-related statement concerning the use of the Internet.
B: It is a group dedicated to making the Internet better.
C: It develops standards for new technologies, including wireless.
D: It is responsible for the allocation of IP addresses and management of DNS.
Question ID: CISSP-2018-RA-01-1-112
Question: Which of the following statements regarding security policies are TRUE?
A: An organizational security policy must be supported by all stakeholders.
B: An organizational security policy must be established by management.
C: An organizational security policy should be reviewed on a regular basis.
D: An organizational security policy should control the business objectives.
E: Statements a, b, and c only
F: Statements b, c, and d only
G: All the statements
Question ID: CISSP-2018-RA-01-1-113
Question: Which of the following is NOT an issue-specific policy?
A: E-mail retention policy
B: Auditing policy
C: File server logout policy
D: Acceptable use policy
E: Statements a, b, and c only
F: Statements a, c, and d only
G: All the statements
Question ID: CISSP-2018-RA-01-1-114
Question: You have been asked to develop the business continuity plan and scope. You are working with a team with members from each organizational department. The team has a list of different scenarios that may require the development of a disaster recovery plan. Which of the following scenarios is NOT important as part of this plan?
A: Hardware failure
B: Employee termination
C: Natural disaster
D: Hardware relocation
E: Statements a and c
F: Statements b and d
G: All the statements
Question ID: CISSP-2018-RA-01-1-115
Question: You are assembling the business continuity project scope and plan. Which of the following guidelines should you NOT consider?
A: The business continuity team should include members from all organizational departments.
B: The business continuity plan should consider all aspects of the organization.
C: Senior management should endorse any business continuity plan that is adopted.
D: The scope of the project should be properly defined first.
E: None of the statements
F: All the statements
Question ID: CISSP-2018-RA-01-1-116
Question: What is the first step of business continuity?
A: Develop the contingency plan.
B: Develop recovery strategies.
C: Identify preventative controls.
D: Develop the continuity planning policy statement.
Question ID: CISSP-2018-RA-01-1-117
Question: Which of the following should NOT be completed prior to hiring new personnel?
A: Education verification
B: Work history verification
C: Professional licensing verification
D: Employee training verification
E: None of the options
Question ID: CISSP-2018-RA-01-1-118
Question: Which of the following should NOT be included in the procedures for unfriendly personnel termination?
A: Security escort from the premises
B: System and facility access removal following the termination
C: Immediate seizure of all company assets
D: Statements a and b only
E: Statements b and c only
F: Statements a and c only
G: None of the statements
Question ID: CISSP-2018-RA-01-1-119
Question: Which of the following statements are TRUE regarding access control categories?
A: Corrective controls include data backups and fire extinguishers.
B: Detective controls include guards and audit logs.
C: Deterrent controls include NDAs and fencing.
D: Preventive controls include antivirus software and guards.
E: Statements a, b, and c only
F: Statements a, c, and d only
G: All the statements
Question ID: CISSP-2018-RA-01-1-120
Question: Which of the following statements regarding administrative controls are FALSE?
A: Detective administrative controls include job rotation and background checks.
B: Preventive administrative controls include personnel procedures and security awareness training.
C: Recovery administrative controls include disaster recovery plans and data backups.
D: Statements a and b only
E: Statements b and c only
F: All the statements
G: None of the statements
Question ID: CISSP-2018-RA-01-1-121
Question: Which statements regarding threat modeling are TRUE?
A: Threat modeling begins with understanding the systems that are implemented by the organization.
B: Identifying assets and access points is a critical step in the threat modeling process.
C: The final step is to identify the threats.
D: Statements a and b only
E: Statements b and c only
F: Statements a and c only
G: All the statements
Question ID: CISSP-2018-RA-01-1-122
Question: During threat modeling, organizations must identify access points that can be threatened. Which of the following access points should be identified?
A: Open sockets
B: Hardware ports
C: Trust boundaries
D: Statements a and b only
E: Statements b and c only
F: Statements a and c only
G: All the statements
Question ID: CISSP-2018-RA-01-1-123
Question: Threats are often classified into six categories: spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation of privilege. Which of these categories involves the changing of data to carry out an attack?
A: Spoofing
B: Tampering
C: Repudiation
D: Information disclosure
E: Denial-of-service
F: Escalation of privilege
Question ID: CISSP-2018-RA-01-1-124
Question: Threats are often classified into six categories: spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation of privilege. Which of these categories involves being unable to prove that a user carried out a certain action?
A: Spoofing
B: Tampering
C: Repudiation
D: Information disclosure
E: Denial-of-service
F: Escalation of privilege
Question ID: CISSP-2018-RA-01-1-125
Question: Threats are often classified into six categories: spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation of privilege. Which of these categories involves using another person’s credentials to access an organization’s assets?
A: Spoofing
B: Tampering
C: Repudiation
D: Information disclosure
E: Denial-of-service
F: Escalation of privilege
Question ID: CISSP-2018-RA-01-1-126
Question: Threats are often classified into six categories: spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation of privilege. Which of these categories involves a valid user being denied access to an asset that they can normally access?
