Which of the following is MOST important when deploying digital certificates?
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?
The application of a security patch to a product previously validate at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would
In order to assure authenticity, which of the following are required?
What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
Match the types of e-authentication tokens to their description.
Drag each e-authentication token on the left to its corresponding description on the right.
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?
A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following the controls categories does this company need to improve when analyzing its processes individually?
What balance MUST be considered when web application developers determine how informative application error messages should be constructed?
Which of the following is the MOST important consideration when developing a Disaster Recovery Plan (DRP)?
Which of the following is needed to securely distribute symmetric cryptographic keys?
During which of the following processes is least privilege implemented for a user account?
Which of the following BEST describes a chosen plaintext attack?
What does the Maximum Tolerable Downtime (MTD) determine?
In order for a security policy to be effective within an organization, it MUST include
Retaining system logs for six months or longer can be valuable for what activities?
Which of the following BEST describes the purpose of the security functional requirements of Common Criteria?
A health care provider is considering Internet access for their employees and patients. Which of the following is the organization's MOST secure solution for protection of data?
Which of the following is the PRIMARY security concern associated with the implementation of smart cards?
Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification in the image below.
Which of the following command line tools can be used in the reconnaisance phase of a network vulnerability assessment?
A global organization wants to implement hardware tokens as part of a multifactor authentication solution for remote access. The PRIMARY advantage of this implementation is
What is the process called when impact values are assigned to the security objectives for information types?
In the Open System Interconnection (OSI) model, which layer is responsible for the transmission of binary data over a communications network?
An organization has developed a major application that has undergone accreditation testing. After receiving the results of the evaluation, what is the final step before the application can be accredited?
The PRIMARY outcome of a certification process is that it provides documented
What does an organization FIRST review to assure compliance with privacy requirements?
Are companies legally required to report all data breaches?
What is the GREATEST challenge to identifying data leaks?
A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?
Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?
What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?
Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee’s salary?
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?
Which of the following could cause a Denial of Service (DoS) against an authentication system?
In which of the following programs is it MOST important to include the collection of security process data?
Which of the following is of GREATEST assistance to auditors when reviewing system configurations?
A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user’s access to data files?
Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
What can happen when an Intrusion Detection System (IDS) is installed inside a firewall-protected internal network?
A security compliance manager of a large enterprise wants to reduce the time it takes to perform network,
system, and application security compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?
Which of the following is the MOST challenging issue in apprehending cyber criminals?
It is MOST important to perform which of the following to minimize potential impact when implementing a new vulnerability scanning tool in a production environment?
Match the functional roles in an external audit to their responsibilities.
Drag each role on the left to its corresponding responsibility on the right.
Select and Place:
Which of the following is an initial consideration when developing an information security management system?
Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?
In a data classification scheme, the data is owned by the
Which of the following BEST describes the responsibilities of a data owner?
Which one of the following affects the classification of data?
An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?
Which of the following is MOST important when assigning ownership of an asset to a department?
When implementing a data classification program, why is it important to avoid too much granularity?
A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS).
Which of the following factors leads the company to choose an IDaaS as their solution?
Computer forensics requires which of the following MAIN steps?
Which of the (ISC)? Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?
What is the PRIMARY purpose of auditing, as it relates to the security review cycle?
Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?
Which of the following vulnerabilities can be BEST detected using automated analysis?
Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-system gracefully handle invalid input?
When assessing an organization’s security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that
Which of the following represents the GREATEST risk to data confidentiality?
A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?
An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?
Intellectual property rights are PRIMARY concerned with which of the following?
What is the MOST important consideration from a data security perspective when an organization plans to relocate?
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified automated vulnerability assessments?
The use of private and public encryption keys is fundamental in the implementation of which of the following?
Who in the organization is accountable for classification of data information assets?
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
Which of the following mobile code security models relies only on trust?
Which security service is served by the process of encryption plaintext with the sender’s private key and decrypting cipher text with the sender’s public key?
Which of the following can BEST prevent security flaws occurring in outsourced software development?
The type of authorized interactions a subject can have with an object is
Which of the following is TRUE about Disaster Recovery Plan (DRP) testing?
What would be the PRIMARY concern when designing and coordinating a security assessment for an Automatic Teller Machine (ATM) system?
Checking routing information on e-mail to determine it is in a valid format and contains valid information is an example of which of the following anti-spam approaches?
What maintenance activity is responsible for defining, implementing, and testing updates to application systems?
While impersonating an Information Security Officer (ISO), an attacker obtains information from company employees about their User IDs and passwords. Which method of information gathering has the attacker used?
What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?
The FIRST step in building a firewall is to
Which of the following is an attacker MOST likely to target to gain privileged access to a system?
By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
A software scanner identifies a region within a binary image having high entropy. What does this MOST likely indicate?
Multi-threaded applications are more at risk than single-threaded applications to
Which of the following wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device?
Who must approve modifications to an organization's production infrastructure configuration?
A large bank deploys hardware tokens to all customers that use their online banking system. The token generates and displays a six digit numeric password every 60 seconds. The customers must log into their bank accounts using this numeric password. This is an example of
What is a common challenge when implementing Security Assertion Markup Language (SAML) for identity integration between on-premise environment and an external identity provider service?
Which of the following is an example of two-factor authentication?
Which of the following assures that rules are followed in an identity management architecture?
A security manager has noticed an inconsistent application of server security controls resulting in vulnerabilities on critical systems. What is the MOST likely cause of this issue?
Which of the following methods provides the MOST protection for user credentials?
What component of a web application that stores the session state in a cookie can be bypassed by an attacker?
Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.
Which of the following will indicate where the IT budget is BEST allocated during this time?
Refer to the information below to answer the question.
An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement.
The effectiveness of the security program can PRIMARILY be measured through
When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?
Refer to the information below to answer the question.
During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.
Aside from the potential records which may have been viewed, which of the following should be the PRIMARY concern regarding the database information?
Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.
Which of the following is true according to the star property (*property)?
From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?
Which of the following is the MOST crucial for a successful audit plan?
Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.
Which of the following solutions would have MOST likely detected the use of peer-to-peer programs when the computer was connected to the office network?
When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?
The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
Which of the following is the BEST method to prevent malware from being introduced into a production environment?
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
What is the BEST approach to addressing security issues in legacy web applications?
Which of the following is a PRIMARY advantage of using a third-party identity service?
What is the PRIMARY reason for implementing change management?
What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?
What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24 hours?
With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?
Recovery strategies of a Disaster Recovery planning (DRIP) MUST be aligned with which of the following?
A continuous information security monitoring program can BEST reduce risk through which of the following?
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?
An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?
What is the purpose of an Internet Protocol (IP) spoofing attack?
Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?
Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?
An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?
At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?
Digital certificates used transport Layer security (TLS) support which of the following?
Which of the following is the MOST important reason for timely installation of software patches?
Which of the following is a characteristic of a challenge/response authentication process?
Which of the following would present the higher annualized loss expectancy (ALE)?
For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?
A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach?