Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. - (Topic 4)
The organization has an IT driver on cloud computing to improve delivery times for IT solution provisioning. Separate to this initiative, a business case has been approved for replacing the existing banking platform for credit card processing with a newer offering. It is the security practitioner’s responsibility to evaluate whether the new credit card processing platform can be hosted within a cloud environment. Which of the following BEST balances the security risk and IT drivers for cloud computing?
A. A third-party cloud computing platform makes sense for new IT solutions. This should be endorsed going forward so as to align with the IT strategy. However, the security practitioner will need to ensure that the third-party cloud provider does regular penetration tests to ensure that all data is secure.
B. Using a third-party cloud computing environment should be endorsed going forward. This aligns with the organization’s strategic direction. It also helps to shift any risk and regulatory compliance concerns away from the company’s internal IT department. The next step will be to evaluate each of the cloud computing vendors, so that a vendor can then be selected for hosting the new credit card processing platform.
C. There may be regulatory restrictions with credit cards being processed out of country or processed by shared hosting providers. A private cloud within the company should be considered. An options paper should be created which outlines the risks, advantages, disadvantages of relevant choices and it should recommended a way forward.
D. Cloud computing should rarely be considered an option for any processes that need to be significantly secured. The security practitioner needs to convince the stakeholders that the new platform can only be delivered internally on physical infrastructure.
Answer: C
Q2. - (Topic 1)
A security administrator wants to prevent sensitive data residing on corporate laptops and desktops from leaking outside of the corporate network. The company has already implemented full-disk encryption and has disabled all peripheral devices on its desktops and laptops. Which of the following additional controls MUST be implemented to minimize the risk of data leakage? (Select TWO).
A. A full-system backup should be implemented to a third-party provider with strong encryption for data in transit.
B. A DLP gateway should be installed at the company border.
C. Strong authentication should be implemented via external biometric devices.
D. Full-tunnel VPN should be required for all network communication.
E. Full-drive file hashing should be implemented with hashes stored on separate storage.
F. Split-tunnel VPN should be enforced when transferring sensitive data.
Answer: B,D
Q3. - (Topic 4)
Which of the following BEST explains SAML?
A. A security attestation model built on XML and SOAP-based services, which allows for the exchange of A&A data between systems and supports Federated Identity Management.
B. An XML and SOAP-based protocol, which enables the use of PKI for code signing and SSO by using SSL and SSH to establish a trust model.
C. A security model built on the transfer of assertions over XML and SOAP-based protocols, which allows for seamless SSO and the open exchange of data.
D. A security verification model built on SSO and SSL-based services, which allows for the exchange of PKI data between users and supports XACML.
Answer: A
Q4. - (Topic 5)
A security officer is leading a lessons learned meeting. Which of the following should be components of that meeting? (Select TWO).
A. Demonstration of IPS system
B. Review vendor selection process
C. Calculate the ALE for the event
D. Discussion of event timeline
E. Assigning of follow up items
Answer: D,E
Q5. - (Topic 2)
The following has been discovered in an internally developed application:
Error - Memory allocated but not freed: char *myBuffer = malloc(BUFFER_SIZE); if (myBuffer != NULL) { *myBuffer = STRING_WELCOME_MESSAGE;
printf(“Welcome to: %s\n”, myBuffer);
}
exit(0);
Which of the following security assessment methods are likely to reveal this security weakness? (Select TWO).
A. Static code analysis
B. Memory dumping
C. Manual code review
D. Application sandboxing
E. Penetration testing
F. Black box testing
Answer: A,C
Q6. - (Topic 3)
A security administrator wants to verify and improve the security of a business process which is tied to proven company workflow. The security administrator was able to improve security by applying controls that were defined by the newly released company security standard. Such controls included code improvement, transport encryption, and interface restrictions. Which of the following can the security administrator do to further increase security after having exhausted all the technical controls dictated by the company’s security standard?
A. Modify the company standard to account for higher security and meet with upper management for approval to implement the new standard.
B. Conduct a gap analysis and recommend appropriate non-technical mitigating controls, and incorporate the new controls into the standard.
C. Conduct a risk analysis on all current controls, and recommend appropriate mechanisms to increase overall security.
D. Modify the company policy to account for higher security, adapt the standard accordingly, and implement new technical controls.
Answer: B
Q7. - (Topic 3)
As part of the ongoing information security plan in a large software development company, the Chief Information officer (CIO) has decided to review and update the company’s privacy policies and procedures to reflect the changing business environment and business requirements.
Training and awareness of the new policies and procedures has been incorporated into the security awareness program which should be:
A. presented by top level management to only data handling staff.
B. customized for the various departments and staff roles.
C. technical in nature to ensure all development staff understand the procedures.
D. used to promote the importance of the security department.
Answer: B
Q8. - (Topic 5)
Executive management is asking for a new manufacturing control and workflow automation solution. This application will facilitate management of proprietary information and closely guarded corporate trade secrets.
The information security team has been a part of the department meetings and come away with the following notes:
-Human resources would like complete access to employee data stored in the application. They would like automated data interchange with the employee management application, a cloud-based SaaS application.
-Sales is asking for easy order tracking to facilitate feedback to customers.