A: Spoofing
B: Tampering
C: Repudiation
D: Information disclosure
E: Denial-of-service
F: Escalation of privilege
Question ID: CISSP-2018-RA-01-1-127
Question: Threats are often classified into six categories: spoofing, tampering, repudiation, information disclosure, denial-of-service, and elevation of privilege. Which of these categories occurs when a user has obtained read-and-write permissions to an asset that the user should only be able to read?
A: Spoofing
B: Tampering
C: Repudiation
D: Information disclosure
E: Denial-of-service
F: Escalation of privilege
Question ID: CISSP-2018-RA-01-1-128
Question: Why is it important to audit a third party’s access to internal resources?
A: To determine the level of access needed by the third party
B: To determine third-party compliance with organizational security policies and standards
C: To determine if appropriate and inappropriate actions are being carried out by third-party personnel
D: To document the guidelines that the third party will follow
Question ID: CISSP-2018-RA-01-1-129
Question: At which time should new personnel be given security awareness training?
A: At termination
B: At hiring
C: At the next regularly scheduled session
D: After completing the probation period
Question ID: CISSP-2018-RA-01-1-130
Question: What is the main focus of security awareness training?
A: How security is implemented
B: Why security is important
C: Who implements security
D: When security is important
Question ID: CISSP-2018-RA-01-2-003
Question: A governmental agency decides that it must digitally sign certain e-mail messages that are sent. Which tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Accountability
Question ID: CISSP-2018-RA-01-2-061
Question: Which term is used for a control designed to counteract a threat?
A: Safeguard
B: Vulnerability
C: Exposure
D: Trigger
Question ID: CISSP-2018-RA-01-2-062
Question: Which term is used for a flaw or weakness in the system, software, or hardware?
A: Safeguard
B: Vulnerability
C: Exposure
D: Trigger
Question ID: CISSP-2018-RA-01-2-063
Question: What are the actions that are suggested when standards are not applicable in a particular situation?
A: Procedures
B: Standards
C: Guidelines
D: Baselines
Question ID: CISSP-2018-RA-01-2-064
Question: What defines the minimum level of security or performance?
A: Procedures
B: Standards
C: Guidelines
D: Baselines
Question ID: CISSP-2018-RA-01-2-065
Question: Which of the following is a security controls development framework?
A: NIST SP 800-53
B: Zachman framework
C: ITIL
D: ISO 27000
Question ID: CISSP-2018-RA-01-2-066
Question: Which of the following is an enterprise architecture framework?
A: NIST SP 800-53
B: Zachman framework
C: ITIL
D: ISO 27000
Question ID: CISSP-2018-RA-01-2-067
Question: During which stage of the security program life cycle do you perform audits?
A: Plan and Organize
B: Implement
C: Operate and Maintain
D: Monitor and Evaluate
Question ID: CISSP-2018-RA-01-2-068
Question: During which stage of the security program life cycle do you review audit logs?
A: Plan and Organize
B: Implement
C: Operate and Maintain
D: Monitor and Evaluate
Question ID: CISSP-2018-RA-01-2-069
Question: When designing the security awareness training for your organization, which group needs its training to focus on configuring and maintaining security controls, including how to recognize an attack when it occurs?
A: Technical staff
B: Regular staff
C: Senior management
D: Middle management
Question ID: CISSP-2018-RA-01-2-070
Question: When designing the security awareness training for your organization, which group needs its training to focus on its responsibilities regarding security so that it performs its day-to-day tasks in a secure manner?
A: Technical staff
B: Regular staff
C: Senior management
D: Middle management
Question ID: CISSP-2018-RA-01-2-081
Question: Which business continuity document is a functional analysis that lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization?
A: BIA
B: Contingency plan
C: BCP
D: DRP
Question ID: CISSP-2018-RA-01-2-082
Question: Which business continuity document provides instruction on what personnel should do until the functions and systems are restored to full functionality?
A: BIA
B: Contingency plan
C: BCP
D: DRP
Question ID: CISSP-2018-RA-01-2-083
Question: As part of the process of conducting a business impact analysis (BIA), you perform the MTD, MTTR, and MTBF calculations. Which step of the BIA are you performing?
A: Identify critical processes and resources.
B: Identify resource requirements.
C: Identify outage impacts, and estimate downtime.
D: Identify recovery priorities.
Question ID: CISSP-2018-RA-01-2-084
Question: As part of the process of conducting a business impact analysis (BIA), you take into account all the recovery calculations to produce a recovery hierarchy. Which step of the BIA are you performing?
A: Identify critical processes and resources.
B: Identify resource requirements.
C: Identify outage impacts, and estimate downtime.
D: Identify recovery priorities.
Question ID: CISSP-2018-RA-01-2-091
Question: What is the Patriot Act?
A: A United States law established in 2001 to reduce restrictions on the searches of telephone, e-mail communications, medical, financial, and other records
B: A type of attack that involves attempting to exploit or corrupt an enemy's information to gain military or economic advantage
C: A United States government program that reduces electronic equipment emanations
D: The U.S. government entity responsible for dealing with federal computer security incidents that occur in civilian agencies
Question ID: CISSP-2018-RA-01-2-092
Question: What is information warfare?
