Q1. A security consultant has been asked to research an organization's legal obligations to protect privacy-related information. What kind of reading material is MOST relevant to this project?
A. The organization's current security policies concerning privacy issues
B. Privacy-related regulations enforced by governing bodies applicable to the organization
C. Privacy best practices published by recognized security standards organizations
D. Organizational procedures designed to protect privacy information
Answer: B
Q2. By allowing storage communications to run on top of Transmission Control
Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
A. confidentiality of the traffic is protected.
B. opportunity to sniff network traffic exists.
C. opportunity for device identity spoofing is eliminated.
D. storage devices are protected against availability attacks.
Answer: B
Q3. Are companies legally required to report all data breaches?
A. No, different jurisdictions have different rules.
B. No, not if the data is encrypted.
C. No, companies' codes of ethics don't require it.
D. No, only if the breach had a material impact.
Answer: A
Q4. Which of the following BEST mitigates a replay attack against a system using identity federation and Security Assertion Markup Language (SAML) implementation?
A. Two-factor authentication
B. Digital certificates and hardware tokens
C. Timed sessions and Secure Socket Layer (SSL)
D. Passwords with alpha-numeric and special characters
Answer: C
Q5. Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to what?
A. Interface with the Public Key Infrastructure (PKI)
B. Improve the quality of security software
C. Prevent Denial of Service (DoS) attacks
D. Establish a secure initial state
Answer: D
Q6. When constructing.an.Information Protection.Policy.(IPP), it is important that the stated rules are necessary, adequate, and
A. flexible.
B. confidential.
C. focused.
D. achievable.
Answer: D
Q7. Refer.to the information below to answer the question.
During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.
If the intrusion causes the system processes to hang, which of the following has been affected?
A. System integrity
B. System availability
C. System confidentiality
D. System auditability
Answer: B
Q8. Which of the following BEST represents the principle of open design?
A. Disassembly, analysis, or reverse engineering will reveal the security functionality of the computer system.
B. Algorithms must be protected to ensure the security and interoperability of the designed system.
C. A knowledgeable user should have limited privileges on the system to prevent their ability to compromise security capabilities.
D. The security of a mechanism should not depend on the secrecy of its design or implementation.
Answer: D
Q9. Which of the following BEST describes Recovery Time Objective (RTO)?
A. Time of data validation after disaster
B. Time of data restoration from backup after disaster
C. Time of application resumption after disaster
D. Time of application verification after disaster
Answer: C
Q10. The implementation of which features of an identity management system reduces costs and administration overhead while improving audit and accountability?
A. Two-factor authentication
B. Single Sign-On (SSO)
C. User self-service
D. A metadirectory
Answer: C
Q11. Which of the following violates identity and access management best practices?
A. User accounts
B. System accounts
C. Generic accounts
D. Privileged accounts
Answer: C
Q12. At a MINIMUM, a formal review of any Disaster Recovery Plan (DRP) should be conducted
A. monthly.
B. quarterly.
C. annually.
D. bi-annually.
Answer: C
Q13. Which methodology is recommended for penetration testing to be effective in the development phase of the life-cycle process?
A. White-box testing
B. Software fuzz testing
C. Black-box testing
D. Visual testing
Answer: A
Q14. Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?
A. poor governance over security processes and procedures
B. immature security controls and procedures
C. variances against regulatory requirements
D. unanticipated increases in security incidents and threats
Answer: A
Q15. Refer.to the information below to answer the question.
.A large, multinational organization has decided to outsource a portion of their Information Technology (IT) organization to a third-party provider’s facility. This provider will be responsible for the design, development, testing, and support of several critical, customer-based applications used by the organization.
What additional considerations are there if the third party is located in a different country?
A. The organizational structure of the third party and how it may impact timelines within the organization
B. The ability of the third party to respond to the organization in a timely manner and with accurate information
C. The effects of transborder data flows and customer expectations regarding the storage or processing of their data
D. The quantity of data that must be provided to the third party and how it is to be used
Answer: C