-Legal is asking for adequate safeguards to protect trade secrets. They are also concerned with data ownership questions and legal jurisdiction.
-Manufacturing is asking for ease of use. Employees working the assembly line cannot be bothered with additional steps or overhead. System interaction needs to be quick and easy.
-Quality assurance is concerned about managing the end product and tracking overall performance of the product being produced. They would like read-only access to the entire workflow process for monitoring and baselining.
The favored solution is a user friendly software application that would be hosted onsite. It has extensive ACL functionality, but also has readily available APIs for extensibility. It supports read-only access, kiosk automation, custom fields, and data encryption.
Which of the following departments’ request is in contrast to the favored solution?
A. Manufacturing
B. Legal
C. Sales
D. Quality assurance
E. Human resources
Answer: E
Q9. - (Topic 4)
During a new desktop refresh, all hosts are hardened at the OS level before deployment to comply with policy. Six months later, the company is audited for compliance to regulations. The audit discovers that 40% of the desktops do not meet requirements. Which of the following is the cause of the noncompliance?
A. The devices are being modified and settings are being overridden in production.
B. The patch management system is causing the devices to be noncompliant after issuing the latest patches.
C. The desktop applications were configured with the default username and password.
D. 40% of the devices have been compromised.
Answer: A
Q10. - (Topic 2)
A company decides to purchase commercially available software packages. This can introduce new security risks to the network. Which of the following is the BEST description of why this is true?
A. Commercially available software packages are typically well known and widely available. Information concerning vulnerabilities and viable attack patterns are never revealed by the developer to avoid lawsuits.
B. Commercially available software packages are often widely available. Information concerning vulnerabilities is often kept internal to the company that developed the software.
C. Commercially available software packages are not widespread and are only available in limited areas. Information concerning vulnerabilities is often ignored by business managers.
D. Commercially available software packages are well known and widely available. Information concerning vulnerabilities and viable attack patterns are always shared within the IT community.
Answer: B
Q11. - (Topic 4)
A security policy states that all applications on the network must have a password length of eight characters. There are three legacy applications on the network that cannot meet this policy. One system will be upgraded in six months, and two are not expected to be upgraded or removed from the network. Which of the following processes should be followed?
A. Establish a risk matrix
B. Inherit the risk for six months
C. Provide a business justification to avoid the risk
D. Provide a business justification for a risk exception
Answer: D
Q12. - (Topic 4)
The lead systems architect on a software development project developed a design which is optimized for a distributed computing environment. The security architect assigned to the project has concerns about the integrity of the system, if it is deployed in a commercial cloud. Due to poor communication within the team, the security risks of the proposed design are not being given any attention. A network engineer on the project has a security background and is concerned about the overall success of the project. Which of the following is the BEST course of action for the network engineer to take?
A. Address the security concerns through the network design and security controls.
B. Implement mitigations to the security risks and address the poor communications on the team with the project manager.
C. Document mitigations to the security concerns and facilitate a meeting between the architects and the project manager.
D. Develop a proposal for an alternative architecture that does not leverage cloud computing and present it to the lead architect.
Answer: C
Q13. - (Topic 1)
An assessor identifies automated methods for identifying security control compliance through validating sensors at the endpoint and at Tier 2. Which of the following practices satisfy continuous monitoring of authorized information systems?
A. Independent verification and validation
B. Security test and evaluation
C. Risk assessment
D. Ongoing authorization
Answer: D
Q14. - (Topic 1)
Company XYZ provides hosting services for hundreds of companies across multiple industries including healthcare, education, and manufacturing. The security architect for company XYZ is reviewing a vendor proposal to reduce company XYZ’s hardware costs by combining multiple physical hosts through the use of virtualization technologies. The security architect notes concerns about data separation, confidentiality, regulatory requirements concerning PII, and administrative complexity on the proposal. Which of the following BEST describes the core concerns of the security architect?
A. Most of company XYZ’s customers are willing to accept the risks of unauthorized disclosure and access to information by outside users.
B. The availability requirements in SLAs with each hosted customer would have to be re-written to account for the transfer of virtual machines between physical platforms for regular maintenance.
C. Company XYZ could be liable for disclosure of sensitive data from one hosted customer when accessed by a malicious user who has gained access to the virtual machine of another hosted customer.
D. Not all of company XYZ’s customers require the same level of security and the administrative complexity of maintaining multiple security postures on a single hypervisor negates hardware cost savings.
Answer: C
Q15. - (Topic 2)
The Chief Information Security Officer (CISO) at a large organization has been reviewing some security-related incidents at the organization and comparing them to current industry trends. The desktop security engineer feels that the use of USB storage devices on office computers has contributed to the frequency of security incidents. The CISO knows the acceptable use policy prohibits the use of USB storage devices. Every user receives a popup warning about this policy upon login. The SIEM system produces a report of USB violations on a monthly basis; yet violations continue to occur. Which of the following preventative controls would MOST effectively mitigate the logical risks associated with the use of USB storage devices?
A. Revise the corporate policy to include possible termination as a result of violations
B. Increase the frequency and distribution of the USB violations report
C. Deploy PKI to add non-repudiation to login sessions so offenders cannot deny the offense
D. Implement group policy objects
Answer: D