A: A United States law established in 2001 to reduce restrictions on the searches of telephone, e-mail communications, medical, financial, and other records
B: A type of attack that involves attempting to exploit or corrupt an enemy's information to gain military or economic advantage
C: A United States government program that reduces electronic equipment emanations
D: The U.S. government entity responsible for dealing with federal computer security incidents that occur in civilian agencies
Question ID: CISSP-2018-RA-01-2-101
Question: The company you work for has decided to implement a server farm for the company’s databases. Which security tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Accountability
Question ID: CISSP-2018-RA-01-2-102
Question: Your company decides to implement hashing to ensure that several crucial files are not changed. Which security tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Accountability
Question ID: CISSP-2018-RA-01-2-103
Question: Your organization performs the appropriate audits and assessments to ensure that the organization is protected. Which security tenet did the organization fulfill by doing this?
A: Due care
B: Due diligence
C: Confidentiality
D: Integrity
Question ID: CISSP-2018-RA-01-2-104
Question: Which approach is recommended for an information security program?
A: Centralized
B: Decentralized
C: Top-down
D: Bottom-up
Question ID: CISSP-2018-RA-01-2-105
Question: Which of the following is information that can be used to identify an employee?
A: REP
B: PCI DSS
C: PII
D: AUP
Question ID: CISSP-2018-RA-01-2-106
Question: Which legislation requires that all assets of the organization, whether substantial or not, be protected?
A: Computer Security Act of 1987
B: Economic Espionage Act of 1996
C: Privacy Act of 1974
D: European Union Principles on Privacy
Question ID: CISSP-2018-RA-01-2-107
Question: Which type of law applies to offenders who violate government laws meant to protect the public?
A: Criminal law
B: Copyright law
C: Administrative law
D: Civil law
Question ID: CISSP-2018-RA-01-2-108
Question: Which type of law governs the payment of compensation and fines without sentencing the offenders to jail?
A: Criminal law
B: Copyright law
C: Administrative law
D: Civil law
Question ID: CISSP-2018-RA-01-2-109
Question: What term describes the extent of liability that exists for not exercising due care and diligence?
A: Legal liability
B: Residual risk
C: Downstream liability
D: Total risk
Question ID: CISSP-2018-RA-01-2-110
Question: Which statement BEST describes the Institute of Electrical and Electronics Engineers (IEEE)?
A: It maintains an ethics-related statement concerning the use of the Internet.
B: It is a group dedicated to making the Internet better.
C: It develops standards for new technologies, including wireless.
D: It is responsible for the allocation of IP addresses and management of DNS.
Question ID: CISSP-2018-RA-01-2-111
Question: Which statement BEST describes the Internet Corporation for Assigned Names and Numbers (ICANN)?
A: It maintains an ethics-related statement concerning the use of the Internet.
B: It is a group dedicated to making the Internet better.
C: It develops standards for new technologies, including wireless.
D: It is responsible for the allocation of IP addresses and management of DNS.
Question ID: CISSP-2018-RA-01-2-112
Question: Which of the following is a system-specific policy?
A: Database server security policy
B: Acceptable use policy
C: Auditing policy
D: Personnel hiring/termination policy
Question ID: CISSP-2018-RA-01-2-113
Question: Which of the following is mandatory?
A: Regulatory policy
B: Advisory policy
C: Informative policy
D: Guidelines
Question ID: CISSP-2018-RA-01-2-114
Question: Which of the following activities does NOT occur during the initiation stage of the business continuity program?
A: Obtain senior management support.
B: Define the project scope.
C: Define the project objectives.
D: Conduct the business impact analysis.
Question ID: CISSP-2018-RA-01-2-115
Question: Which entity is ultimately responsible for approving the business continuity scope and plan?
A: Project manager
B: BCP team
C: Senior management
D: Department managers
Question ID: CISSP-2018-RA-01-2-116
Question: Your team has developed the business continuity scope and plan that will be presented to management for approval. You have been asked to provide a business case to prove the need for the scope and plan. Which of the following should you NOT give in this scenario?
A: Natural disasters
B: Utility disruption
C: Legal requirements
D: Competitive advantage
Question ID: CISSP-2018-RA-01-2-117
Question: Which agreements normally apply to personnel even after they are no longer employed by the organization?
A: NDAs
B: Noncompete clauses
C: Code of conduct
D: Ethics agreement
E: Statements a and b only
F: Statements b and c only
G: None of the statements
Question ID: CISSP-2018-RA-01-2-118
Question: Which agreements normally apply to personnel only while they are employed by the organization?
A: NDAs
B: Noncompete clauses
C: Code of conduct
D: Ethics agreement
E: Statements a and b only
F: Statements c and d only
G: None of the statements
Question ID: CISSP-2018-RA-01-2-119
Question: After assessing your organization and its security needs, you make several recommendations to management. Management decides to implement most of your recommendations. However, they feel that one of your recommendations is too expensive to implement. Management comes up with an alternative recommendation that is less expensive. This is an example of which type of control?
A: Corrective
B: Deterrent
C: Preventive
D: Compensative
Question ID: CISSP-2018-RA-01-2-120
Question: After assessing your organization and its security needs, you make several recommendations regarding security training for personnel. Management decides to adopt all the security training recommendations. Of which type of control are these recommendations an example?
