2. Which group is responsible for ensuring that systems are auditable and protected from excessive privileges?
A) compliance officers
B) access coordinators
C) security administrators
D) policy makers
Feedback: Pages 9 and 10
Points Earned: 0.0/7.0
Correct Answer(s): C
9. Which of the following groups help security development teams with risk analysis?
A) security testers
B) compliance officers
C) security consultants
D) security architects
Feedback: Pages 9 and 10
Points Earned: 0.0/7.0
Correct Answer(s): C
10. Information security is a discipline that manages which of the following? (Select all correct answers.)
A) technology
B) people
C) processes
D) organizations
Feedback: All of Chapter 1
Points Earned: 6.0/8.0
Correct Answer(s): A, B, C, D
11. Which of the following would make an individual seeking a career in network/info security more marketable?
A) CISSP certification
B) GIAC certification
C) evaluating virus and network protection products in a home lab
D) all of the above answers
Feedback: Pages 5 & 6
Points Earned: 0.0/7.0
Correct Answer(s): D
Chapter 2
1. A weakness in a system that may possibly be exploited is called a(n):
A) risk.
B) exposure.
C) vulnerability.
D) threat.
Feedback: Page 28
Points Earned: 0.0/8.0
Correct Answer(s): C
5. The three types of security controls that are necessary to secure a network or system are:
A) people, functions, and technology.
B) people, process, and technology.
C) technology, roles, and separation of duties.
D) separation of duties, processes, and people.
Feedback: Page 29
Points Earned: 0.0/8.0
Correct Answer(s): B
8. Making sure that data hasn't been changed unintentionally due to accident or malice is:
A) availability
B) auditability
C) integrity
D) confidentiality
Feedback: Page 22
Points Earned: 0.0/8.0
Correct Answer(s): C
10. Defense in Depth is needed to assure that which three mandatory activities are present in a security system?
A) prevention, response, and management
B) prevention, detection, and response
C) response, collection of evidence, and prosecution
D) prevention, response, and prosecution
Feedback: Page 23
Points Earned: 8.0/8.0
Correct Answer(s): B
11. Functional requirements describe:
A) quality assurance description and testing approach.
B) what a security system should do by design.
C) how to implement the system.
D) what controls a security system must implement.
Feedback: Page 26
Points Earned: 8.0/8.0
Correct Answer(s): B
Chapter 3
1. ISC2 was formed for which of the following purposes?
A) certifying industry professionals and practitioners in an international IS standard
B) all of the above
C) ensuring credentials are maintained, primarily through continuing education
D) maintaining a Common Body of Knowledge for network and information security
Feedback: See page 41.
Points Earned: 0.0/1.0
Correct Answer(s): B
Chapter 4
1. 24. Step-by-step directions to execute a specific security activity are referred to as a:
A) Standard
B) Guideline
C) Regulation
D) Procedure
Points Earned: 0.0/1.0
Correct Answer(s): D
3. What can be best defined as high-level statements, beliefs, goals, and objectives?
A) standards
B) guidelines
C) policies
D) procedures
Feedback: See page 61.
Points Earned: 0.0/1.0
Correct Answer(s): C
7. An effective security policy would not have which of the following characteristics?
A) specify areas of responsibility and authority
B) be understandable and supported by all stakeholders
C) include separations of duty
D) be designed for short to mid-term focus
Feedback: See pages 59-70.
Points Earned: 0.0/1.0
Correct Answer(s): D
13. A(n) ____________ policy might prescribe the need for information security and may delegate the creation and management of the program.
A) System-specific
B) Programme-level
C) Programme-framework
D) Issue-specific
Points Earned: 0.0/1.0
Correct Answer(s): B
14. What is the difference between advisory and regulatory security policies?
A) Regulatory policies are high-level policies, whereas advisory policies are very detailed.
B) Advisory policies are mandated and regulatory policies are not.
C) There are no differences between them.
D) Advisory policies provide recommendations.
Feedback: See pages 70 and 71.
Points Earned: 1.0/1.0
Correct Answer(s): D
15. 23. The supporting documents derived from policy statements include which of the following? Select all correct answers.
A) Regulations
B) Procedural maps
C) Standards and baselines
D) Guidelines
Points Earned: 1.0/1.0
Correct Answer(s): A, C, D
Chapter 5
1. Which Orange Book security rating introduces security labels?
A) B1
B) C2
C) B2
D) B3
Feedback: See page 99.
Points Earned: 1.0/1.0
Correct Answer(s): A
2. Which of the listed Orange Book ratings represent the highest security level?
A) F6
B) B1
C) C2
D) B2
Feedback: See page 99.
Points Earned: 0.0/1.0
Correct Answer(s): D
4. What can best be defined as the sum of protection mechanisms inside a computer, including hardware, firmware, and software?
A) security kernel
B) security perimeter
C) trusted system
D) trusted computing base
Feedback: See page 90.
Points Earned: 0.0/1.0
Correct Answer(s): D
10. Which of the following places the Orange Book classifications in order from most secure to least secure?
A) Division D, Division B, Division A, Division C
B) Division A, Division B, Division C, Division D
C) Division D, Division C, Division B, Division A
D) Division C, Division D, Division B, Division A
Feedback: See pages 98-101.
Points Earned: 0.0/1.0
Correct Answer(s): B
15. Which of the following choices describes a condition when RAM and secondary storage are used together?
A) real storage
B) primary storage
C) virtual storage
D) secondary storage
Feedback: See page 95.
Points Earned: 1.0/1.0
Correct Answer(s): C
Chapter 6
1. Which of the following would be considered a man-made disaster?
A) earthquake
B) wildcat strike
C) tornado
D) flooding caused by a hurricane
Points Earned: 1.0/1.0
Correct Answer(s): B
3. The scope definition of the BCP should include all of the following EXCEPT:
A) prioritizing critical business processes.
B) calculating the value and cost of continuing important business processes.
C) assessing the cost to the business if critical services are disrupted.
D) performing a dry run of emergency fire and medical evacuation procedures.
Feedback: See the bottom of page 127 and the top of page 128.
Points Earned: 0.0/1.0
Correct Answer(s): D
8. The BIA prioritizes systems for recovery and ____________ are at the top of the list.
A) Less critical systems
B) Mission-required systems
C) Mission-critical systems
D) Nice to have systems
Points Earned: 1.0/1.0
Correct Answer(s): C
10. Using multiple centers as a recovery site has what main disadvantage?
A) Services may be shared between in-house and outside services.
B) Processing is shared by multiple sites.
C) Multiple centers offer redundant processing.
D) Multiple centers are more difficult to administer than other types.
Feedback: See page 131.
Points Earned: 1.0/1.0
Correct Answer(s): D