CISSP.examcollection.premium.exam.1238q
Number: CISSP
Passing Score: 800
Time Limit: 120 min
File Version: 17.4
CISSP
Certified Information Systems Security Professional, Version 17.4
Sections
1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
Exam A

QUESTION 1
Which of the following issues is NOT addressed by Kerberos?
A. Availability
B. Confidentiality
C. Integrity
D. Authentication
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Kerberos is a trusted third-party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network from which a client requires services.
Kerberos addresses the confidentiality and integrity of information. It does not address availability.
Incorrect Answers:
B: Kerberos does address confidentiality.
C: Kerberos does address integrity.
D: Kerberos does address authentication.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 78

QUESTION 2
Which of the following statements is not listed within the 4 canons of the (ISC)2 Code of Ethics?
A. All information systems security professionals who are certified by (ISC)2 shall observe all contracts and agreements, express or implied.
B. All information systems security professionals who are certified by (ISC)2 shall render only those services for which they are fully competent and qualified.
C. All information systems security professionals who are certified by (ISC)2 shall promote and preserve public trust and confidence in information and systems.
D. All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the programs they write.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The social consequences of the programs that are written are not included in the (ISC)2 Code of Ethics Canons.
Note: The (ISC)2 Code of Ethics Canons are:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Incorrect Answers:
A: The (ISC)2 Code of Ethics Canons state that you should provide diligent and competent service to principals. This means that you should observe all contracts and agreements.
B: The (ISC)2 Code of Ethics Canons state that you should provide diligent and competent service to principals. This means that you should render only those services for which you are fully competent and qualified.
C: The (ISC)2 Code of Ethics Canons state that you should protect the necessary public trust and the infrastructure/systems.
References:
https://www.isc2.org/ethics/default.aspx?terms=code of ethics

QUESTION 3
Regarding codes of ethics covered within the (ISC)2 CBK, within which of them is the phrase "Discourage unsafe practice" found?
A. Computer Ethics Institute commandments
B. (ISC)2 Code of Ethics
C. Internet Activities Board's Ethics and the Internet (RFC1087)
D. CIAC Guidelines
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The (ISC)2 Code of Ethics includes the phrase "Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures."
Incorrect Answers:
A: The phrase "Discourage unsafe practice" is not included in the Computer Ethics Institute commandments. It is included in the (ISC)2 Code of Ethics.
C: The phrase "Discourage unsafe practice" is not included in RFC1087. It is included in the (ISC)2 Code of Ethics.
D: The phrase "Discourage unsafe practice" is not included in the CIAC Guidelines. It is included in the (ISC)2 Code of Ethics.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1064

QUESTION 4
Which of the following is NOT a factor related to Access Control?
A. integrity
B. authenticity
C. confidentiality
D. availability
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Authenticity is not a factor related to Access Control.
Access controls are security features that control how users and systems communicate and interact with other systems and resources.
Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
Incorrect Answers:
A: Integrity is a factor related to Access Control.
C: Confidentiality is a factor related to Access Control.
D: Availability is a factor related to Access Control.
References:
https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems

QUESTION 5
Which of the following is the correct set of assurance requirements for EAL 5?
A. Semiformally verified design and tested
B. Semiformally tested and checked
C. Semiformally designed and tested
D. Semiformally verified tested and checked
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The EAL 5 requirement is: Semiformally designed and tested. This is sought when developing specialized Targets of Evaluation for high-risk situations.
Incorrect Answers:
A: Semiformally verified design and tested is EAL 7, not EAL 5.
B: EAL 5 is not semiformally tested and checked. EAL 5 is semiformally designed and tested.
D: Semiformally verified tested and checked is similar to EAL 7, but it is not EAL 5.
References:
Tipton, Harold F. (Ed), Official (ISC)2 Guide to the CISSP CBK, 2nd Edition, CRC Press, New York, 2009, p. 668

QUESTION 6
Which of the following is needed for System Accountability?
A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools, user actions are recorded and can be used at a later date to verify what actions were performed.
Incorrect Answers:
B: Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.
C: Authorization is granting access to subjects; just because a subject has authorization does not hold the subject accountable for its actions.
D: Formal verification involves validating and testing highly trusted systems. It does not, however, involve System Accountability.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 203, 248-250, 402.

QUESTION 7
The major objective of system configuration management is which of the following?
A. System maintenance.
B. System stability.
C. System operations.
D. System tracking.
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Configuration Management is defined as the identification, control, accounting, and documentation of all changes that take place to system hardware, software, firmware, supporting documentation, and test results throughout the lifespan of the system.
A system should have baselines set pertaining to the system’s hardware, software, and firmware configuration. The configuration baseline will be tried and tested and known to be stable. Modifying the configuration settings of a system could lead to system instability.
System configuration management will help to ensure system stability by ensuring a consistent configuration across the systems.
Incorrect Answers:
A: System configuration management could aid system maintenance. However, this is not a major objective of system configuration management.
C: System configuration management will help to ensure system stability, which will help in system operations. However, system operations are not a major objective of system configuration management.
D: System tracking is not an objective of system configuration management.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 4

QUESTION 8
The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior for Internet users?
A. Writing computer viruses.
B. Monitoring data traffic.
C. Wasting computer resources.
D. Concealing unauthorized accesses.
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The IAB considers wasting resources (people, capacity, and computers) through purposeful actions unethical.
Note: The IAB considers the following acts unethical and unacceptable behavior:
Disrupting the intended use of the Internet
Wasting resources (people, capacity, and computers) through purposeful actions
Destroying the integrity of computer-based information
Compromising the privacy of others
Negligence in the conduct of Internet-wide experiments
Incorrect Answers:
A: The IAB list of unethical behavior for Internet users does not include writing computer viruses.
B: The IAB does not consider monitoring data traffic unethical.
D: The IAB list of unethical behavior for Internet users does not include concealing unauthorized accesses.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1076

QUESTION 9
A deviation from an organization-wide security policy requires which of the following?
A. Risk Acceptance
B. Risk Assignment
C. Risk Reduction
D. Risk Containment
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
A deviation from an organization-wide security policy is a ‘risk’.
Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it.
One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. In this question, if the deviation from an organization-wide security policy will remain, that is an example of risk acceptance.
Incorrect Answers:
B: Risk Assignment would be to transfer the risk. An example of this would be insurance, where the risk is transferred to the insurance company. A deviation from an organization-wide security policy does not require risk assignment.
C: Risk reduction would be to reduce the deviation from the organization-wide security policy. A deviation from an organization-wide security policy does not require risk reduction.
D: A deviation from an organization-wide security policy does not require risk containment; it requires acceptance of the risk posed by the deviation.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

QUESTION 10
Which of the following is the most important of the (ISC)2 Code of Ethics Canons?
A. Act honorably, honestly, justly, responsibly, and legally
B. Advance and protect the profession
C. Protect society, the commonwealth, and the infrastructure
D. Provide diligent and competent service to principals
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The first and most important statement of the (ISC)2 Code of Ethics Canons is to protect society, the common good, necessary public trust and confidence, and the infrastructure.
Incorrect Answers:
A: Act honorably, honestly, justly, responsibly, and legally is the second canon of the (ISC)2 Code of Ethics and less important than the first canon.
B: Advance and protect the profession is the fourth canon of the (ISC)2 Code of Ethics and less important than the first canon.
D: Provide diligent and competent service to principals is the third canon of the (ISC)2 Code of Ethics and less important than the first canon.
References:
https://www.isc2.org/ethics/default.aspx?terms=code of ethics

QUESTION 11
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Vulnerability coupled with an attack.
D. Threat coupled with a breach of security.
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Risk is defined as “the probability of a threat agent exploiting a vulnerability and the associated impact”.
The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs.
NIST developed a risk methodology, which is specific to IT threats and how they relate to information security risks. It lays out the following steps:
System characterization
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
Impact analysis
Risk determination
Control recommendations
Results documentation
Incorrect Answers:
A: Threat coupled with a breach is not the definition of risk.
C: Vulnerability coupled with an attack is not the definition of risk.
D: Threat coupled with a breach of security is not the definition of risk.
References:

QUESTION 12
Which of the following is considered the weakest link in a security system?
A. People
B. Software
C. Communications
D. Hardware
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Although society has evolved to be extremely dependent upon technology in the workplace, people are still the key ingredient to a successful company. But in security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by implementing preventive measures. These include hiring the most qualified individuals, performing background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved.
Incorrect Answers:
B: Software generally does what it is configured to do. It is not considered the weakest link in a security system.
C: It is easy to configure secure communications where they are required. Communications are not considered the weakest link in a security system.
D: Hardware generally does what it is configured to do. It is not considered the weakest link in a security system.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 126

QUESTION 13
Which one of the following represents an ALE calculation?
A. Single loss expectancy x annualized rate of occurrence.
B. Gross loss expectancy x loss frequency.
C. Actual replacement cost - proceeds of salvage.
D. Asset value x loss expectancy.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as:
ALE = SLE * ARO
where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.
Single loss expectancy is one instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
Incorrect Answers:
B: Gross loss expectancy and loss frequency are not terms used for calculations in Quantitative Risk Analysis.
C: Actual replacement cost and proceeds of salvage are not terms used for calculations in Quantitative Risk Analysis.
D: Asset value x loss expectancy is not the correct formula to calculate the Annualized Loss Expectancy (ALE).
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87

QUESTION 14
Which of the following is the best reason for the use of an automated risk analysis tool?
A. Much of the data gathered during the review cannot be reused for subsequent analysis.
B. Automated methodologies require minimal training and knowledge of risk analysis.
C. Most software tools have user interfaces that are easy to use and do not require any training.
D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses.
The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and benefits of the security countermeasures chosen.
Incorrect Answers:
A: The gathered data can be reused, greatly reducing the time required to perform subsequent analyses.
B: Training and knowledge of risk analysis are still required when using automated risk analysis tools.
C: Training is still required when using automated risk analysis tools even if the user interface is easy to use.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 86

QUESTION 15
How is Annualized Loss Expectancy (ALE) derived from a threat?
A. ARO x (SLE - EF)
B. SLE x ARO
C. SLE/EF
D. AV x EF
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as:
ALE = SLE * ARO
where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.
Single loss expectancy is one instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
Incorrect Answers:
A: ARO x (SLE - EF) is not the correct formula for calculating the Annualized Loss Expectancy (ALE).
C: SLE/EF is not the correct formula for calculating the Annualized Loss Expectancy (ALE).
D: AV x EF is the formula for SLE, not the Annualized Loss Expectancy (ALE).
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87

QUESTION 16
What does "residual risk" mean?
A. The security risk that remains after controls have been implemented
B. Weakness of an asset which can be exploited by a threat
C. Risk that remains after risk assessment has been performed
D. A security risk intrinsic to an asset being audited, where no mitigation has taken place.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. No system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.
Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard.
There is an important difference between total risk and residual risk and which type of risk a company is willing to accept. The following are conceptual formulas:
threats × vulnerability × asset value = total risk
(threats × vulnerability × asset value) × controls gap = residual risk
You may also see these concepts illustrated as the following:
total risk – countermeasures = residual risk
Incorrect Answers:
B: The weakness of an asset which can be exploited by a threat is not the definition of residual risk.
C: Risk that remains after risk assessment has been performed (with no countermeasures in place) is total risk, not residual risk.
D: A security risk intrinsic to an asset being audited, where no mitigation has taken place, is the total risk of the asset, not residual risk.
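The quantitative figures that questions 13, 15 and 16 define (SLE = AV × EF, ALE = SLE × ARO, residual risk = total risk − countermeasures) and the cost/benefit decision behind risk acceptance in question 9 can be carried through in a few lines. The following is an added example and is not part of the exam dump or of any reference it cites; every asset value, exposure factor, occurrence rate and control cost is a constructed figure, and the countermeasure names are hypothetical.

```python
"""Quantitative risk figures from the CISSP risk-analysis explanations.

Added example, not part of the exam dump. The formulas are the ones the
explanations state; all numbers in the demo at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected incidents per 12-month period

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO (total risk, no safeguard)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str                   # hypothetical label for the safeguard
    annual_cost: float          # yearly cost of owning and operating it
    new_exposure_factor: float  # EF once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def residual_ale(scenario: RiskScenario, control: Countermeasure) -> float:
    """Residual risk: the ALE that is left after the countermeasure is applied."""
    reduced = RiskScenario(scenario.asset_value, control.new_exposure_factor, control.new_aro)
    return reduced.ale()


def control_value(scenario: RiskScenario, control: Countermeasure) -> float:
    """Annual value of a safeguard: ALE before - ALE after - annual cost.

    A negative value is the cost/benefit case in question 9: the countermeasure
    costs more than the loss it prevents, so accepting the risk is the
    rational choice.
    """
    return scenario.ale() - residual_ale(scenario, control) - control.annual_cost


def recommend(scenario: RiskScenario,
              controls: Iterable[Countermeasure]) -> Optional[Countermeasure]:
    """Return the safeguard with the greatest positive annual value,
    or None when every candidate costs more than it saves (accept the risk)."""
    best = max(controls, key=lambda c: control_value(scenario, c), default=None)
    if best is None or control_value(scenario, best) <= 0:
        return None
    return best


if __name__ == "__main__":
    # Constructed figures: a file server worth 250,000 that loses 40% of its
    # value per incident, with an incident expected once every ten years.
    server = RiskScenario(asset_value=250_000.0, exposure_factor=0.4, aro=0.1)
    options = [
        Countermeasure("offsite backups", 3_000.0, 0.4, 0.02),   # hypothetical
        Countermeasure("redundant site", 12_000.0, 0.4, 0.01),   # hypothetical
    ]
    print(f"SLE = {server.sle():,.0f}  ALE (total risk) = {server.ale():,.0f}")
    for c in options:
        print(f"{c.name:16s} residual ALE = {residual_ale(server, c):,.0f}"
              f"  annual value = {control_value(server, c):,.0f}")
    choice = recommend(server, options)
    print("decision:", f"implement {choice.name}" if choice else "accept the risk")
```

With the constructed figures the SLE is 100,000 and the ALE 10,000; the cheaper safeguard leaves a residual ALE of 2,000 and is worth 5,000 a year, while the more expensive one is worth −3,000 a year and would be rejected on cost/benefit grounds.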
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87

QUESTION 17
Preservation of confidentiality within information systems requires that the information is not disclosed to:
A. Authorized persons
B. Unauthorized persons or processes.
C. Unauthorized persons.
D. Authorized persons and processes
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality.
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
Incorrect Answers:
A: Authorized persons are allowed to access the information.
C: Unauthorized processes should be included in the answer, not just unauthorized persons.
D: Authorized persons and processes are allowed to access the information.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 160

QUESTION 18
Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model?
A. Prevention of the modification of information by unauthorized users.
B. Prevention of the unauthorized or unintentional modification of information by authorized users.
C. Preservation of the internal and external consistency.
D. Prevention of the modification of information by authorized users.
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Prevention of the modification of information by authorized users is not one of the three goals of integrity addressed by the Clark-Wilson model.
Clark-Wilson addresses the following three goals of integrity in its model:
Prevent unauthorized users from making modifications
Prevent authorized users from making improper modifications (separation of duties)
Maintain internal and external consistency (well-formed transaction)
The Clark-Wilson model enforces the three goals of integrity by using the access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through the access triple) and separation of duties.
Incorrect Answers:
A: Prevention of the modification of information by unauthorized users is one of the three goals of integrity addressed by the Clark-Wilson model.
B: Prevention of the unauthorized or unintentional modification of information by authorized users is one of the three goals of integrity addressed by the Clark-Wilson model.
C: Preservation of the internal and external consistency is one of the three goals of integrity addressed by the Clark-Wilson model.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 374

QUESTION 19
A. Vulnerability
B. Threat agent
C. Weakness
D. Threat
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Explanation:
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.
Incorrect Answers:
A: A vulnerability is what can be exploited by a threat agent. It is not an event or activity that has the potential to cause harm to the information systems or networks.
B: A threat agent is what can exploit a vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks.
C: A weakness is another word for vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

QUESTION 20
A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called:
A. a vulnerability.
B. a risk.
C. a threat.
D. an overflow.
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
A vulnerability is defined as “the absence or weakness of a safeguard that could be exploited”.
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Incorrect Answers:
B: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A threat is any potential danger that is associated with the exploitation of a vulnerability.
D: An overflow is not what is described in this question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

QUESTION 21
What is the probability that a threat to an information system will materialize called?
A. Threat
B. Risk
C. Vulnerability
D. Hole
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A hole is not the probability that a threat to an information system will materialize.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

QUESTION 22
Risk mitigation and risk reduction controls for providing information security are classified within three main categories. Which of the following are they?
A. Preventive, corrective, and administrative.
B. Detective, corrective, and physical.
C. Physical, technical, and administrative.
D. Administrative, operational, and logical.
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls” because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, such as firewalls, IDS, encryption, and identification and authentication mechanisms. Physical controls are items put into place to protect facilities, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Incorrect Answers:
A: Neither preventive nor corrective is one of the three main categories of risk reduction controls.
B: Neither detective nor corrective is one of the three main categories of risk reduction controls.
D: Operational is not one of the three main categories of risk reduction controls.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26

QUESTION 23
Which of the following would be best suited to oversee the development of an information security policy?
A. System Administrators
B. End User
C. Security Officers
D. Security administrators
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.
Incorrect Answers:
A: System Administrators work in the IT department and manage the IT infrastructure from a technical perspective. They do not specialize in security and are therefore not best suited to oversee the development of an information security policy.
B: End users are the least qualified to oversee the development of an information security policy.
D: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. Security administrators are not best suited to oversee the development of an information security policy.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 119-122

QUESTION 24
Which of the following is the MOST important aspect relating to employee termination? A. The details of employee have been removed from active payroll files.
B. Company property provided to the employee has been returned. C. User ID and passwords of the employee have been deleted. D. The appropriate company staff is notified about the termination. Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a specific set of procedures to follow with every termination. For example:
The employee must leave the facility immediately under the supervision of a manager or security guard. The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee’s accounts should be disabled right away, and all passwords on all systems changed.
To ensure that the termination procedures are carried out properly, you need to ensure that the appropriate people (the people who will carry out the procedures) are notified about the termination.
Incorrect Answers:
A: Removing the details of the employee from active payroll files is not the MOST important aspect relating to employee termination.
B: Ensuring company property provided to the employee has been returned should be part of the termination procedure. However, this is not the MOST important aspect relating to employee termination; company security is more important.
C: The user ID and passwords of the employee should be disabled, not deleted. Furthermore, notifying the appropriate staff of the termination will ensure the accounts get disabled.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 129
QUESTION 25
Making sure that only those who are supposed to access the data can access it is which of the following?
A. confidentiality
B. capability
C. integrity
D. availability
Correct Answer: A
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it. These activities need to be controlled, audited, and monitored. Examples of information that could be considered confidential are health records, financial account information, criminal records, source code, trade secrets, and military tactical plans. Some security mechanisms that would provide confidentiality are encryption, logical and physical access controls, transmission protocols, database views, and controlled traffic flow.
Incorrect Answers:
B: Capability is the set of functions that a system or user is able to perform. With reference to a user, it is defined by the access the user is granted. However, making sure that only those who are supposed to access the data can access it is best defined by the term confidentiality.
C: Integrity refers to ensuring that information and systems are accurate and reliable and have not been modified by unauthorized entities.
D: Availability refers to ensuring that authorized users have reliable and timely access to data and resources.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 160, 229-230
QUESTION 26
Related to information security, confidentiality is the opposite of which of the following?
A. closure
B. disclosure
C. disposal
D. disaster
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
Confidentiality prevents disclosure of information. The opposite of confidentiality is the disclosure of the information.
Incorrect Answers:
A: Closure is not the opposite of confidentiality.
C: Disposal is not the opposite of confidentiality.
D: Disaster is not the opposite of confidentiality.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 24
QUESTION 27
Related to information security, integrity is the opposite of which of the following?
A. abstraction
B. alteration
C. accreditation
D. application
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.
The opposite of integrity is alteration.
Incorrect Answers:
A: Abstraction is not the opposite of integrity.
C: Accreditation is not the opposite of integrity.
D: Application is not the opposite of integrity.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23
QUESTION 28
Making sure that the data is accessible when and where it is needed is which of the following?
A. confidentiality
B. integrity
C. acceptability
D. availability
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Availability protection ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.
Incorrect Answers:
A: Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question.
B: Integrity ensures that data is unaltered. This is not what is described in the question.
C: Making sure that the data is accessible when and where it is needed is not the definition of acceptability.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23
QUESTION 29
Related to information security, availability is the opposite of which of the following?
A. delegation
B. distribution
C. documentation
D. destruction
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.
The opposite of availability is destruction. The destruction of data makes it unavailable.
Incorrect Answers:
A: Delegation is not the opposite of availability.
B: Distribution is not the opposite of availability.
C: Documentation is not the opposite of availability.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23
QUESTION 30
contents is which of the following?
A. Confidentiality
B. Integrity
C. Availability
D. capability
Correct Answer: A
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality.
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.
Incorrect Answers:
B: Integrity ensures that data is unaltered. This is not what is described in the question.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.
D: Capability is not the prevention of the intentional or unintentional unauthorized disclosure of contents.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 23
QUESTION 31
Good security is built on which of the following concepts?
A. The concept of a pass-through device that only allows certain traffic in and out.
B. The concept of defense in depth.
C. The concept of preventative controls.
D. The concept of defensive controls.
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Defense-in-depth is the coordinated use of multiple security controls in a layered approach. A multilayered defense system minimizes the probability of successful penetration and compromise because an attacker would have to get through several different types of protection mechanisms before she gained access to the critical assets.
Incorrect Answers:
A: Pass-through devices are not the central concept in building good security.
C: Preventative controls are not the central concept in building good security.
D: Defensive controls are not the central concept in building good security.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 28
QUESTION 32
A. Honesty
B. Ethical behavior
C. Legality
D. Control
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
The (ISC)2 Code of Ethics does not refer to control. To follow the (ISC)2 Code of Ethics you should act honorably, honestly, justly, responsibly, and legally, and protect society.
Incorrect Answers:
A: To follow the (ISC)2 Code of Ethics you should act honestly.
B: To follow the (ISC)2 Code of Ethics you should use ethical behavior, as you should act honorably, honestly, justly, responsibly, and legally, and protect society.
C: To follow the (ISC)2 Code of Ethics you should act legally.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1062
QUESTION 33
Which of these statements about the key elements of a good configuration process is NOT true?
A. Accommodate the reuse of proven standards and best practices
B. Ensure that all requirements remain clear, concise, and valid
C. Control modifications to system hardware in order to prevent resource changes
D. Ensure changes, standards, and requirements are communicated promptly and precisely
Correct Answer: C
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Configuration management should not be designed to prevent resource changes.
Incorrect Answers:
A: Standards and best practices need to be developed that outline proper configuration management processes.
B: Configuration requirements should be developed to be clear, concise, and valid.
D: Standards need to be developed that outline proper configuration management processes. Once these standards are developed and put into place, employees can be trained on these issues and on how to implement and maintain what is outlined in the standards.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 156
QUESTION 34
Which of the following is NOT part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
D. Delegating user administration
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. Business process implementation is not part of this.
Incorrect Answers:
A: User provisioning involves creating, maintaining, and deactivating accounts as necessary according to business requirements.
C: User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.
D: Delegated user administration is a component of user provisioning software.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 179
QUESTION 35
Which of the following is MOST appropriate to notify an internal user that session monitoring is being conducted?
A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
In this question, the user is an internal user. There is another version of this question where the user is an external user, so you need to read the questions carefully.
With an internal user, as opposed to an external user, you will be able to meet the user face-to-face. Therefore, you can ask the user to sign a written agreement to acknowledge that the user has been informed that session monitoring is being conducted.
Incorrect Answers:
A: Logon Banners are a good way of notifying users that session monitoring is being conducted. However, with the user signing a written agreement, you have legal proof that the user knows that session monitoring is being conducted which makes a written agreement a better answer.
B: A wall poster is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the wall poster so you cannot prove that the user knows that session monitoring is being conducted.
C: An employee handbook is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the employee handbook so you cannot prove that the user knows that session monitoring is being conducted.
QUESTION 36
What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
A. 100
B. 120
C. 1
D. 1200
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
In this question, the ARO of the threat "user input error" is the number of "user input errors" in a year.
We have 100 employees each making one user input error each month. That’s 100 errors per month. In a year, that is 1200 errors (100 errors per month x 12 months).
Therefore, the annualized rate of occurrence (ARO) is 1200.
Incorrect Answers:
A: The annualized rate of occurrence (ARO) is not 100.
B: The annualized rate of occurrence (ARO) is not 120.
C: The annualized rate of occurrence (ARO) is not 1.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 87
QUESTION 37
Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) as unacceptable and unethical activity?
A. uses a computer to steal
B. destroys the integrity of computer-based information
C. wastes resources such as people, capacity and computers through such actions
D. involves negligence in the conduct of Internet-wide experiments
Correct Answer: A
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Stealing using a computer is not addressed in RFC 1087.
Note: The IAB, through RFC 1087, considers the following acts as unethical and unacceptable behavior:
Purposely seeking to gain unauthorized access to Internet resources
Disrupting the intended use of the Internet
Wasting resources (people, capacity, and computers) through purposeful actions
Destroying the integrity of computer-based information
Compromising the privacy of others
Conducting Internet-wide experiments in a negligent manner
Incorrect Answers:
B: Destroying the integrity of computer-based information is included in RFC 1087.
C: Wasting resources (people, capacity, and computers) through purposeful actions is included in RFC 1087.
D: Conducting Internet-wide experiments in a negligent manner is addressed in RFC 1087.
References:
QUESTION 38
Keep in mind that these objectives are provided for information only within the CBK, as they apply only to the committee and not to individuals. Which of the following statements pertaining to the (ISC)2 Code of Ethics is NOT true?
A. All information systems security professionals who are certified by (ISC)2 recognize that such a certification is a privilege that must be both earned and maintained.
B. All information systems security professionals who are certified by (ISC)2 shall provide diligent and competent service to principals.
C. All information systems security professionals who are certified by (ISC)2 shall forbid behavior such as associating or appearing to associate with criminals or criminal behavior.
D. All information systems security professionals who are certified by (ISC)2 shall promote the understanding and acceptance of prudent information security measures.
Correct Answer: C
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
The (ISC)2 Code of Ethics does not explicitly state that individuals who are certified by (ISC)2 should not associate with criminals or with criminal behavior.
Incorrect Answers:
A: According to the (ISC)2 Code Of Ethics all information security professionals who are certified by (ISC)2 recognize that such certification is a privilege that must be both earned and maintained.
B: The (ISC)2 Code of Ethics states that you should provide competent service to your employers and clients, and should avoid any conflicts of interest.
D: The (ISC)2 Code of Ethics states that you should support efforts to promote the understanding and acceptance of prudent information security measures throughout the public, private and academic sectors of our global information society.
References:
https://www.isc2.org/ethics/default.aspx?terms=code of ethics
QUESTION 39
Which approach to a security program ensures people responsible for protecting the company's assets are driving the program?
A. The Delphi approach.
B. The top-down approach.
C. The bottom-up approach.
D. The technology approach.
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies.
Incorrect Answers:
A: Delphi is a group decision method used to ensure that each member of a group gives an honest and anonymous opinion pertaining to the company’s risks.
C: The bottom-up approach is the opposite to the top-down approach. The bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.
D: The technology approach is not a defined security program approach.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 63
QUESTION 40
Which of the following is NOT a part of a risk analysis?
A. Identify risks
B. Quantify the impact of potential threats
C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
D. Choose the best countermeasure
Correct Answer: D
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure would be part of risk mitigation.
Incorrect Answers:
A: Identifying risks is part of risk analysis.
B: Quantifying the impact of potential threats is part of risk analysis.
C: Providing an economic balance between the impact of the risk and the cost of the associated countermeasure is part of risk analysis.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 74
QUESTION 41
How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?
A. Reject the risk.
B. Perform another risk analysis.
C. Accept the risk.
D. Reduce the risk.
Correct Answer: C
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it.
One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
Incorrect Answers:
A: Rejecting a risk is not a valid method of dealing with risk.
B: Performing another risk analysis will not help. It will most likely return the same results as the previous risk analysis.
D: Reducing the risk would require a countermeasure. In this question, the countermeasure outweighs the cost of the risk.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98
QUESTION 42
Which one of these statements about the key elements of a good configuration process is NOT true?
A. Accommodate the reuse of proven standards and best practices
B. Ensure that all requirements remain clear, concise, and valid
C. Control modifications to system hardware in order to prevent resource changes
D. Ensure changes, standards, and requirements are communicated promptly and precisely
Correct Answer: C
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Standards are developed to outline proper configuration management processes and approved baseline configuration settings. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. A good configuration process will follow proven standards and best practices. Requirements must remain clear, concise, and valid. Changes, standards, and requirements must be communicated promptly and precisely. The statement “Control modifications to system hardware in order to prevent resource changes” is not a key element of a good configuration process. Modifications to system hardware should be controlled by a change control procedure.
Incorrect Answers:
A: Accommodating the reuse of proven standards and best practices is one of the key elements of a good configuration process.
B: Ensuring that all requirements remain clear, concise, and valid is one of the key elements of a good configuration process.
D: Ensuring changes, standards, and requirements are communicated promptly and precisely is one of the key elements of a good configuration process.
QUESTION 43
Which of the following is NOT an administrative control?
A. Logical access control mechanisms
B. Screening of personnel
C. Development of policies, standards, procedures and guidelines
D. Change control procedures
Correct Answer: A
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Administrative controls are security mechanisms that are management’s responsibility and referred to as “soft” controls. These controls include the development and publication of policies, standards, procedures, and guidelines; the screening of personnel; security-awareness training; the monitoring of system activity; and change control procedures.
Logical access control mechanisms are not an example of administrative controls. They are an example of a “Logical control” also known as a “Technical control”.
Incorrect Answers:
B: Screening of personnel is an example of an administrative control.
C: Development of policies, standards, procedures and guidelines is an example of an administrative control.
D: Change control procedures are an example of an administrative control.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 28
QUESTION 44
Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations?
A. The Computer Security Act of 1987.
B. The Federal Sentencing Guidelines of 1991.
C. The Economic Espionage Act of 1996.
D. The Computer Fraud and Abuse Act of 1986.
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.
Incorrect Answers:
A: The Computer Security Act of 1987 does not address senior management responsibility. Its purpose is to improve the security and privacy of sensitive information in federal computer systems and to establish minimum acceptable security practices for such systems.
C: The Economic Espionage Act of 1996 does not address senior management responsibility. It deals with a wide range of issues, including not only industrial espionage, but also the insanity defense, the Boys & Girls Clubs of America, requirements for presentence investigation reports, and the United States Sentencing Commission reports regarding encryption or scrambling technology, and other technical and minor amendments.
certain financial institutions are involved. It does not address senior management responsibility.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 548
QUESTION 45
What are the three FUNDAMENTAL principles of security?
A. Accountability, confidentiality and integrity
B. Confidentiality, integrity and availability
C. Integrity, availability and accountability
D. Availability, accountability and confidentiality
Correct Answer: B
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
The three principles of security are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets.
Availability protection ensures reliability and timely access to data and resources to authorized individuals. Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented.
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
Incorrect Answers:
A: Accountability is not one of the three principles of security.
C: Accountability is not one of the three principles of security.
D: Accountability is not one of the three principles of security.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 23-24
QUESTION 46
What would BEST define risk management?
A. The process of eliminating the risk
B. The process of assessing the risks
C. The process of reducing risk to an acceptable level
D. The process of transferring risk
Correct Answer: C
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
Risk management is defined as the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
However, the process of identifying and assessing risk is also defined as risk assessment. This leaves reducing risk to an acceptable level as the BEST definition of risk management as required in this question.
Incorrect Answers:
‘reduce’ risk rather than eliminate risk because you can never fully eliminate risk.
B: The process of assessing the risks is defined by the phrase risk assessment which means this is not the BEST answer as required in this question.
D: The process of transferring risk can be a method of reducing risk. However, this is not the BEST definition of risk management.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 70-73
QUESTION 47
Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment?
A. A baseline
B. A standard
C. A procedure
D. A guideline
Correct Answer: A
Section: Security and Risk Management Explanation
Explanation/Reference: Explanation:
The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.
Baselines are also used to define the minimum level of protection required. In security, specific baselines can be defined per system type, which indicates the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria process and achieved this rating can be used in this department. Once the systems are properly configured, this is the necessary baseline.
Incorrect Answers:
B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They do not provide a minimum level of security acceptable for an environment.
C: A procedure provides detailed step-by-step instructions to achieve a certain task, which are used by users, IT staff, operations staff, security members, and others. It does not provide a minimum level of security acceptable for an environment.
D: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. They do not provide a minimum level of security acceptable for an environment.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 106
QUESTION 48
Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following?
A. Integrity
B. Confidentiality
C. Availability
D. Identity
Correct Answer: A
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Information must be accurate, complete, and protected from unauthorized modification. When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion. If any type of illegitimate modification does occur, the security mechanism must alert the user or administrator in some manner.
Hashing can be used in emails to guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered.
Incorrect Answers:
B: Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. This is not what is described in the question.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.
D: Identity would be the sender or recipient of the email message. It does not guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159
QUESTION 49
Which of the following is NOT a technical control?
A. Password and resource management
B. Identification and authentication methods
C. Monitoring for physical intrusion
D. Intrusion Detection Systems
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Technical controls, also called logical access control mechanisms, work in software to provide confidentiality, integrity, or availability protection. Some examples are passwords, identification and authentication methods, security devices, auditing, and the configuration of the network.
Physical controls are controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls.
Monitoring for physical intrusion is an example of a physical control, not a technical control.
Incorrect Answers:
A: Password and resource management is an example of a technical control.
B: Identification and authentication methods are an example of a technical control.
D: Intrusion Detection Systems are an example of a technical control.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 28
QUESTION 50
A. Security policy being outdated
B. Data owners not laying out the foundation of data protection
C. Network administrator not taking mandatory two-week vacation as planned
D. Latest security patches for servers being installed as per the Patch Management process
Correct Answer: D
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Before a company purchases another company, it should carry out due diligence activities so that the purchasing company does not have any “surprises” down the road. The purchasing company should investigate all relevant aspects of the past, present, and predictable future of the business of the target company. If this does not take place and the purchase of the new company hurts the original company financially or legally, the decision makers could be found liable (responsible) and negligent by the shareholders.
In information security, similar data gathering should take place so that there are no “surprises” down the road and the risks are fully understood before they are accepted.
Latest security patches for servers being installed as per the Patch Management process is a good security measure that should take place. This measure would not violate Due Diligence.
Incorrect Answers:
A: Security policy being outdated is a security risk that would violate due diligence.
B: Data owners not laying out the foundation of data protection is a security risk that would violate due diligence.
C: A network administrator not taking mandatory two-week vacation as planned is a security risk that would violate due diligence.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1023
QUESTION 51
Ensuring least privilege does NOT require:
A. Identifying what the user's job is.
B. Ensuring that the user alone does not have sufficient rights to subvert an important process.
C. Determining the minimum set of privileges required for a user to perform their duties.
D. Restricting the user to required privileges and nothing more.
Correct Answer: B
Section: Security and Risk Management
Explanation/Reference:
Explanation:
Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary.
Ensuring least privilege requires the following:
Identifying what the user's job is (and therefore what he needs to do).
Determining the minimum set of privileges required for a user to perform their duties.
Restricting the user to required privileges and nothing more.
Ensuring that the user alone does not have sufficient rights to subvert an important process is not a requirement for least privilege. This is an example of separation of duties, where it would take collusion between two or more people to subvert the process.