A: Administrative
B: Technical
C: Physical
D: Recovery
Question ID: CISSP-2018-RA-01-2-121
Question: As part of your company’s comprehensive security program, the security auditor periodically reviews the audit logs to determine if any new controls need to be implemented. This is an example of which type of control?
A: Administrative control
B: Technical control
C: Physical control
D: Detective control
E: Preventive control
F: Recovery control
G: Statements b and d only
H: Statements a and e only
I: Statements c and f only
Question ID: CISSP-2018-RA-01-2-122
Question: Because security-in-depth has been adopted as a goal of your company, a security analyst was hired to complete a security audit. During the audit, the security analyst recommended that your company periodically create server images for storage at an offsite location. Of which type of controls are these images?
A: Administrative control
B: Technical control
C: Physical control
D: Corrective control
E: Preventive control
F: Recovery control
G: Statements b and d only
H: Statements a and e only
I: Statements c and f only
Question ID: CISSP-2018-RA-01-2-123
Question: Because security-in-depth has been adopted as a goal of your company, a security analyst was hired to complete a security audit. During the audit, the security analyst suggests that your company adopt a companywide security policy. Of which type of controls is this policy?
A: Administrative control
B: Technical control
C: Physical control
D: Corrective control
E: Preventive control
F: Recovery control
G: Statements b and d only
H: Statements a and e only
I: Statements c and f only
Question ID: CISSP-2018-RA-01-2-124
Question: Because security-in-depth has been adopted as a goal of your company, a security analyst was hired to complete a security audit. During the audit, the security analyst suggests that your company’s data center be protected by implementing biometrics. Of which type of controls is this data center protection?
A: Administrative control
B: Technical control
C: Physical control
D: Corrective control
E: Preventive control
F: Recovery control
G: Statements b and d only
H: Statements a and f only
I: Statements c and e only
Question ID: CISSP-2018-RA-01-2-125
Question: Because security-in-depth has been adopted as a goal of your company, a security analyst was hired to complete a security audit. During the audit, the security analyst suggests that your company implement job rotation in several departments. Of which type of controls is this personnel policy?
A: Administrative control
B: Technical control
C: Physical control
D: Corrective control
E: Preventive control
F: Recovery control
G: Statements b and d only
H: Statements a and f only
I: Statements c and e only
Question ID: CISSP-2018-RA-01-2-126
Question: Which framework gives guidelines on how to develop and maintain an information security management system?
A: Zachman Framework
B: ISO/IEC 27000
C: NIST SP 800-53
D: ITIL
Question ID: CISSP-2018-RA-01-2-127
Question: Which framework is an enterprise architecture framework that uses a two-dimensional classification system based on six communication questions (What, Where, When, Why, Who, and How) that intersect with different views (Planner, Owner, Designer, Builder, Subcontractor, and Actual System)?
A: Zachman Framework
B: ISO/IEC 27000
C: NIST SP 800-53
D: ITIL
Question ID: CISSP-2018-RA-01-2-128
Question: Which of the following should be considered as part of any third-party governance?
A: On-site assessment
B: Policy review
C: Document exchange
D: Document review
E: Statements a, b, and c only
F: All the statements
Question ID: CISSP-2018-RA-01-2-129
Question: Which of the following is NOT included in the security awareness training provided to nonspecialized personnel?
A: Organizational security policies
B: Social engineering issues
C: Laws that affect the organization’s security practices
D: Data classification
Question ID: CISSP-2018-RA-01-2-130
Question: Which of the following statements regarding security awareness training are FALSE?
A: The security awareness training should explain the organizational security policy.
B: The security awareness training should explain how the organizational security policy affects personnel and their roles in the organization.
C: The security awareness training should give the penalties for noncompliance with the organizational security policy.
D: The security awareness training should only be given to non-managerial personnel.
E: Statements a and d only
F: Statements b and d only
G: Statements c and d only
Question ID: CISSP-2018-RA-01-3-001
Question: Your organization implements hard drive encryption on a file server. Which security tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Accountability
Question ID: CISSP-2018-RA-01-3-002
Question: The security administrator at your company suggests that auditing is configured on all servers. Management decides to make this part of the company’s security policy. Which tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Accountability
Question ID: CISSP-2018-RA-01-3-004
Question: A company decides to implement a redundant network backbone. Which tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-3-005
Question: Which components act as limiting factors on an organization’s security function?
A: Budget
B: Metrics
C: Resources
D: Skills and abilities
E: Statements a, b, and c only
F: All the statements
Question ID: CISSP-2018-RA-01-3-006
Question: Which group of users poses the greatest threat to an organization’s security?
A: Hackers
B: Hacktivists
C: Internal users
D: Guests
Question ID: CISSP-2018-RA-01-3-007
Question: Which security model is a framework in addition to a methodology in that it prescribes the processes to follow to build and maintain the architecture?
A: SABSA
B: TOGAF
C: Zachman Framework
D: ISO/IEC 27000
E: COBIT
Question ID: CISSP-2018-RA-01-3-008
Question: Which security model is a two-dimensional model that intersects communication interrogatives with various viewpoints?
A: SABSA
B: TOGAF
C: Zachman Framework
D: ISO/IEC 27000
E: COBIT
Question ID: CISSP-2018-RA-01-3-009
Question: Which security model calls for an Architectural Development Method (ADM) that employs an iterative process?
A: SABSA
B: TOGAF
C: Zachman Framework
D: ISO/IEC 27000
E: COBIT
Question ID: CISSP-2018-RA-01-3-010
Question: Which laws should be consulted to determine the types of employee monitoring that are permissible?
A: State
B: Local
C: County
D: Federal
Question ID: CISSP-2018-RA-01-3-011
Question: Which type of law grants the right to control either the distribution or the reproduction of a work?
A: Criminal law
B: Copyright law
C: Administrative law
D: Civil law
Question ID: CISSP-2018-RA-01-3-012
Question: What term describes risk that remains after implementing countermeasures?
A: Legal liability
B: Residual risk
C: Downstream liability
D: Total risk
Question ID: CISSP-2018-RA-01-3-013
Question: Which type of law ensures that companies and individuals adhere to regulatory standards?
A: Criminal law
B: Copyright law
C: Administrative law
D: Civil law
Question ID: CISSP-2018-RA-01-3-014
Question: What concept ensures that organizations working together under a contract are responsible for their information security management and the security controls deployed by each organization?
A: Legal liability
B: Residual risk
C: Downstream liability
D: Total risk
Question ID: CISSP-2018-RA-01-3-015
Question: Which legislation requires appropriate training of system users or owners where the systems house sensitive information?
A: Computer Security Act of 1987
B: Economic Espionage Act of 1996
C: Privacy Act of 1974
D: European Union Principles on Privacy
Question ID: CISSP-2018-RA-01-3-016
Question: Which legislation affects financial institutions?
A: GLBA
B: CFAA
C: HIPAA
D: SOX
Question ID: CISSP-2018-RA-01-3-017
Question: Which legislation states that the data gathered for private individuals should be used only for the purpose for which it is collected?
A: Computer Security Act of 1987
B: Economic Espionage Act of 1996
C: Privacy Act of 1974
D: European Union Principles on Privacy
Question ID: CISSP-2018-RA-01-3-018
Question: Which of the following regulations applies to “protected computers”?
A: SOX
B: HIPAA
C: GLBA
D: Computer Fraud and Abuse Act
Question ID: CISSP-2018-RA-01-3-019
Question: Which of the following was the first law written to require a formal computer security plan?
A: CFAA
B: ECPA
C: Federal Privacy Act of 1974
D: FISA
E: Computer Security Act of 1987
Question ID: CISSP-2018-RA-01-3-020
Question: Which of the following laws provides guidelines to prevent sentencing disparities that existed across the United States?
A: Economic Espionage Act of 1996
B: Communications Assistance for Law Enforcement Act (CALEA) of 1994
C: Personal Information Protection and Electronic Documents Act (PIPEDA)
D: United States Federal Sentencing Guidelines of 1991
E: Federal Information Security Management Act (FISMA) of 2002
F: Payment Card Industry Data Security Standard (PCI DSS)
Question ID: CISSP-2018-RA-01-3-021
Question: As a security professional, you must adhere to the Codes of Ethics of many organizations, including (ISC)2. If any guidelines within the different Codes of Ethics contradict each other, which Code of Ethics should take precedence?
A: The Code of Ethics that you agreed to adhere to first
B: The Code of Ethics that you agreed to adhere to last
C: The most restrictive guidelines in the Code of Ethics
D: The least restrictive guidelines in the Code of Ethics
Question ID: CISSP-2018-RA-01-3-022
Question: Which of the following is NOT a part of the (ISC)² Code of Ethics?
A: Act honorably and justly.
B: Work diligently to provide competent service.
C: Comply with the letter of the law.
D: Avoid conflicts of interest.
Question ID: CISSP-2018-RA-01-3-023
Question: Which of the following organizations issues ethics-related statements concerning the use of the Internet?
A: IEEE
B: IAB
C: IANA
D: CSIRT
Question ID: CISSP-2018-RA-01-3-024
Question: Which RFC is called Ethics and the Internet?
A: RFC 1087
B: RFC 2010
C: RFC 1589
D: RFC 1150
Question ID: CISSP-2018-RA-01-3-025
Question: The (ISC)² Code of Ethics includes which of the following behaviors for a CISSP?
A: Behavioral
B: Physical
C: Control
D: Detection
Question ID: CISSP-2018-RA-01-3-026
Question: What is the purpose of a baseline?
A: To provide the steps necessary to achieve security
B: To assess the security state
C: To provide all the detailed actions that personnel are required to follow
D: To provide recommended actions to carry out under certain conditions
Question ID: CISSP-2018-RA-01-3-027
Question: What is the purpose of procedures?
A: To provide the steps necessary to achieve security
B: To assess the security state
C: To provide all the detailed actions that personnel are required to follow
D: To provide recommended actions to carry out under certain conditions
Question ID: CISSP-2018-RA-01-3-028
Question: What is the purpose of guidelines?
A: To provide the steps necessary to achieve security
B: To assess the security state
C: To provide all the detailed actions that personnel are required to follow
D: To provide recommended actions to carry out under certain conditions
Question ID: CISSP-2018-RA-01-3-029
Question: What is the purpose of standards?
A: To provide the steps necessary to achieve security
B: To assess the security state
C: To provide all the detailed actions that personnel are required to follow
D: To provide recommended actions to carry out under certain conditions
Question ID: CISSP-2018-RA-01-3-030
Question: Which of the following should be included as part of the initial stage when developing the business continuity scope and plan?
A: Define roles.
B: Implement controls.
C: Develop recovery strategies.
D: Test the plan.
Question ID: CISSP-2018-RA-01-3-031
Question: Which of the following should you NOT consider while developing the business continuity scope?
A: Organizational policies
B: Laws
C: Risks
D: Industry standards
Question ID: CISSP-2018-RA-01-3-032
Question: Who is responsible for establishing the priorities of the goals outlined in the business continuity scope?
A: BCP team
B: BCP project manager
C: Business units
D: Senior management
Question ID: CISSP-2018-RA-01-3-033
Question: How often should an organization review the business continuity scope?
A: Monthly
B: Quarterly
C: Annually
D: When a significant change occurs in the organization
E: When a senior management member leaves the organization
F: Statements a and d only
G: Statements a, d, and e only
H: Statements c and d only
I: Statements c, d, and e only
Question ID: CISSP-2018-RA-01-3-034
Question: Which of the following is generally NOT performed as part of a background check?
A: Military record
B: Medical history
C: Immigration status check
D: Drug screening
E: Statements a and b only
F: Statements b and c only
Question ID: CISSP-2018-RA-01-3-035
Question: Which of the following password requirements does NOT strengthen password security?
A: Require that passwords are changed every 90 days.
B: Require that passwords consist of eight characters.
C: Require that passwords consist of uppercase and lowercase letters, numerals, and symbols.
D: Require that passwords consist of dictionary words.
Question ID: CISSP-2018-RA-01-3-036
Question: At which time should new personnel sign all agreements and contracts?
A: At termination
B: At hiring
C: At the annual employment anniversary
D: After completing the probation period
Question ID: CISSP-2018-RA-01-3-037
Question: At which time should personnel complete an exit interview?
A: At termination
B: At hiring
C: At the annual performance review
D: After completing the probation period
Question ID: CISSP-2018-RA-01-3-038
Question: On which personnel would an organization MOST likely need to obtain a credit report?
A: Human Resources personnel
B: Accounting personnel
C: Assembly line manager
D: IT personnel
Question ID: CISSP-2018-RA-01-3-039
Question: Which framework is a security controls development framework?
A: Zachman Framework
B: ISO/IEC 27000
C: NIST SP 800-53
D: ITIL
Question ID: CISSP-2018-RA-01-3-040
Question: Which framework is a process management development standard?
A: Zachman Framework
B: ISO/IEC 27000
C: NIST SP 800-53
D: ITIL
Question ID: CISSP-2018-RA-01-3-041
Question: Which model or framework is a process improvement approach that addresses three areas of interest: development, services, and acquisitions?
A: CMMI
B: Six Sigma
C: CobiT
D: DoDAF
Question ID: CISSP-2018-RA-01-3-042
Question: Which model or framework includes the DMAIC and DMADV methodologies?
A: CMMI
B: Six Sigma
C: CobiT
D: DoDAF
Question ID: CISSP-2018-RA-01-3-043
Question: Which model or framework uses a process model to subdivide IT into four domains: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME)?
A: CMMI
B: Six Sigma
C: CobiT
D: DoDAF
Question ID: CISSP-2018-RA-01-3-044
Question: Which model or framework organizes a set of products under four views: operational view (OV), system view (SV), technical standards view (TV), and all view (AV)?
A: CMMI
B: Six Sigma
C: CobiT
D: DoDAF
Question ID: CISSP-2018-RA-01-3-045
Question: Which framework is designed for use with the military?
A: DoDAF
B: MODAF
C: Zachman
D: TOGAF
E: Statements a and b only
F: All the statements
Question ID: CISSP-2018-RA-01-3-046
Question: Which enterprise architecture framework is based on four interrelated domains: technology, applications, data, and business?
A: TOGAF
B: DoDAF
C: MODAF
D: SABSA
Question ID: CISSP-2018-RA-01-3-047
Question: Which enterprise architecture framework uses the six communication questions (What, Where, When, Why, Who, and How) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?
A: TOGAF
B: DoDAF
C: MODAF
D: SABSA
Question ID: CISSP-2018-RA-01-3-048
Question: Which enterprise architecture framework organizes a set of products under four views: operational view (OV), system view (SV), technical standards view (TV), and all view (AV)?
A: TOGAF
B: DoDAF
C: MODAF
D: SABSA
Question ID: CISSP-2018-RA-01-3-049
Question: Your company has decided to hire a third party to assess the organization’s security issues. The personnel of this third party will need access to organizational assets both locally and remotely. What is the first step in properly establishing this relationship?
A: Perform a risk assessment on the third party’s network.
B: Establish a written security policy with the third party.
C: Provide access to internal resources for the third-party personnel.
D: Audit the third party’s access to internal resources.
Question ID: CISSP-2018-RA-01-3-050
Question: Why is it important to perform a risk assessment on a third party that will be remotely accessing internal resources?
A: To determine the level of access needed by the third party
B: To determine third party compliance with organizational security policies and standards
C: To determine if appropriate and inappropriate actions are being carried out by third-party personnel
D: To document the guidelines that the third party will follow
Question ID: CISSP-2018-RA-01-3-051
Question: A third party will be assessing your organization’s compliance with ISO/IEC guidelines for auditing. Which ISO/IEC 27000 Series standard should you reference?
A: 27007
B: 27005
C: 27033
D: 27034
Question ID: CISSP-2018-RA-01-3-052
Question: A third party will be assessing your organization’s compliance with ISO/IEC guidelines for risk management. Which ISO/IEC 27000 Series standard should you reference?
A: 27007
B: 27005
C: 27033
D: 27034
Question ID: CISSP-2018-RA-01-3-053
Question: A third party will be assessing your organization’s compliance with ISO/IEC guidelines for network security. Which ISO/IEC 27000 Series standard should you reference?
A: 27007
B: 27005
C: 27033
D: 27034
Question ID: CISSP-2018-RA-01-3-054
Question: A third party will be assessing your organization’s compliance with ISO/IEC guidelines for application security. Which ISO/IEC 27000 Series standard should you reference?
A: 27007
B: 27005
C: 27033
D: 27034
Question ID: CISSP-2018-RA-01-3-055
Question: You work for a telecommunications company that must comply with ISO/IEC standards. Which specific ISO/IEC 27000 Series standard should you reference for your industry?
A: 27011
B: 27015
C: 27037
D: 27799
Question ID: CISSP-2018-RA-01-3-056
Question: You work for a financial organization that must comply with ISO/IEC standards. Which specific ISO/IEC 27000 Series standard should you reference for your industry?
A: 27011
B: 27015
C: 27037
D: 27799
Question ID: CISSP-2018-RA-01-3-057
Question: You work for a financial organization that must comply with ISO/IEC standards for digital evidence identification, collection, acquisition, and preservation. Which specific ISO/IEC 27000 Series standard should you reference for your industry?
A: 27011
B: 27015
C: 27037
D: 27799
Question ID: CISSP-2018-RA-01-3-058
Question: You work for a healthcare organization that must comply with ISO/IEC standards. Which specific ISO/IEC 27000 Series standard should you reference for your industry?
A: 27011
B: 27015
C: 27037
D: 27799
Question ID: CISSP-2018-RA-01-3-059
Question: During a recent security audit, you discovered that the appropriate security patches have not been applied to an application. A hacker recently discovered this issue and, as a result, breached your network. You immediately update the application with all the latest security patches. Which aspect of this scenario is a control?
A: The update you performed
B: The audit you performed
C: The issue you discovered
D: The attack that occurred
Question ID: CISSP-2018-RA-01-3-060
Question: During a recent security audit, you discovered that the appropriate security patches have not been applied to an application. A hacker recently discovered this issue and, as a result, breached your network. You immediately update the application with all the latest security patches. Which aspect of this scenario is a vulnerability?
A: The update you performed
B: The audit you performed
C: The issue you discovered
D: The attack that occurred
Question ID: CISSP-2018-RA-01-3-061
Question: What should you identify first in a risk assessment performed according to NIST SP 800-30?
A: Assets and their value
B: Threats
C: Vulnerabilities
D: Likelihood
Question ID: CISSP-2018-RA-01-3-062
Question: What should you identify last in a risk assessment performed according to NIST SP 800-30?
A: Assets and their value
B: Risk
C: Vulnerabilities
D: Likelihood
Question ID: CISSP-2018-RA-01-3-063
Question: What should you identify immediately after the threats and vulnerabilities are determined during a risk assessment performed according to NIST SP 800-30?
A: Assets and their value
B: Risk
C: Likelihood
D: Impact
Question ID: CISSP-2018-RA-01-3-064
Question: Your organization has applied for approval by an industry governing agency. As part of this process, a third party will be reviewing all the policies and procedures that you have in place. What is the BEST description of the purpose of this review?
A: To document inaccuracies
B: To document performance metrics
C: To document service levels
D: To document compliance or noncompliance
Question ID: CISSP-2018-RA-01-3-065
Question: What is the most cost-effective way to enrich a security awareness program?
A: List penalties for noncompliance.
B: Create an award or recognition program.
C: Add an educational component.
D: Implement a security incident reporting mechanism.
Question ID: CISSP-2018-RA-01-4-001
Question: A company has a virtual private network (VPN) that employees use to remotely access company resources. The security administrator decides to mandate the use of IPSec on the VPN. Which tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-4-002
Question: A department manager requests that a RAID-5 array be implemented on a file server that contains data that is crucial to the department. Which tenet will this cover?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-4-003
Question: Recently, a hacker used a social engineering attack to discover the passwords of several users. Which security tenet was compromised as a result of this attack?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-4-004
Question: Recently, hackers successfully carried out a denial of service (DoS) attack against your company’s database. Which security tenet was compromised during this attack?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-4-005
Question: Several systems on your network have been infected with a virus. Which security tenet was compromised as a result of this infection?
A: Confidentiality
B: Integrity
C: Availability
D: Authentication
Question ID: CISSP-2018-RA-01-4-006
Question: Which security model establishes information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)?
A: SABSA
B: TOGAF
C: Zachman Framework
D: ISO/IEC 27000
E: COBIT
Question ID: CISSP-2018-RA-01-4-007
Question: Which security model is a set of control objectives used as a framework for IT governance?
A: SABSA
B: TOGAF
C: Zachman Framework
D: ISO/IEC 27000
E: COBIT
Question ID: CISSP-2018-RA-01-4-008
Question: When an organization has taken the necessary steps to protect the organization, its resources, and personnel, it has applied which security principle?
A: Due diligence
B: Due care
C: Job rotation
D: Separation of duties
Question ID: CISSP-2018-RA-01-4-009
Question: Which of the following concepts indicates that an organization properly investigated?
A: Chain of custody
B: Due diligence
C: Due care
D: Liability
Question ID: CISSP-2018-RA-01-4-010
Question: Who is ultimately responsible for the protection of private employee data on systems?
A: IT department
B: User
C: Manager
D: Security auditor
Question ID: CISSP-2018-RA-01-4-011
Question: Which of the following laws affects any entity that may engage in hacking of “protected computers”?
A: CFAA
B: ECPA
C: Federal Privacy Act of 1974
D: FISA
E: Computer Security Act of 1987
Question ID: CISSP-2018-RA-01-4-012
Question: Which of the following laws affects companies that have trade secrets?
A: Economic Espionage Act of 1996
B: Communications Assistance for Law Enforcement Act (CALEA) of 1994
C: Personal Information Protection and Electronic Documents Act (PIPEDA)
D: United States Federal Sentencing Guidelines of 1991
E: Federal Information Security Management Act (FISMA) of 2002
F: Payment Card Industry Data Security Standard (PCI DSS)
Question ID: CISSP-2018-RA-01-4-013
Question: Which of the following laws extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer?
A: CFAA
B: ECPA
C: Federal Privacy Act of 1974
D: FISA
E: Computer Security Act of 1987
Question ID: CISSP-2018-RA-01-4-014
Question: Which of the following laws requires federal agencies to develop, document, and implement an agency-wide information security program?
A: Economic Espionage Act of 1996
B: Communications Assistance for Law Enforcement Act (CALEA) of 1994
C: Personal Information Protection and Electronic Documents Act (PIPEDA)
D: United States Federal Sentencing Guidelines of 1991
E: Federal Information Security Management Act (FISMA) of 2002
F: Payment Card Industry Data Security Standard (PCI DSS)
Question ID: CISSP-2018-RA-01-4-015
Question: Which of the following laws gives procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between "foreign powers" and "agents of foreign powers"?
A: CFAA
B: ECPA
C: Federal Privacy Act of 1974
D: FISA
E: Computer Security Act of 1987
Question ID: CISSP-2018-RA-01-4-016
Question: Which of the following laws requires telecommunications carriers to modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities?
A: Economic Espionage Act of 1996
B: Communications Assistance for Law Enforcement Act (CALEA) of 1994
C: Personal Information Protection and Electronic Documents Act (PIPEDA)
D: United States Federal Sentencing Guidelines of 1991
E: Federal Information Security Management Act (FISMA) of 2002
F: Payment Card Industry Data Security Standard (PCI DSS)
Question ID: CISSP-2018-RA-01-4-017
Question: Which of the following laws affects any computer that contains records used by a federal agency?
A: CFAA
B: ECPA
C: Federal Privacy Act of 1974
D: FISA
E: Computer Security Act of 1987
Question ID: CISSP-2018-RA-01-4-018
Question: Which of the following regulations was written to prevent medical organizations from sharing patient healthcare information without consent?
A: SOX
B: HIPAA
C: GLBA
D: Basel II
Question ID: CISSP-2018-RA-01-4-019
Question: Which of the following laws affects private sector organizations that collect, use, and disclose personal information in the course of commercial business in Canada?
A: Economic Espionage Act of 1996
B: Communications Assistance for Law Enforcement Act (CALEA) of 1994
C: Personal Information Protection and Electronic Documents Act (PIPEDA)
D: United States Federal Sentencing Guidelines of 1991
E: Federal Information Security Management Act (FISMA) of 2002
F: Payment Card Industry Data Security Standard (PCI DSS)
Question ID: CISSP-2018-RA-01-4-020
Question: Which of the following regulations is built on three main pillars: minimum capital requirements, supervision, and market discipline?
A: SOX
B: HIPAA
C: GLBA
D: Basel II
Question ID: CISSP-2018-RA-01-4-021
Question: In which document is the phrase “Observe and abide by all contracts” found?
A: (ISC)² Code of Ethics
B: CEI commandments
C: RFC 1087
D: CIAC guidelines
Question ID: CISSP-2018-RA-01-4-022
Question: Which type of engineering is considered unethical?
A: Inverse
B: Compound
C: Reverse
D: Source