Cissp Exam Questions 7

The document covers various concepts in tort law, privacy assessments, and cybersecurity, including the Sarbanes-Oxley Act, encryption methods, and NIST guidelines. It discusses the roles of data stewards and custodians, the importance of security in the software development life cycle, and the functions of different OSI model layers. Additionally, it addresses protocols like RADIUS and GRE, and highlights the significance of compliance with international standards for risk management and data protection.

ALWAYS REMEMBER TO READ EACH QUESTION VERY WELL AND CHECK ALL ANSWER
OPTIONS, EVEN WHEN YOU THINK YOU HAVE FOUND THE CORRECT ANSWER
Tort law: A body of rights, obligations, and remedies that sets out reliefs for
persons suffering harm because of the wrongful acts of others.
A Privacy Impact Assessment (PIA) is a process used to evaluate the
potential effects that a project, system, or process may have on the privacy
of individuals. It helps organizations identify, assess, and mitigate privacy
risks associated with the collection, use, and storage of personal data. PIAs
are crucial for ensuring compliance with privacy laws and regulations and
for safeguarding individuals' personal information.
Sarbanes-Oxley Act (SOX): U.S. legislation enacted to protect shareholders
and the public from accounting errors and fraudulent practices.
Privacy Level Agreement (PLA): Similar in concept to a Service Level
Agreement (SLA) in that it defines roles and responsibilities as well as
clearly defining service commitments for the protection of privacy
information between a service provider and consumer.
Link Encryption: Encrypts data at the link layer or physical layer, protecting
it only while it is on a specific network link. Once the data reaches the end
of the link, it is decrypted and available in plaintext for further processing.
End-to-End Encryption: Encrypts data from the source to the final
destination, ensuring that it remains encrypted throughout its entire journey
across multiple network links and systems. Only the intended recipient can
decrypt and access the data.
NIST Special Publication 800-53, titled "Security and Privacy Controls for
Information Systems and Organizations," is a key document in the NIST
Special Publication series. It provides a comprehensive set of security and
privacy controls designed to protect information systems and the data they
handle. This publication is a cornerstone of the NIST Risk Management
Framework (RMF) and is widely used by federal agencies, contractors, and
private organizations to manage and secure their information systems.
NIST Special Publication 800-37, titled "Guide for Applying the Risk
Management Framework to Federal Information Systems: A Security Life
Cycle Approach," provides a comprehensive approach to managing risk for
federal information systems. This guide is a key document within the
National Institute of Standards and Technology (NIST) Special Publication
series and is crucial for organizations implementing the Risk Management
Framework (RMF).
Security Content Automation Protocol (SCAP)
SCAP is a suite of specifications for standardized vulnerability management,
measurement, and policy compliance evaluation. It is used to automate the
assessment and management of security vulnerabilities in computer
systems. SCAP aims to standardize how security vulnerabilities and
configuration issues are represented, assessed, and managed, facilitating
automated compliance checking and vulnerability assessment.
Components:
Common Vulnerabilities and Exposures (CVE): Provides a reference-method
for publicly known information-security vulnerabilities and exposures.
Common Configuration Enumeration (CCE): A list of identifiers for
configuration issues that can affect system security.
Common Platform Enumeration (CPE): A standardized method of naming
software, hardware, and operating systems.
Open Vulnerability and Assessment Language (OVAL): A language for
encoding system details, vulnerability definitions, and configuration checks.
Extensible Configuration Checklist Description Format (XCCDF): A standard
for specifying security checklists and policies.
Generic Routing Encapsulation (GRE) tunneling over Internet Protocol
version 4
GRE is a tunneling protocol that encapsulates a wide variety of network
layer protocols into a point-to-point connection over an IP network. GRE
tunneling allows for the creation of a virtual point-to-point link to routers at
remote locations.
Lack of Encryption: GRE does not provide encryption on its own. For secure
transmission, it is often used in conjunction with IPsec.
VPNs: Used as part of Virtual Private Networks (VPNs) to tunnel data
securely between different network segments.
Routing Protocols: GRE tunnels can be used to transport routing protocols
that may not be supported directly over the underlying IP network.
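The GRE header layout and the "lack of encryption" point above, as an added example (not code from the original notes or from any vendor): a parser for GRE over IPv4 per RFC 2784 with the RFC 2890 key/sequence fields, run over a constructed packet whose inner IPv4 header and data are, as the note says, readable by anyone on the path. Addresses, key value and payload bytes are made up for the example.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the folded 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _take(packet: bytes, offset: int, fmt: str):
    """Unpack fmt at offset, refusing to read past the end of the packet."""
    size = struct.calcsize(fmt)
    if len(packet) < offset + size:
        raise ValueError("truncated GRE header")
    return struct.unpack(fmt, packet[offset:offset + size]), offset + size


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header (RFC 2784 base header, RFC 2890 key/sequence extensions).
    Returns the encapsulated protocol type, the optional fields, and the raw payload."""
    (flags, proto), offset = _take(packet, 0, "!HH")
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    info = {"protocol": proto, "checksum_ok": None, "key": None, "sequence": None}
    if flags & 0x8000:  # C bit: 16-bit checksum followed by 16 reserved bits
        _, offset = _take(packet, offset, "!HH")
        # With a correct checksum the one's-complement sum of header+payload folds to zero.
        info["checksum_ok"] = ones_complement_sum(packet) == 0
    if flags & 0x2000:  # K bit: 32-bit key identifying the tunnel
        (info["key"],), offset = _take(packet, offset, "!I")
    if flags & 0x1000:  # S bit: 32-bit sequence number
        (info["sequence"],), offset = _take(packet, offset, "!I")
    info["payload"] = packet[offset:]
    return info


def inner_ipv4_summary(payload: bytes) -> dict:
    """Read the encapsulated IPv4 header. Plain GRE leaves all of this, and the data
    after it, readable to anyone on the path; that is the gap IPsec closes."""
    if len(payload) < 20:
        raise ValueError("truncated inner IPv4 header")
    ttl, proto, src, dst = struct.unpack("!8xBB2x4s4s", payload[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "protocol": proto, "data": payload[20:]}


def build_gre_sample(key: int = 0x1234) -> bytes:
    """Constructed sample (not a real capture): GRE with the C and K bits set,
    carrying an inner IPv4 packet between two made-up private addresses."""
    data = b"hello, tunnel"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.1.1"))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:] + data
    gre = struct.pack("!HHHHI", 0x8000 | 0x2000, 0x0800, 0, 0, key)  # checksum still zero
    csum = ones_complement_sum(gre + ip)
    return gre[:4] + struct.pack("!HH", csum, 0) + gre[8:] + ip


if __name__ == "__main__":
    parsed = parse_gre(build_gre_sample())
    print("GRE protocol 0x%04x, checksum ok: %s" % (parsed["protocol"], parsed["checksum_ok"]))
    print("inner packet visible in the clear:", inner_ipv4_summary(parsed["payload"]))
```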
Northbound application-programming interface (API)
Definition: A northbound API refers to the interface used by applications or
higher-level software to interact with lower-level services or systems within
a network architecture, particularly in the context of Software-Defined
Networking (SDN).
SDN Controllers: In an SDN environment, northbound APIs are used by
network applications to request changes or gather information from the SDN
controller.
Link Control Protocol (LCP)
Definition: LCP is a protocol used in the Point-to-Point Protocol (PPP) to
establish, configure, and test the data-link connection between two network
nodes.
Features:
Link Establishment: Responsible for establishing, maintaining, and
terminating PPP connections.
Configuration: Allows for the negotiation of various link parameters and
options, such as authentication methods and network protocol
configurations.
Error Detection: Provides mechanisms for detecting and reporting errors in
the PPP link.
Use Cases:
Dial-Up Connections: LCP is commonly used in dial-up connections to
configure and establish the data link between modems.
WAN Links: Used in wide-area network (WAN) links to manage and maintain
PPP connections between routers or other network devices.
Key Functions:
Configuration Negotiation: Enables negotiation of options such as maximum
frame size, authentication methods, and compression protocols.
Link Termination: Manages the orderly termination of the PPP link when no
longer needed.
ISO/IEC 31000:2018 is an international standard for risk management that
provides guidelines and principles for creating a risk management
framework and process. The standard is designed to be applicable to any
organization, regardless of size or industry, and helps organizations manage
risks effectively to achieve their objectives and improve decision-making.
ISO/IEC 27018:2019 is an international standard that provides guidelines for
protecting personal data in the cloud. It builds on the information security
management framework of ISO/IEC 27002 and the requirements of ISO/IEC
27001, specifically focusing on the protection of personal data (Personally
Identifiable Information, PII) processed by cloud service providers (CSPs).
ISO/IEC 27050 is a series of international standards related to the
management of electronic evidence and e-discovery. This series provides
guidelines for the effective management of electronic information
throughout its lifecycle, especially for legal and regulatory purposes. The
standards cover a range of topics from the discovery of electronic
information to its use in legal contexts.
E-discovery, or electronic discovery, refers to the process of identifying,
collecting, reviewing, and producing electronic data that is relevant to legal
proceedings. This process is crucial in both civil and criminal cases where
electronic records might be used as evidence. E-discovery involves various
technologies, legal principles, and best practices to ensure that electronic
evidence is handled correctly and efficiently.
1
In order to assure authenticity, which of the following are required?
C Authentication and non-repudiation
71
Which of the following is the BEST method to assess the effectiveness
of an organization's vulnerability management program?
B Periodic third party vulnerability assessment
33
The Chief Information Officer (CIO) has decided that as part of
business modernization efforts the organization will move towards
a cloud architecture. All business-critical data will be migrated to
either internal or external cloud services within the next two years.
The CIO has a PRIMARY obligation to work with personnel in which
role in order to ensure proper protection of data during and after
the cloud migration?
C Chief Information Security Officer (CISO)
23
When a system changes significantly, who is PRIMARILY responsible
for assessing the security impact?
C Information System Security Officer (ISSO)
87
At what stage of the Software Development Life Cycle (SDLC) does
software vulnerability remediation MOST likely cost the least to
implement?
D Design
97
When in the Software Development Life Cycle (SDLC) MUST software
security functional requirements be defined?
D After the business functional analysis and the data security
categorization have been performed
43
When is security personnel involvement in the Systems Development
Life Cycle (SDLC) process MOST beneficial?
C Requirements definition phase
36
When developing solutions for mobile devices, in which phase of the
Software Development Life Cycle (SDLC) should technical limitations
related to devices be specified?
B Initiation
The initiation phase is the first phase of the SDLC, where the project scope,
objectives, requirements, and constraints are defined and documented. The
technical limitations related to devices are part of the constraints that affect
the design and development of the software solutions for mobile devices,
such as the screen size, memory capacity, battery life, network
connectivity, or security features.
8
Functional security testing is MOST critical during which phase of the
system development life cycle (SDLC)?
C Acquisition / Development
57
A software engineer uses automated tools to review application code
and search for application flaws, back doors, or other malicious
code. Which of the following is the FIRST Software Development Life
Cycle (SDLC) phase where this takes place?
C Development
14
Which of the following does the Encapsulating Security Payload (ESP)
provide?
C Integrity and confidentiality
ESP is a protocol that is part of the IPsec suite, which is a set of protocols
and standards that provide security for Internet Protocol (IP)
communications. ESP encrypts the payload of an IP packet, which is the
data portion of the packet, to provide confidentiality. ESP also adds a trailer
and an authentication data field to the packet, to provide integrity. ESP does
not provide authorization or availability.
82
The security architect has been assigned the responsibility of ensuring
integrity of the organization's electronic records. Which of the
following methods provides the strongest level of integrity?
D Digital signature = integrity, non-repudiation and authentication
Encryption = confidentiality and integrity
Hashing = integrity
A digital signature is a cryptographic technique that uses public key
cryptography (asymmetric) and hashing to verify the authenticity, integrity,
and non-repudiation of an electronic record.
Encryption can help to protect the confidentiality and integrity of an
electronic record, but it does not provide non-repudiation or
authentication of the electronic record.
Hashing can help to verify the integrity of an electronic record, but it does
not provide confidentiality, authentication, or non-repudiation of the
electronic record.
Data Steward: Ensuring quality and validation through periodic audits for
ongoing data integrity
Data Custodian: Maintaining fundamental data availability, including data
storage and archiving
Data Controller: Ensuring accessibility to appropriate users, maintaining
appropriate levels of data security
92
When conducting a remote access session using Internet Protocol Security
(IPSec), which Open Systems Interconnection (OSI) model layer does this
connection use?
B Network
5
Which Open Systems Interconnection (OSI) layer(s) BEST corresponds
to the network access layer in the Transmission Control
Protocol/Internet Protocol (TCP/IP) model?
B Data Link and Physical layer
Network Interface Layer = OSI Layers 1 (Physical) + 2 (Data Link)
Internet Layer = OSI Layer 3 (Network)
Transport Layer = OSI Layer 4 (Transport)
Application Layer = OSI Layers 5 (Session) + 6 (Presentation) + 7
(Application)
70
Which layer of the Open system Interconnect (OSI) model is responsible for
secure data transfer between applications, flow control, and error detection
and correction?
B Layer 4 (or the transport layer)
Layer 1: Physical layer. This layer is responsible for transmitting and
receiving the raw data or signals over the physical medium, such as cables,
wires, or wireless channels. This layer defines the physical characteristics
and specifications of the medium, such as voltage, frequency, or
modulation.
Layer 2: Data link layer. This layer is responsible for establishing and
maintaining the link or connection between the devices or nodes on the
network, such as switches, routers, or hosts. This layer defines the methods
and protocols for addressing, framing, and accessing the medium, such as
MAC, LLC, or Ethernet.
Layer 3: Network layer. This layer is responsible for routing and forwarding
the data or packets across the network, from the source to the destination.
This layer defines the methods and protocols for addressing, routing, and
switching the packets, such as IP, IPSec, BGP, RIP, ICMP, or OSPF.
Layer 4: Transport layer. This layer is responsible for ensuring the reliable
and secure data transfer between the applications or processes on the
devices or nodes, from the source to the destination. This layer defines the
methods and protocols for segmenting, reassembling, and sequencing the
data, and for providing flow control, error detection and correction, and
security features, such as TCP, UDP, or TLS.
Layer 5: Session layer. This layer is responsible for establishing, managing,
and terminating the sessions or connections between the applications or
processes on the devices or nodes. This layer defines the methods and
protocols for synchronizing, coordinating, and controlling the
communication, and for providing authentication and authorization features,
such as RPC, SSH, SSL/TLS, NFS, or Kerberos.
Layer 6: Presentation layer. This layer is responsible for formatting,
encoding, and decoding the data or messages between the applications or
processes on the devices or nodes. This layer defines the methods and
protocols for converting the data or messages into a common or standard
format, and for providing encryption and compression features, such as
ASCII, JPEG, or SSL/TLS.
Layer 7: Application layer. This layer is responsible for providing the
interface and the functionality for the applications or processes on the
devices or nodes. This layer defines the methods and protocols for
accessing, exchanging, and delivering the data or messages, and for
providing various services or functions, such as HTTP, FTP, SSL/TLS, or DNS.
33
An information security administrator wishes to block peer-to-peer (P2P)
traffic over Hypertext Transfer Protocol (HTTP) tunnels. Which of the
following layers of the Open Systems Interconnection (OSI) model requires
inspection?
D Application
32
Which layer handles packet fragmentation and reassembly in the Open
system interconnection (OSI) Reference model?
D Network
7
Which of the following operates at the Network Layer of the Open System
Interconnection (OSI) model?
A Packet filtering
The network layer is the third layer from the bottom of the OSI model, and it
is responsible for routing and forwarding data packets between different
networks or subnets.
4
A proxy firewall operates at what layer of the Open System Interconnection
(OSI) model?
D Application
50
Between which pair of Open System Interconnection (OSI) Reference
Model layers are routers used as a communications device?
C Network and Session
68
Which one of the following operates at the session, transport, or
network layer of the Open System Interconnection (OSI) model?
D Integrity checking software
30
When conducting a remote access session using Internet Protocol
Security (IPSec), which Open Systems Interconnection (OSI) model
layer does this connection use?
B Network

100
At what level of the Open System Interconnection (OSI) model is data at
rest on a Storage Area Network (SAN) located?
B Physical layer
NOT: link layer
43
Which layer handles packet fragmentation and reassembly in the Open
system interconnection (OSI) Reference model?
D Network layer (Layer 3)
60
Which layer of the Open systems Interconnection (OSI) model is being
targeted in the event of a Synchronization (SYN) flood attack?
B Transport
A Synchronization (SYN) flood attack is a type of denial-of-service (DoS)
attack that exploits the three-way handshake mechanism of the
Transmission Control Protocol (TCP), which operates at the transport layer of
the Open Systems Interconnection (OSI) model.
8
How is Remote Authentication Dial-In User Service (RADIUS)
authentication accomplished?
C It uses clear text and shared secret keys
RADIUS is a protocol that provides centralized authentication,
authorization, and accounting for remote network access. RADIUS
uses User Datagram Protocol (UDP) to communicate between the client
and the server. RADIUS authentication uses clear text to send the
username and password of the user, but it also uses a shared secret key
to encrypt a message authentication code (MAC) that is appended to the
packet. The MAC is used to verify the integrity and authenticity of the
packet. The shared secret key is only known by the client and the server,
and it is never transmitted over the network.
1
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which
layer is responsible for negotiating and establishing a connection with
another node?
A Transport layer
Negotiating and establishing a connection (the three-way handshake
mechanism of the Transmission Control Protocol (TCP)) SYN, ACK, SYN-ACK
99
Which of the following types of firewall only examines the
"handshaking" between packets before forwarding traffic?
C Circuit-level firewalls (verify that the packets belong to a valid
and established session)
Circuit-level firewalls operate at the transport layer of the OSI model,
and they establish a virtual circuit or session between the source and
the destination hosts. Circuit-level firewalls do not inspect the content or the
header of the packets, but they only verify that the packets belong to a
valid and established session. Circuit-level firewalls are faster and less
resource-intensive than other types of firewalls, but they provide less
security and visibility.
Proxy firewalls are a type of firewall that act as an intermediary
between the source and the destination hosts, and they inspect and
filter the packets at the application layer of the OSI model.
Host-based firewalls are a type of firewall that are installed and
configured on individual hosts, and they protect the hosts from
incoming and outgoing network traffic.
Network Address Translation (NAT) firewalls are a type of firewall that
modify the source or the destination IP addresses of the packets, and
they provide a layer of obfuscation and security for the internal network
hosts.
64
Digital certificates use transport Layer security (TLS) to support which
of the following?
D Non-repudiation controls and data encryption
40
Which of the following attributes could be used to describe a protection
mechanism of an open design methodology?
B It can facilitate independent confirmation of the design security
36
Which of the following techniques is MOST useful when dealing with
Advanced persistent Threat (APT) intrusions on live virtualized
environments?
C Memory forensics
Memory forensics involves analyzing the memory (RAM) of a live system to
detect and understand malicious activity. This technique is crucial for
dealing with APTs because it allows investigators to uncover hidden
processes, ongoing network connections, and malicious code that may not
be visible on disk.
22
Which of the following is the MOST common use of the Online
Certificate Status Protocol (OCSP)?
B To obtain the revocation status of an X.509 digital certificate
4
Change management policies and procedures belong to which of the
following types of controls?
A Directive (administrative control)
Directive controls are the type of controls that guide and regulate the
actions and the behaviors of the organization's staff, processes, and
systems, and that ensure that they follow the organization's policies,
standards, and regulations
9
Directive controls are a form of change management policy and procedures.
Which of the following subsections are recommended as part of the change
management process?
A Build and test
30
What type of encryption is used to protect sensitive data in transit over a
network?
B Payload encryption and transport encryption
1
An organization implements a remote access server (RAS); once users
connect to the server, digital certificates are used to authenticate their
identity. What type of Extensible Authentication Protocol (EAP) would the
organization use during this authentication?
D Transport Layer Security (TLS)
EAP-TLS is a widely used authentication protocol that relies on digital
certificates for both the client and the server to mutually authenticate
each other. It provides strong security through the use of Public Key
Infrastructure (PKI) and is well-suited for environments where certificate-
based authentication is required.
1
A software engineer uses automated tools to review application code and
search for application flaws, back doors, or other malicious code. Which
of the following is the FIRST Software Development Life Cycle (SDLC) phase
where this takes place?
C Development
1
Which of the following technologies would provide the BEST alternative to
anti-malware software?
B Application whitelisting
1
Which security feature fully encrypts code and data as it passes to the
servers and only decrypts below the hypervisor layer?
D Trusted execution environments
1
To protect auditable information, which of the following MUST be
configured to only allow read access?
B Transaction log files
1
Which of the following analyses is performed to protect information
assets?
C Cost benefit analysis
1
Which security architecture strategy could be applied to secure an
operating system (OS) baseline for deployment within the corporate
enterprise?
C Principle of Secure Default
1
Which of the following authorization standards is built to handle Application
Programming Interface (API) access for Federated Identity Management
(FIM)?
B Open Authentication (OAUTH)
1
Which of the following controls is the most appropriate for a system
identified as critical in terms of data and function to the organization?
A Preventive controls
1
Which of the following four iterative steps are conducted on third-party
vendors on an ongoing basis?
B Frame, Assess, Respond, Monitor
The Third-Party Risk Management (TPRM) process consists of four iterative
steps that are conducted on third-party vendors on an ongoing basis. The
steps are:
Frame: This step involves defining the scope, objectives, and governance of
the TPRM process, as well as establishing the criteria and thresholds for risk
assessment and acceptance.
Assess: This step involves collecting and analyzing information about the
third-party vendors, such as their security policies, controls, practices,
certifications, and performance, to evaluate their risk profile and compliance
status.
Respond: This step involves developing and implementing strategies and
actions to address the risks identified in the assessment step, such as
negotiating contracts, enforcing service level agreements, applying
controls, conducting audits, or terminating relationships.
Monitor: This step involves tracking and reviewing the performance and risk
posture of the third-party vendors on a regular basis, as well as updating
the TPRM process as needed to reflect changes in the business
environment, regulatory requirements, or risk appetite.
1
Which one of the following is a threat related to the use of web-based
client side input validation?
A Users would be able to alter the input after validation has occurred
1
Refer to the information below to answer the question. An organization has
hired an information security officer to lead their security department. The
officer has adequate people resources but is lacking the other necessary
components to have an effective security program. There are numerous
initiatives requiring security involvement. Which of the following is
considered the MOST important priority for the information security
officer?
A Formal acceptance of the security strategy
11
Refer to the information below to answer the question. An organization has
hired an information security officer to lead their security department. The
officer has adequate people resources but is lacking the other necessary
components to have an effective security program. There are numerous
initiatives requiring security involvement. The effectiveness of the security
program can PRIMARILY be measured through
A Audit findings
93
Refer to the information below to answer the question. An organization has
hired an information security officer to lead their security
department. The officer has adequate people resources but is lacking the
other necessary components to have an effective security program.
There are numerous initiatives requiring security involvement. The
security program can be considered effective when
D Risk is lowered to an acceptable level.
1
Which of the following phases involves researching a target's configuration
from public sources when performing a penetration test?
A Information gathering

1
A user's credential for an application is stored in a relational database.
Which control protects the confidentiality of the credential while it is stored?
C Use a salted cryptographic hash of the password
1
Disaster Recovery Plan (DRP) training material should be
A consistent so that all audiences receive the same training
1
Which of the following is an authentication protocol in which a new random
number is generated uniquely for each login session?
A Challenge Handshake Authentication Protocol (CHAP)
1
Which of the following is a peer entity authentication method for Point-
to-Point Protocol (PPP)?
A Challenge Handshake Authentication Protocol (CHAP)
71
Which of the following is a characteristic of a challenge/response
authentication process?
B Transmitting a hash based on the user's password
A challenge/response authentication process is a type of authentication
method that involves the exchange of a challenge and a response between
the authenticator and the authenticatee. The challenge is usually a
random or unpredictable value, such as a nonce or a timestamp, that is
sent by the authenticator to the authenticatee. The response is usually a
value that is derived from the challenge and the user's password,
such as a hash or a message authentication code (MAC), that is sent by the
authenticatee to the authenticator.
1
A project requires the use of an authentication mechanism where playback
must be protected and plaintext secret must be used. Which of the
following should be used?
B Challenge Handshake Authentication Protocol (CHAP)
1
83
A project requires the use of an authentication mechanism where playback
must be protected and plaintext secret must be used. Which of the following
should be used?
D Challenge Handshake Authentication Protocol (CHAP)
CHAP protects against playback attacks by using a random challenge value
(a nonce) that changes periodically. CHAP also uses a plaintext secret, such
as a password, that is shared between the user and the server. The user
does not send the password over the network, but instead uses it to
generate a response to the challenge. The server does the same and
compares the responses.
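The challenge/response process described above and the CHAP mechanism in this answer, as an added example (not code from the original notes): an RFC 1994 CHAP exchange with MD5, which is the digest that RFC specifies, showing both sides, the plaintext secret staying off the wire, and a captured response being rejected when replayed. Peer names, secrets and the single-process "network" are assumptions made for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret itself never goes on the wire; only this digest does."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side. It holds the plaintext secrets, issues a fresh
    random challenge per session, and checks each response only against the
    challenge it was issued for, so a captured response is useless later."""

    def __init__(self, secrets: dict, challenge_len: int = 16):
        self.secrets = secrets                 # peer name -> plaintext shared secret
        self.challenge_len = challenge_len
        self.identifier = 0
        self.pending = {}                      # identifier -> outstanding challenge

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(self.challenge_len)   # unpredictable, never reused
        self.pending[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def chap_login(auth: ChapAuthenticator, name: str, secret: bytes):
    """Peer (client) side of one session: take the challenge, answer it, learn the verdict."""
    identifier, challenge = auth.issue_challenge()
    response = chap_response(identifier, secret, challenge)
    return identifier, response, auth.verify(identifier, name, response)


def replay_is_rejected(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Take a genuine session's (identifier, response) pair and present it again:
    once against the spent identifier, once against the next fresh challenge."""
    identifier, response, ok = chap_login(auth, name, secret)
    replay_old = auth.verify(identifier, name, response)
    new_identifier, _ = auth.issue_challenge()
    replay_new = auth.verify(new_identifier, name, response)
    return ok and not replay_old and not replay_new


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"correct horse"})   # assumed peer and secret
    print("login ok:", chap_login(auth, "alice", b"correct horse")[2])
    print("replayed response rejected:", replay_is_rejected(auth, "alice", b"correct horse"))
```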
1
Which of the following factors contributes to the weakness of Wired
Equivalent Privacy (WEP) protocol?
A WEP uses a small range Initialization Vector (IV)
1
A user sends an e-mail request asking for read-only access to files that are
not considered sensitive. A Discretionary Access Control (DAC) methodology
is in place. Which is the MOST suitable approach that the administrator
should take?
A Administrator should request data owner approval to the user access
1
Which of the following MUST a security professional do in order to quantify
the value of a security program to organization management?
A Report using metrics
1
Network-based logging has which advantage over host-based logging when
reviewing malicious activity about a victim machine?
C Properly handled network-based logs may be more reliable and valid
1
Which of the following is the strongest physical access control?
D Biometrics, a password, and badge reader
1
What is maintained by using write blocking devices when forensic evidence
is examined?
B Integrity
1
A federal agency has hired an auditor to perform penetration testing on a
critical system as part of the mandatory, annual Federal Information
Security Management Act (FISMA) security assessments. The auditor is new
to this system but has extensive experience with all types of penetration
testing. The auditor has decided to begin with sniffing network traffic. What
type of penetration testing is the auditor conducting?
B Black box testing
1
What is the BEST method if an investigator wishes to analyze a hard drive
which may be used as evidence?
C Remove the hard drive from the system and make a copy of the hard
drive's contents using imaging hardware
1
A security engineer is required to integrate security into a software project
that is implemented by small groups that quickly, continuously, and
independently develop, test, and deploy code to the cloud. The engineer will
MOST likely integrate with which software development process?
D DevOps Integrated Product Team (IPT)
1
Additional padding may be added to the Encapsulating Security Payload
(ESP) trailer to provide which of the following?
B Partial traffic flow confidentiality
1
Which of the following protects personally identifiable information (PII)
used by financial services organizations?
B Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act is a comprehensive piece of legislation that
modernizes the financial industry while ensuring the protection of consumer
financial information through stringent privacy and security requirements.
1
Configuring a Wireless Access Point (WAP) with the same Service Set
Identifier (SSID) as another WAP in order to have users unknowingly connect
is referred to as which of the following?
Man-in-the-Middle (MITM)
1
As a security manager, which of the following is the MOST effective practice
for providing value to an organization?
A Assess business risk and apply security resources accordingly
1
What is the benefit of using Network Admission Control (NAC)?
B NAC supports validation of the endpoint's security posture prior to
allowing the session to go into an authorized state
1
Which of the following is the BEST way to mitigate circumvention of access
controls?
D Multi-layer access controls with diversification of technologies
1
Which of the following is the BEST network defense against unknown types
of attacks or stealth attacks in progress?
D Network Behavior Analysis (NBA) tools
1
If an identification process using a biometric system detects a 100% match
between a presented template and a stored template, what is the
interpretation of this result?
B Suspected tampering
1
Continuity of operations is BEST supported by which of the following?
C Connectivity, reliability, and recovery
1
Users require access rights that allow them to view the average salary of
groups of employees. Which control would prevent the users from obtaining
an individual employee's salary?
A Limit access to predefined queries
1
What is the FIRST step prior to executing a test of an organization's disaster
recovery (DR) or business continuity plan (BCP)?
D Develop clear evaluation criteria
1
Which of the following VPN configurations should be used to separate
Internet and corporate traffic?
C Split-tunnel
1
Which of the following is a characteristic of an internal audit?
D Management is responsible for reading and acting upon the internal
audit results
1
Which of the following is an appropriate source for test data?
D Production data that has been sanitized before loading into a test
environment
1
A database administrator is asked by a high-ranking member of
management to perform specific changes to the accounting system
database. The administrator is specifically instructed to not track or
evidence the change in a ticket. Which of the following is the BEST course of
action?
D Inform the audit committee or internal audit directly using the corporate
whistleblower process
1
Within the company, desktop clients receive Internet Protocol (IP) addresses
over Dynamic Host Configuration Protocol (DHCP). Which of the following
represents a valid measure to help protect the network against
unauthorized access?
B Implement port based security through 802.1x
1
A company wants to store data related to users on an offsite server. What
method can be deployed to protect the privacy of the users' information
while maintaining the field-level configuration of the database?
C Tokenization
1
Which of the following is the MOST important rule for digital investigations?
B Ensure original data is never modified
1
What action should be taken by a business line that is unwilling to accept
the residual risk in a system after implementing compensating controls?
B Purchase insurance to cover the residual risk
1
Which of the following actions should be undertaken prior to deciding on a
physical baseline Protection Profile (PP)?
B Conduct a site survey

1
Which of the following roles has the obligation to ensure that a third party
provider is capable of processing and handling data in a secure manner and
meeting the standards set by the organization?
B Data Owner
1
Who is accountable for the information within an Information System (IS)?
C Data owner
1
Which of the following BEST describes the responsibilities of data owner?
B Determining the impact the information has on the mission of the
organization
1
For privacy protected data, which of the following roles has the highest
authority for establishing dissemination rules for the data?
B Data Owner
7
Which of the following entities is ultimately accountable for data remanence
vulnerabilities with data replicated by a cloud service provider?
A Data owner
9
Which of the following is the FIRST requirement a data owner should
consider before implementing a data retention policy?
B Legal
20
Which of the following BEST describes the responsibilities of a data owner?
D Determining the impact the information has on the mission of
the organization
77
Organization A is adding a large collection of confidential data records that
it received when it acquired Organization B to its data store. Many of the
users and staff from Organization B are no longer available. Which of the
following MUST Organization A do to properly classify and secure the
acquired data?
A Assign data owners from Organization A to the acquired data
8
In an IDEAL encryption system, who has sole access to the decryption key?
B Data owner
15
Which of the following will have the MOST influence on the definition
and creation of data classification and data ownership policies?
D Business Impact Analysis (BIA)
67
With data labeling, which of the following MUST be the key decision
maker?
D Data owner
A data owner is a person or entity that has the authority and accountability
for the creation, collection, processing, and disposal of a set of data. A data
owner is also responsible for defining the purpose, value, and classification
of the data, as well as the security requirements and controls for the data.
The impact of the information on the mission of the organization is one of
the main criteria for data classification, which helps to establish the
appropriate level of protection and handling.
A data steward ensures the quality and validation of the data through
periodic audits for ongoing data integrity; the steward is the person or
entity that oversees the quality, consistency, and usability of the data.
A data custodian is responsible for maintaining fundamental data
availability, including data storage and archiving, and is the person or
entity that implements and maintains the technical and physical security of
the data.
A data controller ensures accessibility for appropriate users while
maintaining appropriate levels of data security, and is the person or entity
that determines the purposes and means of processing the data.
64
Which of the following roles is responsible for ensuring that important
datasets are developed, maintained, and are accessible within their
defined specifications?
C Data Custodian (data availability, storage, physical security of the
data)
A data custodian is responsible for maintaining fundamental data
availability, including data storage and archiving, and is the person or
entity that implements and maintains the technical and physical security of
the data.
A data processor handles the data but is not responsible for the data.
31
A Chief Information Officer (CIO) has delegated responsibility of their system
security to the head of the information technology (IT) department. While
corporate policy dictates that only the CIO can make decisions on
the level of data protection required, technical implementation
decisions are done by the head of the IT department. Which of the
following BEST describes the security role filled by the head of the IT
department?
D System custodian
A system custodian is a person who is responsible for the technical
implementation and maintenance of the security controls and
procedures for a system or a network, as delegated by the system
owner or the senior management. A system custodian performs tasks
such as installing, configuring, updating, testing, monitoring, and
troubleshooting the system or the network, and ensuring its compliance
with the security policies and standards. A system custodian also reports
and escalates any security incidents or issues to the system owner or the
senior management.
9
When developing the entitlement review process, which of the
following roles is responsible for determining who has a need for the
information?
B Data Owner
49
For privacy protected data, which of the following roles has the
highest authority for establishing dissemination rules for the data?
B Data owner
74
Who in the organization is accountable for classification of data
information assets?
A Data owner
A data owner is a person or entity that has the authority and
accountability for the creation, collection, processing, and disposal
of a set of data. A data owner is also responsible for defining the
purpose, value, and classification of the data, as well as the
security requirements and controls for the data. The impact of the
information on the mission of the organization is one of the main criteria for
data classification, which helps to establish the appropriate level of
protection and handling.
4
An organization has outsourced its financial transaction processing to a
Cloud Service Provider (CSP) who will provide them with Software as a
Service (SaaS). If there was a data breach who is responsible for
monetary losses?
D The data owner
3
What operations role is responsible for protecting the enterprise from
corrupt or contaminated media?
B Information librarian
An information librarian is responsible for managing, maintaining, and
protecting the organization's knowledge resources, including ensuring that
media (such as hard drives, USB drives, and CDs) are free from corruption or
contamination, in order to protect the enterprise's data integrity.
An information librarian is also responsible for cataloging, indexing, and
classifying the media, as well as providing access and retrieval services to
the authorized users. An information librarian may also perform backup,
recovery, and disposal of the media, as well as monitor and audit the usage
and security of the media.
1
Which of the following is a key responsibility for a data steward assigned to
manage an enterprise data lake?
A Ensure proper business definition, value, and usage of data collected
and stored within the enterprise data lake
1
When conducting a forensic criminal investigation on a computer hard drive,
what should be done PRIOR to analysis?
C Create a forensic image of the hard drive
1
What technique used for spoofing the origin of an email can successfully
conceal the sender's Internet Protocol (IP) address?
C Onion routing

1
The adoption of an enterprise-wide Business Continuity (BC) program
requires which of the following?
A Good communication throughout the organization
1
Place in order, from BEST (1) to WORST (4), the following methods to reduce
the risk of data remanence on magnetic media
Destruction: 1
Degaussing: 2
Overwriting: 3
Deleting: 4
1
An internal Service Level Agreement (SLA) covering security is signed by
senior managers and is in place. When should compliance to the SLA be
reviewed to ensure that a good security posture is being delivered?
D At regularly scheduled meetings
1
What does the Maximum Tolerable Downtime (MTD) determine?
C The estimated period of time a business can remain interrupted beyond
which it risks never recovering
1
An organization has determined that its previous waterfall approach to
software development is not keeping pace with business demands. To adapt
to the rapid changes required for product delivery, the organization has
decided to move towards an Agile software development and release cycle.
In order to ensure the success of the Agile methodology, who is MOST
critical in creating acceptance tests or acceptance criteria for each release?
D Business customers
3
Which of the following is the GREATEST security risk associated with the use
of identity as a service (IDaaS) when an organization its own software?
B Increased likelihood of confidentiality breach
Increased likelihood of confidentiality breach: Using IDaaS means that user
identities and access control information are managed by a third-party
provider. This introduces a significant risk of data breaches if the provider's
security measures are not robust enough. Confidentiality breaches could
lead to unauthorized access to sensitive information, which is a major
concern for any organization.
42
When conducting a security assessment of access controls, which activity is
part of the data analysis phase?
C Categorize and identify evidence gathered during the audit
1
Which of the following BEST describes the objectives of the Business Impact
Analysis (BIA)?
B Identifying what is important and critical based on disruptions that can
affect the organization
1
Which of the following outsourcing agreement provisions has the HIGHEST
priority from a security operations perspective?
C Escalation process for problem resolution during incidents

1
In which of the following scenarios is locking server cabinets and limiting
access to keys preferable to locking the server room to prevent
unauthorized access?
D Server cabinets share workspace with multiple projects
1
Why must all users be positively identified prior to using multi-user
computers?
B To ensure that unauthorized persons cannot access the computers
1
What is the correct order of steps in an information security assessment?
Place the information security assessment steps on the left next to the
numbered boxes on the right in the correct order
Step 1: Define the perimeter
Step 2: Identify the vulnerability
Step 3: Assess the risk
Step 4: Determine the actions
1
Which one of the following data integrity models assumes a lattice of
integrity levels?
B Biba
Biba Model: The Biba Integrity Model is designed to prevent data from being
corrupted by ensuring that data integrity is maintained. It uses a lattice of
integrity levels to enforce rules such as "no write down" (a subject
cannot write data to a lower integrity level) and "no read up" (a subject
cannot read data from a higher integrity level). This structure helps
maintain data integrity by preventing lower integrity subjects from
modifying higher integrity data.
Take-Grant Model: This model is used to analyze the distribution and
flow of access rights. It is not primarily focused on data integrity but
rather on how access rights can be transferred between subjects.
Harrison-Ruzzo-Ullman (HRU) Model: This model addresses access
control and authorization by defining how subjects (users) can
manipulate objects (files, databases) and rights. It is used to ensure that
only authorized users can perform certain operations on objects.
Bell-LaPadula Model: This model is focused on data confidentiality rather
than integrity. It uses a lattice structure to enforce security policies like
"no read up" (simple security property) and "no write down" (star property)
to prevent unauthorized access to information.
1
Which of the following is an important design feature for the outer door of a
mantrap?
D Allow it to be opened when the inner door of the mantrap is also open
97
A financial services organization has employed a security consultant to
review processes used by employees across various teams. The consultant
interviewed a member of the application development practice and found
gaps in their threat model. Which of the following correctly represents a
trigger for when a threat model should be revised?
A A new data repository is added
1
A company has decided that they need to begin maintaining assets
deployed in the enterprise. What approach should be followed to determine
and maintain ownership information to bring the company into compliance?
A Enterprise asset management framework
1
Which of the following provides effective management assurance for a
Wireless Local Area Network (WLAN)?
A Maintaining an inventory of authorized Access Points (AP) and
connecting devices
1
Single Sign-On (SSO) is PRIMARILY designed to address which of the
following?
D Accountability and Assurance
1
Which element of software supply chain management has the GREATEST
security risk to organizations?
B Unsupported libraries are often used
1
When using third-party software developers, which of the following is the
MOST effective method of providing software development Quality
Assurance (QA)?
B Perform overlapping code reviews by both parties.
1
Due to system constraints, a group of system administrators must share a
high-level access set of credentials.
C A credential check-out process for a per-use basis
1
Information security metrics provide the GREATEST value to management
when based upon the security manager's knowledge of which of the
following?
B Value of information assets
1
To control the scope of a Business Continuity Management (BCM) system, a
security practitioner should identify which of the following?
A Size, nature, and complexity of the organization
74
Which of the following statements is TRUE regarding value boundary
analysis as a functional software testing technique?
C Test inputs are obtained from the derived threshold of the given
functional specifications.
Value boundary analysis is a functional software testing technique that tests
the behavior of a software system or component when it receives
inputs that are at the boundary or edge of the expected range of
values. Value boundary analysis is based on the assumption that errors are
more likely to occur at the boundary values than at the normal values. Test
inputs are obtained from the derived threshold of the given functional
specifications, such as the minimum, maximum, or just above or below the
boundary values.
37
Which Wide Area Network (WAN) technology requires the first router
in the path to determine the full path the packet will travel, removing
the need for other routers in the path to make independent
determinations?
A Multiprotocol Label Switching (MPLS)
MPLS works by adding a label to each packet at the ingress router, which
indicates the forwarding equivalence class (FEC) of the packet. The FEC is a
group of packets that share the same destination and quality of service
(QoS) requirements. The label is then used by the intermediate routers to
forward the packet along a predetermined label-switched path (LSP),
without inspecting the packet header or performing routing lookups. The
label is removed at the egress router, and the packet is delivered to the
destination. MPLS can improve the performance, scalability, and efficiency
of WAN networks, as well as support multiple protocols and services
98
Which of the following is TRUE regarding equivalence class testing?
B An entire partition can be covered by considering only one
representative value from that partition
17
Which of the following statements is TRUE regarding equivalence
class testing?
C An entire partition can be covered by considering only one
representative value from that partition
1
A software security engineer is developing a black box-based test plan that
will measure the system's reaction to incorrect or illegal inputs or
unexpected operational errors and situations. Match the functional testing
techniques on the left with the correct input parameters on the right.
Equivalence Class Analysis: Select one input that does not belong to any of
the identified partitions
State-Based Analysis: select unexpected inputs corresponding to each
known condition
Decision Table Analysis: select invalid combination of input values
Boundary Value Analysis: select inputs that are at the external limits of
domain of valid values
1
A security engineer is designing a Customer Relationship Management
(CRM) application for a third-party vendor. In which phase of the System
Development Life Cycle (SDLC) will it be MOST beneficial to conduct a data
sensitivity assessment?
B Initiation
A data sensitivity assessment is a process of identifying and classifying the
data that is involved in a system or application, based on the level of
confidentiality, integrity, and availability that is required for the data.
The initiation phase is the first phase of the SDLC, where the scope,
objectives, and feasibility of the system or application are defined and
approved.
1
For a service provider, which of the following MOST effectively addresses
confidentiality concerns for customers using cloud computing?
B Data segregation
1
When designing a vulnerability test, which one of the following is likely to
give the BEST indication of what components currently operate on the
network?
B Mapping tools
1
What is the HIGHEST priority in agile development?
C Early and continuous delivery of software
1
Which of the following is the MOST secure protocol for remote command
access to the firewall?
A Secure Shell (SSH)
1
Which of the following practices provides the development of security and
identification of threats in designing software?
D Threat modeling
75
Which of the following is the MOST important output from a mobile
application threat modeling exercise according to Open Web Application
Security Project (OWASP)?
D A data flow diagram for the application and attack surface
analysis
19
Which of the following is the BEST method to identify security controls that
should be implemented for a web-based application while in development?
A Application threat modeling
24
What is the threat modeling order process for Attack simulation and threat
analysis (PASTA)?
A Application decomposition, threat analysis, vulnerability detection,
attack enumeration, risk/impact analysis
42
What testing technique enables the designer to develop mitigation
strategies for potential vulnerabilities?
C Threat modeling
56.
Which technique helps system designers consider potential security
concerns of their systems and applications?
A. Threat modeling
85
What is the BEST method to use for assessing the security impact of
acquired software?
A Threat modeling
29
Which of the following practices provides the development team with a
definition of security and identification of threats in designing
software?
C Threat modeling
39
A security professional recommends that a company integrate threat
modeling into its agile development processes. Which of the following
BEST describes the benefits of this approach?
D Potential threats are addressed earlier in the Software
Development Life Cycle (SDLC).
100
Which of the following techniques evaluates the secure by design principles
of network or software architectures?
A Threat modeling
Secure Bd is an acronym that stands for security by design, security by
default, and security by evaluation.
54
Which of the following techniques evaluates the secure design
principles of network or software architectures?
B Threat modeling
40
In order for application developers to detect potential vulnerabilities
earlier during the Software Development Life Cycle (SDLC), which of
the following safeguards should be implemented FIRST as part of a
comprehensive testing framework?
C Threat modeling
1
Which of the following is an accurate statement when an assessment results
in the discovery of vulnerabilities in a critical network component?
A The fact that every other host is sufficiently hardened does not change
the fact that the network is placed at risk of attack
1
Which of the following is used to support the concept of defense in depth
during the development phase of a software product?
D Security auditing
Polyinstantiation: This is a database security technique used to prevent
inference attacks by creating multiple instances of the same data item at
different classification levels. While useful in database security, it’s not
specifically focused on the development phase of software.
1
In what phase of the System Development Life Cycle (SDLC) should security
training for the development team begin?
B Initiation
1
Computer forensics require which of the following as MAIN steps?
C Acquire the data without altering, authenticate the recovered data, and
analyze the data
1
Which of the following vulnerabilities can be BEST detected using
automated analysis?
D Typical source code vulnerabilities

1
Which is the RECOMMENDED configuration mode for sensors for an intrusion
prevention system (IPS) if the prevention capabilities will be used?
C Inline
An IPS sensor can be configured in different modes, such as active, passive,
inline, or span. Inline mode means that the IPS sensor is placed directly in
the network traffic path, and can modify, drop, or redirect the packets as
they pass through. Inline mode enables the IPS sensor to use its prevention
capabilities effectively, as it can stop the attacks in real time, before they
reach their intended targets.
1
An employee receives a promotion that entitles them to access higher-level
functions on the company's accounting system, while also keeping their
access to the previous system, which is no longer needed or applicable. What
is the name of the process that tries to remove this excess privilege?
C Access certification
Access certification is a process that involves reviewing and verifying the
access rights and the privileges that are assigned to the users, and ensuring
that they are appropriate and necessary for their roles and responsibilities.
1
What is the MOST appropriate hierarchy of documents when implementing a
security program?
A Organization principle, policy, standard, guideline

1
What type of test assesses a Disaster Recovery (DR) plan using realistic
disaster scenarios while maintaining minimal impact to business
operations?
C Simulation
A simulation test involves creating realistic disaster scenarios to evaluate
the effectiveness of the DR plan. During a simulation, the disaster scenario
is mimicked as closely as possible without actually causing disruption to the
business operations. This allows the organization to test its response,
coordination, and recovery procedures in a controlled environment,
ensuring that the DR plan is effective while minimizing the risk of impact on
actual business processes.
1
An input validation and exception handling vulnerability has been
discovered on a critical web-based system. Which of the following is MOST
suited to quickly implement a control?
A Add a new rule to the application layer firewall
1
What is a use for mandatory access control (MAC)?
D Allows for object security based on sensitivity represented by a label
1
Which of the following management processes allows ONLY those services
required for users to accomplish their tasks, changes default user passwords,
and sets servers to retrieve antivirus updates?
A Configuration

1
Which of the following should be included in a hardware retention policy?
D A plan to retain data required only for business purposes and a
retention schedule
1
In the network design below, where is the MOST secure Local Area Network
(LAN) segment to deploy a Wireless Access Point (WAP) that provides
contractors access to the Internet and authorized enterprise services?
LAN 4
A WAP should be deployed in a secure LAN segment that can isolate the
wireless traffic from the rest of the network and apply appropriate security
controls and policies. LAN 4 is connected to the firewall that separates it
from the other LAN segments and the Internet. This firewall can provide
network segmentation, filtering, and monitoring for the WAP and the
wireless devices
1
What is the FIRST step in developing a security test and its evaluation?
C Identify all applicable security requirements
1
What form of attack could this represent?
In this case, the attacker is masquerading as the gateway router by sending
a false ARP reply to 10.102.10.2, claiming that the MAC address of
10.102.10.6 is the same as the MAC address of the gateway router. This
causes 10.102.10.2 to update its ARP cache with the wrong information and
send packets intended for 10.102.10.6 to the gateway router instead. The
attacker can then intercept, modify, or redirect the packets to 10.102.10.6
or another host.
1
Which of the following security tools will ensure authorized data is sent to
the application when implementing a cloud based application?
B Access control list (ACL)
1
To prevent inadvertent disclosure of restricted information, which of the
following would be the LEAST effective process for eliminating data prior to
the media being discarded?
C High-level formatting
1
Which of the following is the PRIMARY issue when analyzing detailed log
information?
B Timely review of the data is potentially difficult
1
Which of the following is generally indicative of a replay attack when
dealing with biometric authentication?
D Exact match
A replay attack aims to bypass an authentication or verification mechanism
by capturing legitimate authentication data, such as a username, password,
token, or biometric sample, and resending it to the system or service as if it
came from the legitimate user or device. Because a live biometric reading
naturally varies slightly from one presentation to the next, an exact match
to the stored template suggests replayed data rather than a live sample.
1
What does a Synchronous (SYN) flood attack do?
D Exceeds the limits for new Transmission Control Protocol /Internet
Protocol (TCP/IP) connections
1
Match the functional roles in an external audit to their responsibilities. Drag
each role on the left to its corresponding responsibility on the right.
Executive management: Approve audit budget and resource allocation
Audit committee: Provide audit oversight
Compliance officer: Ensure the achievement and maintenance of
organizational requirements with applicable certifications
External auditor: Develop and maintain knowledge and subject-matter
expertise relevant to the type of audit
1
Refer to the information below to answer the question. A new employee is
given a laptop computer with full administrator access. This employee does
not have a personal computer at home and has a child that uses the
computer to send and receive e-mail, search the web, and use instant
messaging. The organization's Information Technology (IT) department
discovers that a peer-to-peer program has been installed on the computer
using the employee's access. Which of the following methods is the MOST
effective way of removing the Peer-to-Peer (P2P) program from the
computer?
B Re-image the computer
1
Which of the following is the key requirement for test results when
implementing forensic procedures?
D The test results must be reproducible

1
If an employee transfers from one role to another, which of the following
actions should this trigger within the identity and access management (IAM)
lifecycle?
B User access review and adjustment
1
Which inherent password weakness does a One Time Password (OTP)
generator overcome?
D Static passwords are easily disclosed
1
As part of the security assessment plan, the security professional has been
asked to use a negative testing strategy on a new website. Which of the
following actions would be performed?
D Enter only numbers in the web form and verify that the website
prompts the user to enter a valid input
1
What is a warm site when conducting Business Continuity Planning (BCP)?
B An area partially equipped with equipment and resources to recover
business functions
1
Unused space in a disk cluster is important in media analysis because it
may contain which of the following?
A Residual data that has not been overwritten
1
To comply with industry requirements, a security assessment on the cloud
server should identify which protocols and weaknesses are being exposed to
attackers on the Internet. Which of the following tools is the MOST
appropriate to complete the assessment?
D Use nmap and set the servers' public IPs as the targets
1
Which of the following BEST describes a rogue Access Point (AP)?
C An AP connected to the wired infrastructure but not under the
management of authorized network administrators
1
Who is ultimately responsible to ensure that information assets are
categorized and adequate measures are taken to protect them?
D Data/Information/Business Owners
1
Which of the following is the FIRST step of a penetration test plan?
C Obtaining the approval of the company's management
1
A security practitioner needs to implement a solution to verify endpoint
security protections and operating system (OS) versions. Which of the
following is the BEST solution to implement?
C Network Access Control (NAC)
1
It is MOST important to perform which of the following to minimize potential
impact when implementing a new vulnerability scanning tool in a production
environment?
A Negotiate schedule with the Information Technology (IT) operation's
team

1
Which of the below strategies would MOST comprehensively address the
risk of malicious insiders leaking sensitive information?
C Staff vetting, least privilege access, Data Loss Protection (DLP)
1
What are the PRIMARY responsibilities of security operations for handling
and reporting violations and incidents?
C Monitoring and identifying system failures, alerting key personnel, and
containing events
1
Which security action should be taken FIRST when computer personnel are
terminated from their jobs?
A Remove their computer access
1
What is the BEST way to correlate large volumes of disparate data sources
in a Security Operations Center (SOC) environment?
B Implement a Security Information and Event Management (SIEM)
system.
1
An organization is selecting a service provider to assist in the consolidation
of multiple computing sites including development, implementation and
ongoing support of various computer systems. Which of the following MUST
be verified by the Information Security Department?
C The service provider will impose controls and protections that meet or
exceed the current systems controls and produce audit logs as verification

1
A security professional is assessing the risk in an application and does not
take into account any mitigating or compensating controls. This type of risk
rating is an example of which of the following?
B Inherent risk
Inherent risk is the risk that exists in an application or a system before
applying any mitigating or compensating controls. Inherent risk represents
the worst-case scenario of the potential impact and likelihood of a threat
exploiting a vulnerability. Inherent risk is usually assessed by using
qualitative or quantitative methods, such as risk matrices, risk scales, or risk
formulas. Inherent risk helps to identify the areas that need the most
attention and resources, and to prioritize the implementation of controls.
Residual risk, which is the risk that remains after applying the controls
Transferred risk, which is the risk that is shifted to another party, such as
an insurance company or a service provider
Avoided risk, which is the risk that is eliminated by not performing an
activity or by changing the scope or objectives of the activity.
1
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide
which of the following?
Minimization of the need for decision making during a crisis
1
When writing security assessment procedures, what is the MAIN purpose of
the test outputs and reports?
B To find areas of compromise in confidentiality and integrity
1
Which of the following is an important requirement when designing a secure
remote access system?
C Ensure that logging and audit controls are included
1
Which of the following MUST system and database administrators be aware
of and apply when configuring systems used for storing personal employee
data?
B The organization's security policies and standards
1
Which of the following security tools monitors devices and records the
information in a central database for further analysis?
D Endpoint detection and response (EDR)
1
When developing a business case for updating a security program, the
security program owner MUST do which of the following?
A Identify relevant metrics
1
Which of the following job functions MUST be separated to maintain data
and application integrity?
B Production control and data control functions
1
A company-wide penetration test result shows customers could access and
read files through a web browser. Which of the following can be used to
mitigate this vulnerability?
B Enforce the control of file directory listings.
1
When using Security Assertion markup language (SAML), it is assumed that
the principal subject
D enrolls with at least one identity provider.
1
A security professional has been assigned to assess a web application. The
assessment report recommends switching to Security Assertion Markup
Language (SAML). What is the PRIMARY security benefit in switching to
SAML?
C The users' password is not passed during authentication.
1
An organization wants a service provider to authenticate users via the
users' organization domain credentials. Which of the following is used?
A Security Assertion Markup Language (SAML)
2
Which open standard could a large corporation deploy for authorization
services for single sign-on (SSO) use across multiple internal and external
application?
B Security Assertion Markup Language (SAML)
2
An organization wants to enable users to authenticate across multiple
security domains. To accomplish this they have decided to use Federated
Identity Management (FIM). Which of the following is used behind the
scenes in a FIM deployment?
C Security Assertion Markup Language (SAML)
33
Which of the following is an open standard for exchanging authentication
and authorization data between parties?
D Security Assertion Markup Language (SAML)
64
A cloud service accepts Security Assertion Markup Language (SAML)
assertions from users to log on. However, an attacker was able to
spoof a registered account on the network and query the SAML provider.
What is the MOST common attack leveraged against this flaw?
A Attacker forges requests to authenticate as a different user

73
What is a common challenge when implementing Security Assertion Markup
Language (SAML) for identity integration between on-premise environment
and an external identity provider service?
A Some users are not provisioned into the service
31
A manufacturing organization wants to establish a Federated Identity
Management (FIM) system with its 20 different supplier companies. Which of
the following is the BEST solution for the manufacturing organization?
C Security Assertion Markup Language (SAML)
48
A company needs to provide employee access to travel services, which are
hosted by a third-party service provider. Employee experience is important,
and when users are already authenticated, access to the travel portal should
be seamless. Which of the following methods is used to share
information and grant user access to the travel portal?
A Security Assertion Markup Language (SAML) access
SAML is a standard and protocol that enables the exchange of
authentication and authorization information between different domains or
entities, such as a service provider (SP) and an identity provider (IdP). SAML
access can provide a seamless user experience, as it allows the users to
access multiple services or resources from different domains, using a single
or federated identity, without having to re-authenticate or re-authorize each
time. SAML access can also enhance the security and privacy of the user
information, as it does not require the sharing or storing of the user
credentials or attributes between the domains, but rather relies on the
digital signatures and encryption of the SAML assertions or messages.

52
What is a common challenge when implementing Security Assertion Markup
Language (SAML) for identity integration between on premise environment
and an external identity provider service?
A Some users are not provisioned into the service
When implementing SAML for identity integration, the on-premise
environment acts as the identity provider, which authenticates the user and
issues the SAML assertion, and the external service acts as the service
provider, which receives the SAML assertion and grants access to the user.
However, if the user account or profile is not provisioned or synchronized in
the external service, the user may not be able to access the service, even if
they have a valid SAML assertion. Therefore, a common challenge when
implementing SAML for identity integration is to ensure that the user
provisioning is consistent and accurate between the on-premise
environment and the external service.
85
Which item below is a federated identity standard?
D Security Assertion Markup Language (SAML)
SAML is a standard that enables the exchange of authentication and
authorization information between different parties, such as service
providers and identity providers, using XML-based messages called
assertions. SAML can facilitate the single sign-on (SSO) process, which
allows a user to access multiple services or applications with a single login
session, without having to provide their credentials multiple times.
4
Which of the following is BEST suited for exchanging authentication
and authorization messages in a multi-party decentralized
environment?
B Security Assertion Markup Language (SAML)
7
Which of the following BEST describes the standard used to exchange
authorization information between different identity management
systems?
A Security Assertion Markup Language (SAML)
71
A security professional has been assigned to assess a web application. The
assessment report recommends switching to Security Assertion Markup
Language (SAML). What is the PRIMARY security benefit in switching
to SAML?
C The users' password is not passed during authentication.
SAML is an XML-based standard for exchanging authentication and
authorization data between parties such as a service provider and an
identity provider. SAML enables single sign-on (SSO) for web applications,
so users can access multiple services with one set of credentials. Its
primary security benefit is that the user's password is never sent to the
service provider: the user authenticates only at the identity provider,
which issues a digitally signed assertion describing the user's identity
and attributes, and the assertion can additionally be encrypted for
confidentiality. SAML itself does not provide transport confidentiality;
the HTTP bindings that carry assertions rely on TLS for that, so TLS should
be treated as a required layer of the deployment rather than an optional
extra.
93
Which of the following is the BEST Identity-as-a-Service (IDaaS) solution
for validating users?
B Security Assertion Markup Language (SAML)

100
Which of the following is a function of Security Assertion Markup
Language (SAML)?
D Policy enforcement
56
Which of the following is the BEST identity-as-a-service (IDaaS)
solution for validating users?
B Security Assertion Markup Language (SAML)
64
Which of the following BEST mitigates a replay attack against a system
using identity federation and Security Assertion Markup Language
(SAML) implementation?
C Timed sessions and Secure Socket Layer (SSL)
A replay attack captures a valid message or data and retransmits it to gain
unauthorized access or perform malicious actions. In a SAML deployment the
captured message is the signed assertion, and its signature still verifies
on replay, so the service provider must enforce the assertion's validity
window (the NotBefore and NotOnOrAfter conditions), keep a cache of assertion
IDs it has already consumed, and match the assertion's InResponseTo value to a
request it actually issued. TLS on the transport stops the assertion from
being captured in the first place.
1
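The replay defences described above, as an added example that is not part of the original study notes. The assertion is constructed for illustration, the SP and IdP URLs are placeholders, and XML signature verification is assumed to have been done beforehand by an XML-DSig library such as xmlsec (it is deliberately not implemented here).

```python
"""Added example: the replay checks a SAML service provider (SP) runs on a
received bearer assertion. Signature verification must happen first and is
assumed done; every value below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (assumed already signature-verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, audience: str, acs_url: str, skew=timedelta(seconds=60)):
        self.audience = audience      # this SP's entity ID
        self.acs_url = acs_url        # this SP's assertion consumer service URL
        self.skew = skew              # tolerated clock difference with the IdP
        self.seen_ids = {}            # replay cache: assertion ID -> expiry time

    def validate(self, xml_text: str, now: datetime, outstanding_request_ids: set) -> str:
        root = ET.fromstring(xml_text)
        assertion_id = root.get("ID")
        cond = root.find("saml:Conditions", NS)
        not_before = _ts(cond.get("NotBefore"))
        not_on_or_after = _ts(cond.get("NotOnOrAfter"))
        # 1. Timed validity: an old assertion is useless even with a good signature.
        if now < not_before - self.skew or now >= not_on_or_after + self.skew:
            return "rejected: outside validity window"
        # 2. Audience: an assertion issued for another SP must not be accepted here.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            return "rejected: wrong audience"
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        # 3. Recipient must be this SP's ACS endpoint.
        if scd.get("Recipient") != self.acs_url:
            return "rejected: wrong recipient"
        # 4. InResponseTo must name a request this SP issued and has not consumed.
        if scd.get("InResponseTo") not in outstanding_request_ids:
            return "rejected: unsolicited or already-consumed request ID"
        # 5. One-time use: remember IDs until they could no longer be valid anyway.
        self.seen_ids = {k: v for k, v in self.seen_ids.items() if v > now}
        if assertion_id in self.seen_ids:
            return "rejected: replayed assertion"
        self.seen_ids[assertion_id] = not_on_or_after + self.skew
        outstanding_request_ids.discard(scd.get("InResponseTo"))
        return "accepted"
```

The replay cache only needs to hold an ID for as long as the assertion's own NotOnOrAfter plus skew, which is why the window check comes first; in a clustered SP the cache must be shared (or the IdP must be asked to keep validity windows short), otherwise a captured assertion can be replayed against a different node.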
What is the BEST first step for determining if the appropriate security
controls are in place for protecting data at rest?
B Conduct a risk assessment
1
The PRIMARY security concern for handheld devices is the
B spread of malware during synchronization
Handheld devices are often synchronized with other devices, such as
desktops or laptops, to exchange data and update applications. This process
can introduce malware from one device to another, or vice versa, if proper
security controls are not in place
1
Which type of test would an organization perform in order to locate and
target exploitable defects?
A Penetration
1
Which of the following can be used to calculate the loss event probability?
B Number of outcomes divided by total number of possible outcomes
1
Which of the following is the BEST technique to facilitate secure software
development?
A Adhere to secure coding practices for the software application under
development
1
The Secure Shell (SSH) version 2 protocol supports
D authentication, compression, confidentiality, and integrity
1
Which of the following is a MAJOR concern when there is a need to preserve
or retain information for future retrieval?
D The technology needed to retrieve the information may not be available
in the future
1
In order for a security policy to be effective within an organization, it MUST
include
D disciplinary measures for non-compliance

1
What is the BEST control to be implemented at a login page in a web
application to mitigate the ability to enumerate users?
A Implement a generic response for a failed login attempt
User enumeration is a technique that allows an attacker to discover the
valid usernames or email addresses of the users of a web application, by
exploiting the differences in the responses or messages from the login page.
For example, if the login page displays a specific message such as "Invalid
username" or "Invalid password" when a user enters an incorrect username
or password, the attacker can use this information to guess or brute-force
the valid usernames or passwords. To prevent user enumeration, the login
page should implement a generic response for a failed login attempt, such
as "Invalid username or password", regardless of whether the username or
password is incorrect. This way, the attacker cannot distinguish between the
valid and invalid usernames or passwords, and cannot enumerate the users
of the web application
1
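The generic-response control described above, as an added example that is not from the original question bank: a vulnerable login handler beside a hardened one. The user store, password and PBKDF2 parameters are constructed for illustration.

```python
"""Added example: user enumeration through login responses, and the fix.
All names, passwords and parameters are constructed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": make_record("correct horse battery staple")}
# A real-looking record used for unknown usernames so the unknown-user path
# does the same amount of work as the known-user path.
DUMMY_RECORD = make_record("placeholder-never-matches")


def login_vulnerable(username: str, password: str) -> str:
    """Leaks account existence twice: through the message text, and through
    timing (no hash is computed for unknown users, so they answer faster)."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return "Invalid password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic message, and the same hash computation for every request."""
    salt, stored = USERS.get(username, DUMMY_RECORD)
    password_ok = hmac.compare_digest(stored, hash_password(password, salt))
    if username in USERS and password_ok:
        return "OK"
    return "Invalid username or password"
```

When checking a real application, compare more than the message text: HTTP status code, response length, redirect target and response time must all be identical for unknown and known accounts, and the registration, password-reset and account-lockout flows must not confirm existence either.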
The PRIMARY purpose of accreditation is to:
C Allow senior management to make an informed decision regarding
whether to accept the risk of operating the system.
75
Which of the following BEST describes the purpose of performing
security certification?
B To formalize the confirmation of compliance to security policies
and standards
1
Which of the following is the MAIN reason that system re-certification and
re-accreditation are needed?
C To verify that security protection remains acceptable to the
organizational security policy
79
An organization has developed a major application that has undergone
accreditation testing. After receiving the results of the evaluation, what is
the final step before the application can be accredited?
A Acceptance of risk by the authorizing official
3
The security accreditation task of the System Development Life Cycle
(SDLC) process is completed at the end of which phase?
D System implementation
The security accreditation task is completed at the end of the system
implementation phase, which is the phase where the system is
installed, configured, integrated, and tested in the target
environment. The security accreditation task involves reviewing the security
certification results and documentation, such as the security plan, the
security assessment report, and the plan of action and milestones, and
making a risk-based decision to grant, deny, or conditionally grant the
authorization to operate (ATO) the system.
1
A Denial of Service (DoS) attack on a syslog server exploits weakness in
which of the following protocols?
B Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
1
Which of the following is the BEST way to reduce the impact of an externally
sourced flood attack?
D Have the source service provider block the address
Blocking at the Source: By having the source service provider block the
malicious address, the attack traffic is stopped as close to the origin as
possible. This prevents the flood traffic from even reaching your network,
thereby reducing the load on your infrastructure and preserving your
bandwidth and resources.
98
Which of the following is the BEST way to reduce the impact of an
externally sourced flood attack?
A Have the service provider block the source address.
1
An Intrusion Detection System (IDS) has recently been deployed in a
Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets.
Which of the following BEST describes what has occurred?
A Denial of Service (DoS) attack
1
An international trading organization that holds an International
Organization for Standardization (ISO) 27001 certification is seeking to
outsource their security monitoring to a managed security service provider
(MSSP), The trading organization's security officer is tasked with drafting the
requirements that need to be included in the outsourcing contract. Which of
the following MUST be included in the contract?
D The right to audit the MSSP's security process
1
What is the MOST effective form of media sanitization to ensure residual
data cannot be retrieved?
B Destroying
1
In a dispersed network that lacks central control, which of the following is
the PRIMARY course of action to mitigate exposure?
B Implement security policies and standards, access controls, and access
limitations

1
Which of the following is a characteristic of the independent testing of a
program?
A Independent testing increases the likelihood that a test will expose the
effect of a hidden feature
1
While classifying credit card data related to Payment Card Industry Data
Security Standards (PCI-DSS), which of the following is a PRIMARY security
requirement?
C Encryption of data
1
Which of the following threats exists within an implementation of digital
signatures?
B Substitution
Substitution occurs when an attacker swaps one element of the signed package
for another: the signed document for a different document, the signature for
one taken from another document, or the signer's public key for a key the
attacker controls. A verifier that accepts the substituted pair can no longer
rely on the document's integrity or non-repudiation. The signature algorithm
alone does not prevent this; the defence is to bind the signature to its
context by using a collision-resistant hash, signing the signer's identity
and the intended recipient together with the content, and validating the
signer's public key through a trusted certificate chain rather than accepting
whatever key accompanies the document.
1
What is the GREATEST challenge of an agent-based patch management
solution?
B Requires that software be installed, running, and managed on all
participating computers
An agent-based patch management solution is a type of patch management
solution that uses software agents or programs that run on each computer
that needs to be patched
1
In setting expectations when reviewing the results of a security test, which
of the following statements is MOST important to convey to reviewers?
B The results of the tests represent a point-in-time assessment of the
target(s)
1
The security architect has been assigned the responsibility of ensuring
integrity of the organization's electronic records. Which of the following
methods provides the strongest level of integrity?
1
An organization's information security strategic plan MUST be reviewed
C whenever there are major changes to the business
1
Which of the following would an internal technical security audit BEST
validate?
C Appropriate third-party system hardening
1
Which of the following is the MOST effective attack against cryptographic
hardware modules?
C Power analysis
1
Two companies wish to share electronic inventory and purchase orders in a
supplier and client relationship. What is the BEST security solution for them?
B Set up a Virtual Private Network (VPN) between the two companies
1
Which of the following is the PRIMARY consideration when determining the
frequency an automated control should be assessed or monitored?
C The range of values of the automated control
1
Which of the following techniques is known to be effective in spotting
resource exhaustion problems, especially with resources such as processes,
memory, and connections?
D Fuzzing
1
Which of the following entails identification of data and links to business
processes, applications, and data stores as well as assignment of ownership
responsibilities?
B Security portfolio management
Security portfolio management is the process of identifying, classifying, and
managing the data assets of an organization, as well as assigning ownership
responsibilities and defining protection requirements
1
The use of private and public encryption keys is fundamental in the
implementation of which of the following?
B. Secure Sockets Layer (SSL)
1
In which process MUST security be considered during the acquisition of new
software?
B Request for proposal (RFP)
1
Which of the following is the MOST important activity an organization
performs to ensure that security is part of the overall organization culture?
D Work with senior management to meet business goals.
1
Which of the following is a recommended alternative to an integrated email
encryption system?
C Encrypt sensitive data separately in attachments
1
If compromised, which of the following would lead to the exploitation of
multiple virtual machines?
B Virtual machine monitor (HyperVisor)
1
Which of the following is a weakness of Wired Equivalent Privacy (WEP)?
A Length of Initialization Vector (IV)
1
Which of the following assessment metrics is BEST used to understand a
system's vulnerability to potential exploits?

2
What do Capability Maturity Models (CMM) serve as a benchmark for in an
organization?
D Procedures in systems development
CMMs are used to assess and improve the maturity of an organization's
processes, particularly in systems development and software engineering.
They provide a structured framework for evaluating the effectiveness,
efficiency, and quality of an organization's processes and guide continuous
improvement. By using CMMs, organizations can identify strengths and
weaknesses in their procedures and establish a path for process
enhancement.
1
Following the completion of a network security assessment, which of the
following can BEST be demonstrated?
A The effectiveness of controls can be accurately measured
1
Which of the following is an example of a vulnerability of full-disk encryption
(FDE)?
A Data at rest has been compromised when the user has authenticated to
the device
Data at rest has been compromised when the user has authenticated to the
device: Full-disk encryption is designed to protect data when the device is
turned off or in a locked state. However, once a user has authenticated and
the disk is decrypted, the data is no longer protected by FDE. If an attacker
gains access to the system while it is unlocked, they can potentially access
sensitive data.
2
Which of the following mandates the amount and complexity of security
controls applied to a security risk?
B Risk tolerance
3
To minimize the vulnerabilities of a web-based application, which of
the following FIRST actions will lock down the system and minimize the risk
of an attack?
D Apply the latest vendor patches and updates
4
Which of the following is the FIRST step in the incident response process?
D Investigate all symptoms to confirm the incident
5
What is the MOST important reason to configure unique user IDs?
A Supporting accountability
6
An organization has discovered that users are visiting unauthorized
websites using anonymous proxies. Which of the following is the BEST way
to prevent future occurrences?
D Block the Internet Protocol (IP) address of known anonymous proxies
7
Which of the following methods can be used to achieve confidentiality and
integrity for data in transit?
B Internet Protocol Security (IPSec)
8
In a multi-tenant cloud environment, what approach will secure logical
access to assets?
D Virtual private cloud (VPC)
10
Which of the following virtual network configuration options is BEST to
protect virtual machines (VM)?
C Data segmentation
2
Which of the following is the BEST method to gather evidence from a
computer's hard drive?
D Forensic imaging
4
Which testing method requires very limited or no information about
the network infrastructure?
C Black box
6
Vulnerability scanners may allow for the administrator to assign which of
the following in order to assist in prioritizing remediation activities?
C Asset values for networks
2
Which of the following is a correct feature of a virtual local area network
(VLAN)?
B Layer 3 routing is required to allow traffic from one VLAN to another

2
Access to which of the following is required to validate web session
management?
C Session state variables
3
Which of the following is the BEST way to verify the integrity of a software
patch?
A Cryptographic checksums
5
A company was ranked as high in the following National Institute of
Standards and Technology (NIST) functions: Protect, Detect, Respond and
Recover. However, a low maturity grade was attributed to the Identity
function. In which of the following controls categories does this company
need to improve when analyzing its processes individually?
A Asset Management, Business Environment, Governance and Risk
Assessment
6
A federal agency has hired an auditor to perform penetration testing on a
critical system as part of the mandatory, annual Federal Information
Security Management Act (FISMA) security assessments. The auditor is new
to this system but has extensive experience with all types of penetration
testing. The auditor has decided to begin with sniffing network traffic. What
type of penetration testing is the auditor conducting?
B Black box testing
Black box testing is a type of penetration testing that simulates an attack
from an external source with little or no prior knowledge of the target
system. The tester relies on publicly available information, such as network
scans, domain names, or email addresses, to discover and exploit the
vulnerabilities of the system. Black box testing mimics the perspective and
tactics of a real-world attacker, and evaluates the system's security posture,
resilience, and exposure
8
Which of the following is a process in the access provisioning lifecycle that
will MOST likely identify access aggregation issues?
C Review
10
Which of the following violates identity and access management best
practices?
B Generic accounts
11
A scan report returned multiple vulnerabilities affecting several production
servers that are mission critical. Attempts to apply the patches in the
development environment have caused the servers to crash. What is the
BEST course of action?
C Mitigate the risks with compensating controls
12
A network administrator is designing a new datacenter in a different region
that will need to communicate to the old datacenter with a secure
connection. Which of the following access methods would provide the BEST
security for this new datacenter?
D Site-to-site VPN
13
Which of the following are core categories of malicious attack against
Internet of Things (IOT) devices?
D Node capture and false data injection
14
What is the PRIMARY goal of fault tolerance?
B Elimination of single point of failure
15
Which of the following assessment metrics is BEST used to understand a
system's vulnerability to potential exploits?
C Identifying the number of security flaws within the system
16
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which
layer is responsible for negotiating and establishing a connection with
another node?
A Transport layer
17
A user has infected a computer with malware by connecting a Universal
Serial Bus (USB) storage device. Which of the following is MOST effective to
mitigate future infections?
C Implement centralized technical control of USB port connections
18
What is an advantage of Elliptic Curve Cryptography (ECC)?
C Opportunity to use shorter keys for the same level of security
19
An organization is implementing data encryption using symmetric ciphers
and the Chief Information Officer (CIO) is concerned about the risk of using
one key to protect all sensitive data. The security practitioner has been
tasked with recommending a solution to address the CIO's concerns. Which
of the following is the BEST approach to achieving the objective by
encrypting all sensitive data?
B Use a hierarchy of encryption keys
A hierarchy of encryption keys is a structure that involves using multiple
levels or layers of encryption keys, such as master keys, key encryption
keys, or data encryption keys, to encrypt and decrypt the data and the
keys.
21
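A two-level key hierarchy (envelope encryption), added here as an example that is not part of the original study notes. Each object is encrypted under its own data encryption key (DEK); the DEK is stored beside the ciphertext, wrapped under a versioned key encryption key (KEK). Rotating the KEK re-wraps the small DEKs and never touches the bulk data, and a leaked DEK exposes one object rather than everything. The AEAD used below is a stand-in assembled from SHAKE256 and HMAC so the example runs on the standard library alone; in production use a real AEAD such as AES-256-GCM and keep the KEK in an HSM or a cloud KMS.

```python
"""Added example: KEK -> DEK key hierarchy with KEK rotation. The AEAD is a
standard-library stand-in (SHAKE256 keystream, encrypt-then-MAC with
HMAC-SHA256), not a substitute for AES-GCM in real systems."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from one input key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # wrong key, tampering or wrong context
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyHierarchy:
    """Master key (KEK) -> one random DEK per encrypted object."""

    def __init__(self):
        self.keks = {1: os.urandom(32)}   # KEK version -> key material
        self.current = 1

    def encrypt(self, plaintext: bytes, context: bytes) -> dict:
        dek = os.urandom(32)
        return {
            "kek_version": self.current,
            "wrapped_dek": aead_encrypt(self.keks[self.current], dek, context),
            "ciphertext": aead_encrypt(dek, plaintext, context),
            "context": context,   # bound into both AEADs, e.g. table or object name
        }

    def decrypt(self, blob: dict) -> bytes:
        kek = self.keks[blob["kek_version"]]
        dek = aead_decrypt(kek, blob["wrapped_dek"], blob["context"])
        return aead_decrypt(dek, blob["ciphertext"], blob["context"])

    def rotate_kek(self, blobs) -> int:
        """Introduce a new KEK and re-wrap every DEK under it. The bulk
        ciphertext is untouched, so rotation cost is per object, not per byte."""
        self.current += 1
        self.keks[self.current] = os.urandom(32)
        for blob in blobs:
            old_kek = self.keks[blob["kek_version"]]
            dek = aead_decrypt(old_kek, blob["wrapped_dek"], blob["context"])
            blob["wrapped_dek"] = aead_encrypt(self.keks[self.current], dek, blob["context"])
            blob["kek_version"] = self.current
        return self.current
```

Binding the context (here the table or object name) into both the wrap and the data encryption means a wrapped DEK lifted from one record cannot be presented with another record's ciphertext. Once every blob references the new version, the old KEK can be destroyed; until then it must be kept, which is why the version number travels with the data.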
When writing security assessment procedures, what is the MAIN purpose of
the test outputs and reports?
B To find areas of compromise in confidentiality and integrity
23
Which of the following is considered best practice for preventing e-mail
spoofing?
B Cryptographic signature
24
A large university needs to enable student access to university resources
from their homes. Which of the following provides the BEST option for low
maintenance and ease of deployment?
C Use Secure Sockets Layer (SSL) VPN technology
SSL VPN is a type of virtual private network that uses the SSL protocol to
provide secure and remote access to the network resources over the
internet. SSL VPN does not require the installation or configuration of any
special client software or hardware on the student's device, as it can use
the web browser as the client interface. SSL VPN can also support various
types of devices, operating systems, and applications, and can provide
granular access control and encryption for the network traffic.
25
What is the PRIMARY reason for implementing change management?
D Ensure accountability for changes to the environment
26
Which of the following is NOT a required component for implementing
software configuration management systems?
B User training and acceptance
The required components for implementing software configuration
management systems are audit control and signoff, rollback and
recovery processes, and regression testing and evaluation.
Audit control and signoff are the mechanisms that ensure that the
changes and versions of the software products are authorized, documented,
reviewed, and approved by the appropriate stakeholders.
Rollback and recovery processes are the procedures that enable the
restoration of the previous state or version of the software products in case
of a failure or error.
Regression testing and evaluation are the methods that verify that the
changes and versions of the software products do not introduce new defects
or affect the existing functionality or performance.
26
Where can the Open Web Application Security Project (OWASP) list of
associated vulnerabilities be found?
A OWASP Top 10 Project
27
In configuration management, what baseline configuration information
MUST be maintained for each computer system?
A Operating system and version, patch level, applications running, and
versions
28
Why is authentication by ownership stronger than authentication by
knowledge?
C It is more difficult to duplicate.
29
Assume that a computer was powered off when an information security
professional arrived at a crime scene. Which of the following actions should
be performed after the crime scene is isolated?
C Leave the computer off and prepare the computer for transportation to
the laboratory
31
Which of the following can be used to calculate the loss event probability?
B Number of outcomes divided by total number of possible outcomes
32
Which of the following is the key requirement for test results when
implementing forensic procedures?
D The test results must be reproducible
34
A Java program is being developed to read a file from computer A and write
it to computer B, using a third computer C. The program is not working as
expected. What is the MOST probable security feature of Java preventing
the program from operating as intended?
A Least privilege
In this question the Java program reads a file from computer A and writes it
to computer B, using a third computer C. The program therefore needs
permission for both file I/O and network communication, which the Java
security model treats as sensitive, privileged actions. If the program runs
on computer C with the default or minimal permissions of the Java sandbox
(historically enforced by the SecurityManager, which JEP 411 deprecated for
removal in JDK 17), it is denied those operations and does not work as
expected.
35
Which of the following is the BEST solution to provide redundancy for
telecommunications links?
D Provide multiple links from multiple telecommunications vendors.
37
Refer to the information below to answer the question. A security
practitioner detects client-based attacks on the organization's network. A
plan will be necessary to address these concerns. What is the BEST reason
for the organization to pursue a plan to mitigate client-based attacks?
C Client-based attacks are more common and easier to exploit than
server and network based attacks.
38
The implementation of which features of an identity management system
reduces costs and administration overhead while improving audit and
accountability?
C User self-service
39
What capability would typically be included in a commercially available
software package designed for access control?
A Password encryption
41
Which of the following is MOST important when assigning ownership of an
asset to a department?
C Individual accountability should be ensured
42
Which of the following methods provides the MOST protection for
user credentials?
B Digest authentication
Digest authentication provides more protection for user credentials
compared to the other methods listed because it uses a hashing
mechanism to securely transmit passwords over the network.
Unlike Basic authentication, which sends credentials in plain text,
Digest authentication applies a hash function to the credentials
before they are sent, making it more difficult for attackers to
intercept and reuse them.
43
Which of the following should be included in a hardware retention policy?
D A plan to retain data required only for business purposes and a
retention schedule
44
An Intrusion Detection System (IDS) is generating alarms that a user
account has over 100 failed login attempts per minute. A sniffer is placed on
the network, and a variety of passwords for that user are noted. Which of
the following is MOST likely occurring?
A A dictionary attack

45
Which of the following is the MOST important element of change
management documentation?
C Business case justification
46
Secure coding can be developed by applying which one of the following?
B Applying the industry best practice coding guidelines
47
What is the BEST method to detect the most common improper
initialization problems in programming languages?
B Use automated static analysis tools that target this type of
weakness
48
Which of the following is a web application control that should be put into
place to prevent exploitation of Operating System (OS) bugs?
B Test for the security patch level of the environment
49
A security professional needs to find a secure and efficient method of
encrypting data on an endpoint. Which solution includes a root key?
Trusted Platform Module (TPM)
50
Software Code signing is used as a method of verifying what security
concept?
A Integrity

51
The application of a security patch to a product previously validated at
Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would
B require recertification
52
What is the PRIMARY benefit of relying on Security Content
Automation Protocol (SCAP)?
C Standardize specifications between software security products.
53
As a best practice, the Security Assessment Report (SAR) should include
which of the following sections?
C Remediation recommendations
54
Which of the following is MOST important when deploying digital
certificates?
B Establish a certificate life cycle management framework
55
Which of the following is a detective access control mechanism?
A Log review
56
How does an organization verify that an information system's current
hardware and software match the standard system configuration?
C By comparing the actual configuration of the system against the
baseline
57
A financial company has decided to move its main business application to
the Cloud. The legal department objects, arguing that the move of the
platform should comply with several regulatory obligations such as the
General Data Protection Regulation (GDPR) and ensure data confidentiality.
The Chief Information Security Officer (CISO) says that the cloud provider
has met all regulatory requirements and even provides its own encryption
solution with internally-managed encryption keys to address data
confidentiality. Did the CISO address all the legal requirements in this
situation?
A No, because the encryption solution is internal to the cloud
provider
58
Which of the below strategies would MOST comprehensively address the
risk of malicious insiders leaking sensitive information?
C Staff vetting, least privilege access, Data Loss Protection (DLP)
59
Which of the following attack types can be used to compromise the integrity
of data during transmission?
B Packet sniffing
60
Which of the following techniques is effective to detect taps in fiber optic
cables?
A Taking baseline signal level of the cable
61
What BEST describes the confidentiality, integrity, availability triad?
A A tool used to assist in understanding how to protect the
organization's data
62
Which of the following BEST describes the use of network architecture in
reducing corporate risks associated with mobile devices?
C Segmentation and demilitarized zone (DMZ) monitoring are
implemented to secure a virtual private network (VPN) access for mobile
device
63
A security professional has been requested by the Board of
Directors and Chief Information Security Officer (CISO) to perform
an internal and external penetration test. What is the BEST course
of action?
B Review corporate security policies and procedures
64
Which is the BEST control to meet the Statement on Standards for
Attestation Engagements 18 (SSAE-18) confidentiality category?
B Storage encryption
65
Which of the following actions MUST be performed when using Secure/Multipurpose
Internet Mail Extensions (S/MIME) before sending an encrypted message to a
recipient?
C Obtain the recipient's digital certificate
67
When conducting a security assessment of access controls, which activity
is part of the data analysis phase?
C Categorize and Identify evidence gathered during the audit
68
Which of the following is used to support the concept of defense in depth
during the development phase of a software product?
D Security auditing
B Polyinstantiation
Polyinstantiation: This is a database security technique used to prevent
inference attacks by creating multiple instances of the same data item at
different classification levels. While useful in database security, it’s not
specifically focused on the development phase of software.
69
During testing, where are the requirements to inform parent organizations,
law enforcement, and a computer incident response team documented?
B Security assessment plan
71
What type of database attack would allow a customer service employee to
determine quarterly sales results before they are publicly announced?
B Inference
A customer service employee may have some legitimate or authorized access
to some information or data from the database, such as the number of
orders, the amount of sales, or the customer feedback, and they may use
some logic, reasoning, or analysis to infer or estimate the quarterly sales
results from that information or data.
72
Which of the following is the MOST significant key management problem
due to the number of keys created?
Exponential growth when using symmetric keys
73
Which of the following will help identify the source internet protocol (IP)
address of malware being executed on a computer?
A List of open network connections
74
An advantage of link encryption in a communications network is
that it
D Encrypts all information, including headers and routing
information
76
From an asset security perspective, what is the BEST countermeasure to
prevent data theft due to data remanence when a sensitive data storage
media is no longer needed?
C Physically destroy the retired media
78
Which of the following BEST describes how access to a system is granted to
federated user accounts?
B Based on defined criteria by the Relying Party (RP)
A federated user account is a user account that is managed by an external
entity, such as an Identity Provider (IdP), and that can be used to access
multiple systems or services across different domains, such as a Relying
Party (RP).
80
Which of the following is a responsibility of the information owner?
B Defining proper access to the Information System (IS), including
privileges or access right
81
Internet Protocol Security (IPSec), Point-to-Point Tunneling Protocol (PPTP),
and Secure Sockets Layer (SSL) all use which of the following to prevent
replay attacks?
D Randomly generated nonces
A nonce is a number that is used only once in a cryptographic
communication. It is usually sent along with the encrypted message to
ensure freshness and uniqueness. A replay attack is when an attacker
intercepts and retransmits a valid message to gain unauthorized access or
cause a denial of service. By using nonces, the protocols can detect and
reject any repeated messages that have the same nonce value.
82
The application owner of a system that handles confidential data leaves an
organization. It is anticipated that a replacement will be hired in
approximately six months. During that time, which of the following should
the organization do?
B Assign a temporary application owner to the system
84
Which evidence collecting technique would be utilized when it is
believed an attacker is employing a rootkit and a quick analysis is
needed?
D Live response
Live response is an evidence collecting technique that involves analyzing a
system while it is still running, without shutting it down or altering it.
85
Which of the following is the MOST important activity an organization
performs to ensure that security is part of the overall organization culture?
D Work with senior management to meet business goals.
Alignment with Business Goals: Integrating security into the core business
goals ensures that security is seen as a critical part of the organization’s
overall mission and strategy. When senior management prioritizes security,
it sets the tone for the entire organization, making it clear that security is a
fundamental aspect of the business.
Leadership and Commitment: Senior management involvement
demonstrates a top-down commitment to security. This leadership
commitment is essential for fostering a security-conscious culture
throughout the organization.
86
If a content management system (CMS) is implemented, which one of the
following would occur?
C Developers would no longer have access to production systems.
Separation of Environments: Implementing a CMS often includes best
practices for separation of environments, where developers work in
development and testing environments, but do not have direct access to
production. This separation helps ensure that production systems remain
stable and secure, as changes are thoroughly tested before deployment.

88
What is the FIRST step for a digital investigator to perform when using best
practices to collect digital evidence from a potential crime scene?
D Confirm that the appropriate warrants were issued to the subject
of the investigation to eliminate illegal search claims
89
A Denial of Service (DoS) attack on a syslog server exploits weakness in
which of the following protocols?
B Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
A syslog server is a server that collects and stores log messages from
various devices on a network, such as routers, switches, firewalls, or
servers. A syslog server uses either TCP or UDP protocols to receive log
messages from the devices. A DoS attack on a syslog server can exploit the
weakness of these protocols by sending a large volume of fake or
malformed log messages to the syslog server, causing it to crash or become
unresponsive.
90
Which of the following attacks is dependent upon the compromise of a
secondary target in order to reach the primary target?
A Watering hole
A watering hole attack is a type of attack that targets a specific group of
users by compromising a website that they frequently visit. The attacker
then uses the compromised website to deliver malware or exploit code to
the visitors, hoping to infect their systems and gain access to their networks
or data.

91
Which of the following job functions MUST be separated to maintain data
and application integrity?
B Production control and data control functions
92
A technician wants to install a WAP in the center of a room that provides
service in a radius surrounding a radio. Which of the following antenna
types should the AP utilize?
A Omni
An omni antenna is a type of antenna that radiates radio signals in all
directions equally. It is also known as an omnidirectional antenna or a dipole
antenna. An omni antenna is suitable for a wireless access point (WAP) that
is installed in the center of a room that provides service in a radius
surrounding the radio, as it can cover a large area and reach multiple
devices.
93
What steps can be taken to prepare personally identifiable
information (PII) for processing by a third party?
C The personal information should be maintained separately
connected with a one-way reference
94
How does Radio-Frequency Identification (RFID) assist with asset
management?
D It transmits unique serial numbers wirelessly
95
Place the following information classification steps in sequential
order
1 Document the information assets – 2 Assign a classification level – 3
Apply the appropriate security markings (applying the appropriate
security markings or indicators to the information assets, based on
the classification level or the label of the information assets) – 4
Conduct periodic classification reviews – 5 Declassify information when
appropriate
96
In which process MUST security be considered during the acquisition of new
software?
B Request for proposal (RFP)
Security must be considered during the acquisition of new software in the
request for proposal (RFP) process, which is the process of soliciting bids
from potential vendors and evaluating their proposals based on predefined
criteria.
97
The restoration priorities of a Disaster Recovery Plan (DRP) are based on
which of the following documents?
C Business Impact Analysis (BIA)
98
Which of the following is considered a secure coding practice?
B Use checksums to verify the integrity of libraries
99
Which of the following should be included in a good defense-in-depth
strategy provided by object-oriented programming for software
deployment?
C Encapsulation
Encapsulation is a technique that bundles an object's (or class's) data with
the methods that operate on it, hides or restricts access to that internal
data and those methods from other objects or classes, and exposes only the
data and methods the other objects or classes actually need.
100
Which of the following is mobile device remote fingerprinting?
C Identifying a device based on common characteristics shared by all
devices of a certain type
1
An international medical organization with headquarters in the United
States (US) and branches in France wants to test a drug in both countries.
What is the organization allowed to do with the test subject's data?
D Anonymize it and process it in the US
2
From a security perspective, which of the following is a best practice to
configure a Domain Name Service (DNS) system?
D Limit zone transfers to authorized devices.
Zone transfers are the processes of replicating the DNS data from one
server to another, usually from a primary server to a secondary server.
Zone transfers can expose sensitive information about the network
topology, hosts, and services to attackers, who can use this information to
launch further attacks.
3
Which security access policy contains fixed security attributes that are used
by the system to determine a user's access to a file or object?
A Mandatory Access Control (MAC)
4
The PRIMARY security concern for handheld devices is the
B spread of malware during synchronization
5
Which of the following authorization standards is built to handle Application
Programming Interface (API) access for Federated Identity Management
(FIM)?
Open Authentication (OAuth) (OAuth tokens)
6
Which of the following is the PRIMARY risk with using open source software
in a commercial software construction?
B License agreements requiring release of modified code
7
Which of the following BEST describes a chosen plaintext attack?
A The cryptanalyst can generate ciphertext from arbitrary text.
A chosen plaintext attack is a scenario where the cryptanalyst has
access to the encryption function or device, and can choose any
plaintext and obtain the corresponding ciphertext. A chosen plaintext attack
can help the cryptanalyst to deduce the key or the algorithm, or to create a
codebook or a dictionary that maps the plaintext to the ciphertext.
The cryptanalyst does not examine the communication being sent back and
forth, as this would be a ciphertext-only attack, where the cryptanalyst
only has access to the ciphertext, and tries to infer the plaintext, the
key, or the algorithm from the statistical or linguistic analysis of the
ciphertext.
The cryptanalyst does not choose the key and algorithm to mount the
attack, as this would be a known plaintext attack, where the cryptanalyst
has access to some pairs of plaintext and ciphertext that are encrypted
with the same key and algorithm, and tries to find the key or the algorithm
from the correlation or pattern between the plaintext and the ciphertext.
The cryptanalyst is not presented with the ciphertext from which the
original message is determined, as this would be a decryption problem,
where the cryptanalyst has access to the ciphertext and the key or the
algorithm, and tries to recover the plaintext from the ciphertext.
5.
Using the cipher text and resultant cleartext message to derive the
monoalphabetic cipher key is an example of which method of
cryptanalytic attack?
A Known-plaintext attack
In this type of attack, the attacker has access to pairs of plaintext and
corresponding ciphertext. The attacker uses these pairs to deduce the
encryption key or algorithm used. For a monoalphabetic substitution cipher,
the attacker could create a frequency analysis of the plaintext and
ciphertext characters to deduce the mapping between them, thus deriving
the cipher key.
8
An audit of an application reveals that the current configuration does not
match the configuration of the originally implemented application. Which of
the following is the FIRST action to be taken?
B Verify the approval of the configuration change
9
Which of the following could cause a Denial of Service (DoS) against
an authentication system?
D Remote access audit logs
10
A company-wide penetration test result shows customers could access
and read files through a web browser. Which of the following can be
used to mitigate this vulnerability?
B Enforce the control of file directory listings
11
To comply with industry requirements, a security assessment on the
cloud server should identify which protocols and weaknesses are
being exposed to attackers on the Internet. Which of the following tools
is the MOST appropriate to complete the assessment?
D Use nmap and set the servers' public IPs as the targets
12
Which of the following would an internal technical security audit BEST
validate?
D Implementation of changes to a system
13
After the INITIAL input of a user identification (ID) and password,
what is an authentication system that prompts the user for a different
response each time the user logs on?
C Challenge response
14
The World Trade Organization's (WTO) agreement on Trade-Related
Aspects of Intellectual Property Rights (TRIPS) requires authors of
computer software to be given the
A right to refuse or permit commercial rentals
The TRIPS Agreement includes provisions that grant authors of computer
software the exclusive right to authorize or prohibit the commercial rental of
their works to the public. This right is part of the broader set of intellectual
property protections aimed at ensuring that creators can control and benefit
from the commercial use of their software.
15
What Hypertext Transfer Protocol (HTTP) response header can be
used to disable the execution of inline JavaScript and the execution
of eval()-type functions?
D Content-Security-Policy
The Content-Security-Policy (CSP) header provides a way to control the
resources the user agent is allowed to load for a given page.
Specifically, inline JavaScript and eval()-type functions are disabled by a
script-src directive (for example script-src 'self') that does not include
the 'unsafe-inline' or 'unsafe-eval' keywords.
16
A security compliance manager of a large enterprise wants to reduce the
time it takes to perform network, system, and application security
compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?
A Configuration Management Database (CMDB)
17
A project manager for a large software firm has acquired a government
contract that generates large amounts of Controlled Unclassified
Information (CUI). The organization's information security manager has
received a request to transfer project-related CUI between systems of
differing security classifications. What role provides the authoritative
guidance for this transfer?
D Mission/Business Owner
18
Below are the common phases of creating a Business Continuity/Disaster
Recovery (BC/DR) plan. Drag the remaining BC/DR phases to the
appropriate corresponding location.
1 Risk Assessment – 2 Business Impact Analysis – 3 Mitigation – 4
Strategy Development – 5 BC/DR Plan Development – 6 Training,
Testing & Auditing – 7 Plan Maintenance
Risk Assessment: identifying and quantifying the potential impacts of
disruptive events on the organization's critical business functions and
processes. Determining the recovery objectives, such as the recovery time
objective (RTO) and the recovery point objective (RPO), as well as the
recovery priorities, dependencies, and resources.
Business Impact Analysis: selecting and implementing the appropriate
recovery methods and solutions for the organization's critical business
functions and processes. Evaluating the costs and benefits of different
recovery options, such as backup, redundancy, alternate sites, or
outsourcing, and choosing the ones that meet the recovery objectives and
budget.
38
A security professional has just completed their organization's Business
Impact Analysis (BIA). Following Business Continuity Plan/Disaster Recovery
Plan (BCP/DRP) best practices, what would be the professional's NEXT step?
A Identify and select recovery strategies
19
Which of the following value comparisons MOST accurately reflects
the agile development approach?
D Working software over comprehensive documentation
20
To control the scope of a Business Continuity Management (BCM) system, a
security practitioner should identify:
A Size, nature, and complexity of the organization
21
When developing an organization's information security budget, it is
important that the
A Expected risk can be managed appropriately with the funds
allocated.
22
What is the FIRST step in developing a security test and its
evaluation?
C Identify all applicable security requirements
23
Why is it important that senior management clearly communicates the
formal Maximum Tolerable Downtime (MTD) decision?
A To provide each manager with precise direction on selecting an
appropriate recovery alternative

24
Which one of the following is a fundamental objective in handling an
incident?
A To restore control of the affected systems
25
In software development, developers should use which type of queries to
prevent a Structured Query Language (SQL) injection?
A Parameterised
26
Which of the following is an effective control in preventing
electronic cloning of Radio Frequency Identification (RFID) based
access cards?
D Asymmetric Card Authentication Key (CAK) challenge-response
27
An organization's information security strategic plan MUST be reviewed
C whenever there are major changes to the business.
28
Which of the following is the MOST important action regarding
authentication integrate their identity management with a trusted partner
organization. The human resources organization wants to maintain the
creation and management of the identities and may want to share with
other partners in the future. Which of the following options BEST serves
their needs?
A Federated identity
29
The adoption of an enterprise-wide business continuity program requires:
C A completed Business Impact Analysis (BIA).
30
What requirement MUST be met during internal security audits to ensure
that all information provided is expressed as an objective assessment
without risk of retaliation?
A The auditor must be independent and report directly to the management
31
A healthcare insurance organization chose a vendor to develop a software
application. Upon review of the draft contract, the information security
professional notices that software security is not addressed. What is the
BEST approach to address the issue?
C Update the contract so that the vendor is obligated to provide
security capabilities
32
The document that specifies services from the client's viewpoint is:
D Service Level Requirement (SLR).
Service Level Requirement (SLR): This document captures the specific
needs and expectations of the client regarding the services provided. It
focuses on what the client requires from the service provider in terms of
performance, availability, and other key metrics.
Service Level Agreement (SLA): This is a formal agreement between the
service provider and the client that defines the level of service expected.
While it includes the client's requirements, it is a negotiated document that
also outlines the provider's commitments and responsibilities.
34
Which of the following steps should be conducted during the FIRST phase of
software assurance in a generic acquisition process?
C Developing software requirements to be included in work
statement
35
In Business Continuity Planning (BCP), what is the importance of
documenting business processes?
D Provides an understanding of the organization's interdependencies
36
Which of the following management processes allots ONLY those services
required for users to accomplish their tasks, change default user passwords,
and set servers to retrieve antivirus updates?
B Configuration
37
While investigating a malicious event, only six days of audit logs from the
last month were available. What policy should be updated to address this
problem?
A Retention
39
Which of the following controls is the FIRST step in protecting privacy in an
information system?
B Data Minimization
40
What is the PRIMARY benefit of incident reporting and computer crime
investigations?
B Repairing the damage and preventing future occurrences
41
What is the MOST important factor in establishing an effective Information
Security Awareness Program?
A Obtain management buy-in
42
Refer to the information below to answer the question. A large,
multinational organization has decided to outsource a portion of their
Information Technology (IT) organization to a third-party provider's facility.
This provider will be responsible for the design, development, testing, and
support of several critical, customer-based applications used by the
organization. The organization should ensure that the third party's physical
security controls are in place so that they
B are able to limit access to sensitive information
43
Which of the following adds end-to-end security inside a Layer 2 Tunneling
Protocol (L2TP) Internet Protocol Security (IPSec) connection?
D Transport Layer Security (TLS)
44
At the destination host, which of the following OSI model layers will discard
a segment with a bad checksum in the UDP header?
C Transport
The transport layer is responsible for providing end-to-end data
transmission and reliability between the source and destination hosts. The
transport layer uses protocols such as TCP (transmission control protocol) or
UDP (user datagram protocol) to segment, encapsulate, and deliver the
data.
The transport layer also performs error detection and correction using
checksums, which are values calculated from the data and added to the
header of each segment. The checksums are verified at the destination host
to ensure the integrity of the data. If the checksum in the UDP header does
not match the expected value, the transport layer will discard the segment
as corrupted.
45
The security tool that monitors devices and records the information in a
central database for further analysis is:
D Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR): EDR tools are designed to
continuously monitor and collect activity data from endpoints (such as
computers, servers, and mobile devices) and then analyze this data for
potential threats. EDR solutions provide detailed visibility into endpoint
activities and store the collected data in a central database for further
analysis, allowing for threat detection, investigation, and response.
46
A network administrator is configuring a database server and would like to
ensure the database engine is listening on a certain port. Which of the
following commands should the administrator use to accomplish this goal?
B netstat -a
47
What is the BEST approach for maintaining ethics when a security
professional is unfamiliar with the culture of a country and is asked to
perform a questionable task?
B Become familiar with the means in which the code of ethics is applied
and considered.
48
Refer to the information below to answer the question. An organization
experiencing a negative financial impact is forced to reduce budgets and
the number of Information Technology (IT) operations staff performing basic
logical access security administration functions. Security processes have
been tightly integrated into normal IT operations and are not separate and
distinct roles. Which of the following will be the PRIMARY security concern as
staff is released from the organization?
B Loss of data and separation of duties
49
Why is planning in Disaster Recovery (DR) an interactive (iterative) process?
B It identifies omissions in the plan
50
Which Web Services Security (WS-Security) specification handles the
management of security tokens and the underlying policies for
granting access?
C WS-Authorization
46
Which Web Services Security (WS-Security) specification negotiates how
security tokens will be issued, renewed and validated? Click on the
correct specification in the image below
E WS-Trust
WS-Trust is a Web Services Security (WS-Security) specification that
negotiates how security tokens will be issued, renewed and validated. WS-
Trust defines a framework for establishing trust relationships between
different parties, and a protocol for requesting and issuing security tokens
that can be used to authenticate and authorize the parties.
87
Which Web Services Security (WS-Security) specification maintains a
single authenticated identity across multiple dissimilar
environments? Click on the correct specification in the image below.
B WS-Federation
88
When a flaw in Industrial Control System (ICS) software is discovered, what
is the GREATEST impediment to deploying a patch?
C Testing a patch in an ICS may require more resources than the
organization can commit
89
Which Hyper Text Markup Language 5 (HTML5) option presents a security
challenge for network data leakage prevention and/or monitoring?
B WebSockets
WebSockets is an HTML5 option that presents a security challenge for
network data leakage prevention and/or monitoring, as it enables a
bidirectional, full-duplex communication channel between a web browser
and a server. WebSockets can bypass the traditional HTTP request-response
model and establish a persistent connection that can exchange data in real
time. This can pose a risk of data leakage, as the data transmitted over
WebSockets may not be inspected or filtered by the network security
devices, such as firewalls, proxies, or data loss prevention systems.

84
The Open Web Application Security Project's (OWASP) Software Assurance
Maturity Model (SAMM) allows organizations to implement a flexible
software security strategy to measure organizational impact based on what
risk management aspect?
A Risk tolerance
85
A company whose Information Technology (IT) services are being delivered
from a Tier 4 data center is preparing a companywide Business Continuity
Plan (BCP). Which of the following failures should the IT manager be
concerned with?
A Application
A Tier 4 data center has an uptime rating of 99.995%, which means it can
only experience about 0.4 hours of downtime per year. Therefore, the
likelihood of a power, storage, or network failure in a Tier 4 data center is
very low, and the impact of such a failure would be minimal, as the data
center can quickly switch to alternative sources or routes.
A Tier 4 data center is the highest level of data center classification,
according to the Uptime Institute. A Tier 4 data center has the highest level
of availability, reliability, and fault tolerance, as it has multiple and
independent paths for power and cooling, and redundant and backup
components for all systems.
86
Which of the following is the MOST important consideration when
developing a Disaster Recovery Plan (DRP)?
C A recovery strategy for all business processes
87
An organization's data policy MUST include a data retention period which is
based on
D regulatory compliance
88
After acquiring the latest security updates, what must be done before
deploying to production systems?
B Install the patches on a test system
89
An organization has developed a way for customers to share information
from their wearable devices with each other. Unfortunately, the users were
not informed as to what information collected would be shared. What
technical controls should be put in place to remedy the privacy issue while
still trying to accomplish the organization's business goals?
A Default the user to not share any information.
90
What should be used immediately after a Business Continuity Plan (BCP) has
been invoked?
B Emergency procedures describing the necessary actions to be taken
following an incident that jeopardizes business operations
91
Which of the following statements BEST distinguishes a stateful packet
inspection firewall from a stateless packet filter firewall?
B The SPI inspects the traffic in the context of a session.
92
When designing a business continuity plan (BCP), what is the formula to
determine the Maximum Tolerable Downtime (MTD)?
C Recovery Time Objective (RTO) + Work Recovery Time (WRT)

93
What is the process called when impact values are assigned to the
security objectives for information types?
D System security categorization
94
How can a forensic specialist exclude from examination a large percentage
of operating system files residing on a copy of the target system?
B Create a comparison database of cryptographic hashes of the files
from a system with the same operating system and patch level.
This method is also known as file filtering or file signature analysis. It
allows the forensic specialist to quickly identify and eliminate the files
that are part of the standard operating system installation and focus on the
files that are unique or relevant to the investigation. This makes the
process of exclusion much faster and more accurate than manually deleting or
discarding files.
95
Which of the following defines the key exchange for Internet Protocol
Security (IPSec)?
B Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is a protocol that defines the key exchange for
Internet Protocol Security (IPSec). IPSec is a suite of protocols that provides
security for IP-based communications, such as encryption, authentication,
and integrity. IKE establishes a secure channel between two parties,
negotiates the security parameters, and generates the cryptographic keys
for IPSec.
96
What does the result of Cost-Benefit Analysis (CBA) on new security
initiatives provide?
A Quantifiable justification
97
Match the access control type to the example of the control type. Drag each
access control type to its corresponding example.
Administrative: Labeling of sensitive information (implemented via policy
and governance)
Technical: biometric authentication (implemented via hardware/software)
Logical: constrained user interface (software implemented)
Physical: Radio Frequency Identification (RFID) badge (physical
implementation)
Administrative: Access control that is implemented through the policies,
procedures, and processes that govern the management and monitoring of
the access control system, such as the identification, authentication,
authorization, and accountability of the subjects and the entities, as well as
the classification, labeling, and handling of the resources, data, or
information.
Technical: Access control that is implemented through the hardware,
software, or firmware components or mechanisms that enforce and execute
the access control policies and rules, such as the encryption, decryption,
hashing, or digital signature of the data, or the biometrics, tokens, or
certificates of the subjects or the entities.
Logical: Access control that is implemented through the software or
application components or mechanisms that restrict and regulate the
access or use of the resources, data, or information, based on the logic,
function, or operation of the system or the network, such as the passwords,
usernames, roles, or permissions of the subjects or the entities, or the
firewalls, routers, or switches of the system or the network.
Physical: Access control that is implemented through the physical or
tangible components or mechanisms that prevent or deter the unauthorized
or unintended access or entry to the resources, data, or information, such
as the locks, keys, doors, or windows of the premises or the facilities, or the
badges, cards, or tags of the subjects or the entities.
98
A recent security audit is reporting several unsuccessful login attempts
being repeated at specific times during the day on an Internet facing
authentication server. No alerts have been generated by the security
information and event management (SIEM) system. What PRIMARY action
should be taken to improve SIEM performance?
D Confirm alarm thresholds
99
What is the MOST effective method of testing custom application code?
B White box testing
100
Which of the following is a common risk with fiber optical communications,
and what is the associated mitigation measure?
B Light leakage, deploying shielded cable wherever feasible
1
Which of the following is a canon of the (ISC)2 Code of Ethics?
C Provide diligent and competent service to principals (the other options
were: a. Integrity first, association before self, and excellence in all we
do; b. Perform all professional activities and duties in accordance with all
applicable laws and the highest ethical standards; d. Cooperate with others
in the interchange of knowledge and ideas for mutual security)
The four canons of the (ISC)2 Code of Ethics are: 1. Protect society, the
common good, public trust and confidence, and the infrastructure. 2. Act
honorably, honestly, justly, responsibly, and legally. 3. Provide diligent
and competent service to principals. 4. Advance and protect the
profession.
2
Which of the following are the three MAIN categories of security controls?
A Administrative, technical, physical
4
What security management control is MOST often broken by collusion?
B Separation of duties
5
A security practitioner is tasked with securing the organization's Wireless
Access Points (WAP). Which of these is the MOST effective way of restricting
this environment to authorized users?
A Enable Wi-Fi Protected Access 2 (WPA2) encryption on the wireless
access point
6
Which of the following features is MOST effective in mitigating against theft
of data on a corporate mobile device which was stolen?
B Mobile Device Management (MDM) with device wipe
7
Company A is evaluating new software to replace an in-house developed
application. During the acquisition process, Company A specified the
security requirements, as well as the functional requirements. Company B
responded to the acquisition request with their flagship product that runs on
an Operating System (OS) that Company A has never used nor evaluated.
The flagship product meets all security and functional requirements as
defined by Company A. Based upon Company B's response, what step
should Company A take?
B Conduct a security review of the OS
8
Which security approach will BEST minimize Personally Identifiable
Information (PII) loss from a data breach?
B Limited collection of individuals' confidential data
9
How does identity as a service (IDaaS) provide an easy mechanism for
integrating identity service into individual applications with minimal
development effort?
A By allowing the identification logic and storage of an identity's
attributes to be maintained externally
10
Which of the following is a PRIMARY challenge when running a penetration
test?
D Determining the depth of coverage
11
At a MINIMUM, audits of permissions to individual or group accounts should
be scheduled
D Continually
12
At which phase of the software assurance life cycle should risks associated
with software acquisition strategies be identified?
B Planning phase
13
Spyware is BEST described as
C data mining for advertising
14
Which of the following is the MOST likely cause of a non-malicious data
breach when the source of the data breach was an un-marked file cabinet
containing sensitive documents?
A Ineffective data classification
15
When using Generic Routing Encapsulation (GRE) tunneling over Internet
Protocol version 4 (IPv4), where is the GRE header inserted?
B Between the delivery header and payload
16
The security operations center (SOC) has received credible intelligence that
a threat actor is planning to attack with multiple variants of a destructive
virus. After obtaining a sample set of this virus' variants and reverse
engineering them to understand how they work, a commonality was found.
All variants are coded to write to a specific memory location. It is
determined this virus is of no threat to the organization because they had
the foresight to enable what feature on all endpoints?
C Address Space Layout Randomization (ASLR)
17
Mandatory Access Controls (MAC) are based on:
A security classification and security clearance
18
Which of the following contributes MOST to the effectiveness of a security
officer?
C Integrating security into the business strategies
20
When building a data classification scheme, which of the following is the
PRIMARY concern?
A Purpose
21
What is the MOST important consideration from a data security perspective
when an organization plans to relocate?
C Conduct a gap analysis of the new facilities against existing security
requirements
22
Which of the following would MINIMIZE the ability of an attacker to exploit a
buffer overflow?
B Code review
23
Regarding asset security and appropriate retention, which of the following
INITIAL top three areas are important to focus on?
A Security control baselines, access controls, employee awareness and
training
25
What is the MOST important reason to configure unique user IDs?
A Supporting accountability
26
Individuals have been identified and determined as having a need-to-know
for the information. Which of the following access control methods MUST
include a consistent set of rules for controlling and limiting access?
D Mandatory Access Control (MAC)
Consistent Set of Rules: Mandatory Access Control (MAC) enforces access
controls based on rules set by a system administrator or security policy
administrator. These rules are consistently applied across the system and
are not subject to user discretion.
27
When is a Business Continuity Plan (BCP) considered to be valid?
D When it has been validated by realistic exercises
28
A health care provider is considering Internet access for their employees
and patients. Which of the following is the organization's MOST secure
solution for protection of data?
A Public Key Infrastructure (PKI) and digital signatures
29
Which Radio Frequency Interference (RFI) phenomenon associated with
bundled cable runs can create information leakage?
D Cross-talk
Cross-talk is a type of Radio Frequency Interference (RFI) phenomenon that
occurs when signals from one cable or circuit interfere with signals from
another cable or circuit. Cross-talk can create information leakage by
allowing an attacker to eavesdrop on or modify the transmitted data.
30
Which of the following is established to collect security information readily
available in part through implemented security controls?
C Information Security Continuous Monitoring (ISCM)
31
Which of the following is the MOST difficult to enforce when using cloud
computing?
D Data disposal
33
Which of the following command line tools can be used in the reconnaissance
phase of a network vulnerability assessment?
A dig
34
The first step prior to executing a test of an organization's disaster recovery
(DR) or business continuity plan (BCP) is:
A Identify key stakeholders
35
Which of the following is the PRIMARY reason to perform regular
vulnerability scanning of an organization network?
D Remediate known vulnerabilities
36
An organization implements a Remote Access Server (RAS). Once users
connect to the server, digital certificates are used to authenticate their
identity. What type of Extensible Authentication Protocol (EAP) would the
organization use during this authentication?
A Transport layer security (TLS)
37
Security Software Development Life Cycle (SDLC) expects application code
to be written in a consistent manner to allow ease of auditing and which of
the following?
D Enhancing
38
Which of the following controls is the most appropriate for a system
identified as critical in terms of data and function to the organization
A Preventive controls
39
At a MINIMUM, a formal review of any Disaster Recovery Plan (DRP) should
be conducted
C annually
40
Additional padding may be added to the Encapsulating Security Payload
(ESP) trailer to provide which of the following?
B partial traffic flow confidentiality
ESP can provide partial traffic flow confidentiality by padding the payload to
hide the actual length of the data. Padding can also be used to align the
payload with the encryption algorithm's block size.
41
An organization operates a legacy Industrial Control System (ICS)
to support its core business service, which cannot be replaced. Its
management MUST be performed remotely through an
administrative console software, which in turn depends on an old
version of the Java Runtime Environment (JRE) known to be
vulnerable to a number of attacks. How is this risk BEST managed?
B Air-gap and harden the host used for management purposes
Air-gapping means disconnecting the host from any network or internet
connection, so that it can only be accessed physically. Hardening means
applying security patches, disabling unnecessary services, and configuring
security settings to reduce the attack surface of the host. This way, the risk
of remote exploitation of the JRE vulnerability is minimized, and the host is
protected from other potential threats.
43
What is the PRIMARY objective of business continuity planning?
D Ensuring timely recovery of mission-critical business processes
44
Which of the following is the PRIMARY risk associated with Extensible
Markup Language (XML) applications?
D Potential sensitive data leakage
XML applications may pose a risk of sensitive data leakage, as XML data
may contain confidential or personal information, such as names,
addresses, passwords, or credit card numbers.
45
An organization decides to implement a partial Public Key Infrastructure
(PKI) with only the servers having digital certificates. What is the security
benefit of this implementation?
D Servers can authenticate themselves to the client
An organization can implement a partial PKI with only the servers having
digital certificates, which means that only the servers can prove their
identity to the clients, but not vice versa. The security benefit of this
implementation is that servers can authenticate themselves to the client,
which can prevent impersonation, spoofing, or man-in-the-middle attacks by
malicious servers.
46
A system developer has a requirement for an application to check for a
secure digital signature before the application is accessed on a user's
laptop. Which security mechanism addresses this requirement?
C Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a hardware device that securely stores
cryptographic keys, such as the private key for digital signatures. A TPM can
also perform cryptographic operations, such as generating, signing, and
verifying digital signatures. A TPM can prevent unauthorized access or
tampering with the keys and the application that uses them. A TPM can also
provide attestation, which is the ability to prove that the application has not
been modified or compromised.
47
A cybersecurity engineer has been tasked to research and implement an
ultra-secure communications channel to protect the organization's most
valuable intellectual property (IP). The primary directive in this initiative is
to ensure there is no possible way the communications can be
intercepted without detection. Which of the following is the only way to
ensure this?
D Quantum Key Distribution
48
Which of the following is an essential step before performing Structured
Query Language (SQL) penetration tests on a production system?
C Validate target systems have been backed up.
49
During a penetration test, what are the three PRIMARY objectives of the
planning phase?
C Identify rules of engagement, finalize management approval,
and determine testing goals
50
Which of the following PRIMARILY contributes to security incidents in web-
based applications?
D Improper stress testing and application interfaces
51
Which of the following is used to ensure that data mining activities will NOT
reveal sensitive data?
B Encrypt data at the field level and tightly control encryption keys
52
Which of the following is the BEST way to protect privileged accounts?
D Multi-factor authentication (MFA)
53
Which of the following BEST describes the purpose of Border Gateway
Protocol (BGP)?
D Maintain a list of efficient network paths between autonomous systems
BGP is a type of routing protocol that is used to exchange routing and
reachability information among different networks or autonomous systems
on the internet. An autonomous system is a collection of networks or routers
that are under the same administrative control or authority, and that share
a common routing policy. BGP maintains a list of efficient network paths
between autonomous systems, by selecting the best routes based on
various factors, such as the number of hops, the bandwidth, the latency, or
the policy preferences.
54
The security team plans on using automated account reconciliation in the
corporate user access review process. Which of the following must be
implemented for the BEST results with fewest errors when running the
audit?
C Clear provisioning policies
Clear provisioning policies define the rules and criteria for creating,
modifying, deleting, and reviewing user accounts and access rights, and
they provide a baseline for the automated account reconciliation
process.
55
A security professional is assessing the risk in an application and does not
take into account any mitigating or compensating controls. This type of risk
rating is an example of which of the following?
B Inherent risk
Inherent risk is the risk that exists in an application or a system before
applying any mitigating or compensating controls. Inherent risk represents
the worst-case scenario of the potential impact and likelihood of a threat
exploiting a vulnerability. Inherent risk is usually assessed by using
qualitative or quantitative methods, such as risk matrices, risk scales, or risk
formulas. Inherent risk helps to identify the areas that need the most
attention and resources, and to prioritize the implementation of controls.
Inherent risk is different from residual risk, which is the risk that remains
after applying the controls, and from transferred risk, which is the risk that
is shifted to another party.
56
The 802.1x standard provides a framework for what?
B Network authentication for wired and wireless networks
57
A security professional has been asked to evaluate the options for the
location of a new data center within a multifloor building. Concerns for the
data center include emanations and physical access controls. Which of the
following is the BEST location?
C In the core of the building
58
An organization discovers that its secure file transfer protocol (SFTP) server
has been accessed by an unauthorized person to download an unreleased
game. A recent security audit found weaknesses in some of the
organization's general information technology (IT) controls, specifically
pertaining to software change control and security patch management, but
not in other control areas. Which of the following is the MOST probable
attack vector used in the security breach?
A Buffer overflow
59
In a financial institution, who has the responsibility for assigning the
classification to a piece of information?
C Originator or nominated owner of the information
60
What is the FIRST step in reducing the exposure of a network to Internet
Control Message Protocol (ICMP) based attacks?
B Implement network access control lists (ACL)
61
In which of the following system life cycle processes should security
requirements be developed?
D System analysis
62
A company wants to implement two-factor authentication (2FA) to protect
their computers from unauthorized users. Which solution provides the MOST
secure means of authentication and meets the criteria they have set?
D Hardware token and password
63
Which of the following is TRUE for an organization that is using a third-party
federated identity service?
B The organization establishes a trust relationship with the other
organizations
65
When determining data and information asset handling, regardless of the
specific toolset being used, which of the following is one of the common
components of big data?
C Distributed data collection
66
Discretionary Access Control (DAC) is based on which of the following?
B Identification of subjects and objects
67
Which of the following explains why classifying data is an important step in
performing a Risk assessment?
D To help determine the appropriate level of data security controls
68
When determining who can accept the risk associated with a vulnerability,
which of the following is the MOST important?
D Information ownership
69
Which of the following types of devices can provide content filtering and
threat protection, and manage multiple IPSec site-to-site connections?
C Next-generation firewall
70
Contingency plan exercises are intended to do which of the following?
A Train personnel in roles and responsibilities
71
In a multi-tenant cloud environment, what approach will secure logical
access to assets?
D Virtual private cloud
A VPC is a segment of a public cloud that is isolated and dedicated to a
specific customer or tenant. A VPC enables the customer to have more
control and security over their cloud resources, such as compute, storage,
or network. A VPC can also be connected to the customer's on-premises
network or other VPCs through a secure VPN tunnel or a dedicated
connection.
72
Which of the following is the PRIMARY purpose of due diligence when an
organization embarks on a merger or acquisition?
A Assess the business risks
74
A disadvantage of an application filtering firewall is that it can lead to
B performance degradation due to the rules applied
75
How does Encapsulating Security Payload (ESP) in transport mode affect the
Internet Protocol (IP)?
B Encrypts and optionally authenticates the IP payload, but not the IP
header
76
What does electronic vaulting accomplish?
A It protects critical files
77
A financial services organization has employed a security consultant to
review processes used by employees across various teams. The consultant
interviewed a member of the application development practice and found
gaps in their threat model. Which of the following correctly represents a
trigger for when a threat model should be revised?
A A new data repository is added
78
A small office is running WiFi 4 APs, and neighboring offices do not want to
increase the throughput to associated devices. Which of the following is the
MOST cost-efficient way for the office to increase network performance?
B Disable the 2.4GHz radios
The 2.4GHz band is often crowded, not only due to other WiFi networks but
also because of interference from other devices such as microwaves,
cordless phones, and Bluetooth devices. Disabling the 2.4GHz radios can
reduce this congestion and interference, potentially improving performance
on the 5GHz band.
79
Activity to baseline, tailor, and scope security controls takes place during
which National Institute of Standards and Technology (NIST) Risk
Management Framework (RMF) step?
D Select security controls
The NIST RMF is a framework that provides a structured and flexible process
for managing the security and risk of information systems. The NIST RMF
consists of six steps: categorize IS, select security controls, implement
security controls, assess security controls, authorize IS, and monitor security
controls. The select security controls step is the step where the appropriate
security controls are identified and applied to the information system, based
on the security categorization, the risk assessment, and the organizational
policies. The select security controls step involves activities such as
baselining, tailoring, and scoping the security controls.
80
Which of the following is considered the last line of defense in regard to a
Governance, Risk Management, and Compliance (GRC) program?
A Internal audit
81
An organization with divisions in the United States (US) and the United
Kingdom (UK) processes data comprised of personal information belonging
to subjects living in the European Union (EU) and in the US. Which data
MUST be handled according to the privacy protections of General Data
Protection Regulation (GDPR)?
B Only the EU residents' data
GDPR applies to any organization that processes the personal data of the EU
residents, regardless of the location, citizenship, or nationality of the data
subjects, or the organization.
82
Which of the following is ensured when hashing files during chain of custody
handling?
C Integrity
83
What would be the MOST cost effective solution for a Disaster Recovery
(DR) site given that the organization's systems cannot be unavailable for
more than 24 hours?
A Warm site
84
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide
which of the following?
B Minimization of the need for decision making during a crisis
85
Which of the following is an example of two-factor authentication?
B Fingerprint and a smart card
86
A security manager has noticed an inconsistent application of server
security controls resulting in vulnerabilities on critical systems. What is the
MOST likely cause of this issue?
A A lack of baseline standards
87
When assessing an organization's security policy according to standards
established by the International Organization for Standardization (ISO)
27001 and 27002, when can management responsibilities be defined?
B Only when standards are defined
88
Which of the following is a characteristic of an internal audit?
D Management is responsible for reading and acting upon the internal
audit results
89
A recent information security risk assessment identified weak system
access controls on mobile devices as a high risk. In order to address this
risk and ensure only authorized staff access company information, which of
the following should the organization implement?
B Multi-factor authentication (MFA)
90
In general, servers that are facing the Internet should be placed in a
demilitarized zone (DMZ). What is MAIN purpose of the DMZ?
A Reduced risk to internal systems
91
Why MUST a Kerberos server be well protected from unauthorized access?
Kerberos is a network authentication protocol that uses symmetric
cryptography and a trusted third party, called the Key Distribution Center
(KDC), to provide secure and mutual authentication between clients and
servers. The KDC consists of two components: the Authentication Server
(AS) and the Ticket Granting Server (TGS). The AS issues a Ticket Granting
Ticket (TGT) to the client after verifying its identity and password. The TGS
issues a service ticket to the client after validating its TGT and the
requested service. The client then uses the service ticket to access the
service. The KDC stores the keys of all clients and services in its database,
and uses them to encrypt and decrypt the tickets.
93
Which of the following are Systems Engineering Life Cycle (SELC)
Technical Processes?
B Stakeholder Requirements Definition, Architectural Design,
Implementation, Verification, Operation
94
A large organization uses biometrics to allow access to its facilities. It
adjusts the biometric value for incorrectly granting or denying access so
that the two numbers are the same. What is this value called?
C Equal error rate
Equal error rate is the value of the biometric system's threshold that results
in the same false rejection rate (FRR) and false acceptance rate (FAR). FRR
is the probability that the biometric system will reject a legitimate user,
while FAR is the probability that the biometric system will accept an
impostor. Equal error rate is used to measure the accuracy and
performance of the biometric system, as it represents the point where the
system is neither too strict nor too lenient. A lower equal error rate indicates
a more reliable and secure biometric system.
95
Which of the following implementations will achieve high availability in a
website?
D Multiple geographically dispersed web servers that are configured for
failover
96
Which of the following does the security design process ensure within the
System Development Life Cycle (SDLC)?
A Proper security controls, security goals, and fault mitigation are properly
conducted
97
During an audit of system management, auditors find that the system
administrator has not been trained. What actions need to be taken at once
to ensure the integrity of systems?
D A review of all systems by an experienced administrator
98
Who would be the BEST person to approve an organization's information
security policy?
D Chief Executive Officer (CEO)
99
Host-Based Intrusion Protection (HIPS) systems are often deployed in
monitoring or learning mode during their initial implementation. What is the
objective of starting in this mode?
D Build a baseline of normal or safe system events for review
100
What principle requires that changes to the plaintext affect many parts of
the ciphertext?
A Diffusion
Diffusion is a property of a good encryption algorithm that aims to spread
the influence of each plaintext bit over many ciphertext bits, so that a small
change in the plaintext results in a large change in the ciphertext.
1
An organization has a short-term agreement with a public Cloud Service
Provider (CSP). Which of the following BEST protects sensitive data once the
agreement expires and the assets are reused?
C Use a contractual agreement to ensure the CSP wipes the data from the
storage environment
2
An organization's retail website provides its only source of revenue, so the
disaster recovery plan (DRP) must document an estimated time for each
step in the plan. Which of the following steps in the DRP will list the
GREATEST duration of time for the service to be fully operational?
B Update Domain Name System (DNS) server addresses with domain
registrar
3
Which of the following types of hosts should be operating in the
demilitarized zone (DMZ)?
A Hosts intended to provide limited access to public resources
5
The BEST method of demonstrating a company's security level to potential
customers is
A A report from an external auditor
6
A security practitioner has been tasked with establishing organizational
asset handling procedures. What should be considered that would have the
GREATEST impact to the development of these procedures?
D Information classification scheme
9
Which of the following is the MOST effective countermeasure against data
remanence?
A Destruction
10
Which of the following actions should be taken by a security professional
when a mission critical computer network attack is suspected?
C Prioritize, report, and investigate the occurrence
12
Which of the following threats exists within an implementation of digital
signatures?
B Substitution
Substitution is a threat that occurs when an attacker replaces a valid digital
signature with an invalid one, or a signature from another document. This
can compromise the integrity and non-repudiation of the signed document,
as the receiver cannot verify the authenticity and origin of the document.
Substitution can be prevented by using secure hash algorithms and
encryption to generate and protect the digital signatures.
13
In which of the following programs is it MOST important to include the
collection of security process data?
B Security continuous monitoring
14
How can an attacker exploit overflow to execute arbitrary code?
A Modify a function's return address
15
When telephones in a city are connected by a single exchange, the caller
can only connect with the switchboard operator. The operator then
manually connects the call. This is an example of which type of network
topology?
A Star
16
Which of the following protects personally identifiable information (PII) used
by financial services organizations?
B Gramm-Leach-Bliley Act (GLBA)
17
Which of the following is considered the PRIMARY security issue associated
with encrypted e-mail messages?
A Key distribution
18
Refer to the information below to answer the question. During the
investigation of a security incident, it is determined that an unauthorized
individual accessed a system which hosts a database containing financial
information. If the intrusion causes the system processes to hang, which of
the following has been affected?
B System availability
19
Which of the following would need to be configured to ensure a device with
a specific MAC address is always assigned the same IP address from DHCP?
B Reservation
20
Which of the following statements is MOST accurate regarding information
assets?
B Information assets include any information that is valuable to the
organization
21
Why would a security architect specify that a default route pointing to a
sinkhole be injected into internal networks?
B To detect the traffic destined to non-existent network destinations
A sinkhole is a device or system that attracts and redirects unwanted or
malicious traffic to a dead end, where it can be analyzed or discarded. A
default route is a route that is used when no other route matches the
destination address of a packet. A security architect may specify that a
default route pointing to a sinkhole be injected into internal networks to
detect the traffic destined to non-existent network destinations.
22
Which of the following MUST be considered when developing business rules
for a data loss prevention (DLP) solution?
B Data sensitivity
23
What does a Synchronous (SYN) flood attack do?
D Exceeds the limits for new Transmission Control Protocol/Internet
Protocol (TCP/IP) connections
24
As users switch roles within an organization, their accounts are given
additional permissions to perform the duties of their new position. After a
recent audit, it was discovered that many of these accounts maintained
their old permissions as well. The obsolete permissions identified by the
audit have been remediated and accounts have only the appropriate
permissions to complete their jobs. Which of the following is the BEST way
to prevent access privilege creep?
D Trigger-based review and certification
25
Refer to the information below to answer the question. During the
investigation of a security incident, it is determined that an unauthorized
individual accessed a system which hosts a database containing financial
information. Aside from the potential records which may have been viewed,
which of the following should be the PRIMARY concern regarding the
database information?
A Unauthorized database changes
26
Which of the following methods of suppressing a fire is environmentally
friendly and the MOST appropriate for a data center?
A Inert gas fire suppression system
27
Which of the following provides the GREATEST level of data security for a
Virtual Private Network (VPN) connection?
B Internet Protocol Security (IPSec)
28
Match the name of access control model with its associated restriction. Drag
each access control model to its appropriate restriction access on the right
Mandatory Access Control: End user cannot set controls
Discretionary Access Control (DAC): Subject has total control over
objects
Role Based Access Control (RBAC): Dynamically assigns permissions to
particular duties based on job function
Rule based access control: Dynamically assigns roles to subjects based on
criteria assigned by a custodian
29
A systems engineer is designing a wide area network (WAN) environment
for a new organization. The WAN will connect sites holding information at
various levels of sensitivity, from publicly available to highly confidential.
The organization requires a high degree of interconnectedness to support
existing business processes. What is the BEST design approach to securing
this environment?
D Align risk across all interconnected elements to ensure critical
threats are detected and handled
30
Intellectual property rights are PRIMARILY concerned with which of the
following?
A Owner's ability to realize financial gain
32
What should happen when an emergency change to a system must be
performed?
C The change must be performed immediately and then submitted to
the change board
34
Which of the following is the MOST efficient mechanism to account for all
staff during a speedy nonemergency evacuation from a large security
facility?
B Radio Frequency Identification (RFID) sensors worn by each employee
scanned by sensors at each exit door
35
For network-based evidence, which of the following contains traffic details of
all network sessions in order to detect anomalies?
D Statistical data
36
By allowing storage communications to run on top of Transmission Control
Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
B opportunity to sniff network traffic exists
37
A system has been scanned for vulnerabilities and has been found to
contain a number of communication ports that have been opened without
authority. To which of the following might this system have been subjected?
A Trojan horse
38
Which of the following is the BEST example of weak management
commitment to the protection of security assets and resources?
A Poor governance over security processes and procedures
39
Which of the following is required to determine classification and
ownership?
A System and data resources are properly identified
40
The PRIMARY outcome of a certification process is that it provides
documented
D security analyses needed to make a risk-based decision
41
Discretionary Access Control (DAC) restricts access according to
C authorizations granted to the user
43
The FIRST step in building a firewall is to
D perform a risk analysis to identify issues to be addressed
44
Which of the following processes has the PRIMARY purpose of identifying
outdated software versions, missing patches, and lapsed system updates?
B Vulnerability management
45
An application is used for funds transfer between an organization and a
third party. During a security audit, an issue was identified with the business
continuity/disaster recovery policy and procedures for this application.
Which of the following reports should the audit file with the organization?
C Service Organization Control (SOC) 2
46
The Rivest-Shamir-Adleman (RSA) algorithm is BEST suited for
which of the following operations?
C Secure key exchange for symmetric cryptography (RSA is
asymmetric but can be used in key exchange)
47
Which of the following is a PRIMARY security weakness in the design of
Domain Name System (DNS)?
B A DNS server does not authenticate source of information
48
Which of the following MUST be part of a contract to support electronic
discovery of data stored in a cloud environment?
D Identification of data location
50
What is the MAIN objective of risk analysis in Disaster Recovery (DR)
planning?
C Identify potential threats to business availability
51
Which of the following is the MOST important goal of information asset
valuation?
C Assigning a financial value to an organization's information assets
52
If virus infection is suspected, which of the following is the FIRST step for the
user to take?
C Report the incident to service desk
53
An organization outgrew its internal data center and is evaluating third-
party hosting facilities. In this evaluation, which of the following is a
PRIMARY factor for selection?
A Facility provides an acceptable level of risk
54
Which of the following types of data would be MOST difficult to detect by a
forensic examiner?
B Steganographic data
Steganography is a technique that hides data or information within other
data, such as an image, audio, video, or text file. Steganography can help
to conceal the existence, source, or content of the hidden data, and to
avoid its detection, analysis, or interception by unauthorized parties.
55
A company is planning to implement a private cloud infrastructure. Which of
the following recommendations will support the move to a cloud
infrastructure?
B Implement software-defined networking (SDN) to provide the ability for
the network infrastructure to be integrated with the control and data planes.
CISSP PRACTICE TEST
EXAMTOPICS
1.
Physical assets defined in an organization's business impact analysis
(BIA) could include which of the following?
D. Supplies kept off-site in a remote facility
2.
When assessing the audit capability of an application, which of the
following activities is MOST important?
B. Determine if audit records contain sufficient information.
3.
An organization would like to implement an authorization mechanism
that would simplify the assignment of various system access permissions
for many users with similar job responsibilities. Which type of
authorization mechanism would be the BEST choice for the organization to
implement?
A. Role-based access control (RBAC)
4.
What is the PRIMARY reason for criminal law being difficult to enforce
when dealing with cybercrime?
A. Jurisdiction is hard to define.
6.
Which part of an operating system (OS) is responsible for providing
security interfaces among the hardware, OS, and other parts of the
computing system?
D. Security kernel
7.
What process facilitates the balance of operational and economic costs
of protective measures with gains in mission capability?
D. Risk management
8.
Clothing retailer employees are provisioned with user accounts that
provide access to resources at partner businesses. All partner
businesses use common identity and access management (IAM)
protocols and differing technologies. Under the Extended Identity principle,
what is the process flow between partner businesses to allow this IAM
action?
B Clothing retailer acts as identity provider (IdP), confirms identity of
user using industry standards, then sends credentials to partner
businesses that act as a Service Provider and allow access to services.
9.
Which of the following statements BEST describes least privilege
principle in a cloud environment?
A. A single cloud administrator is configured to access core functions.
10.
An organization has been collecting a large amount of redundant and
unusable data and filling up the storage area network (SAN). Management
has requested the identification of a solution that will address ongoing
storage problems. Which is the BEST technical solution?
B Deduplication
Deduplication is a specialized data compression technique for
eliminating duplicate copies of repeating data. It improves storage
utilization by keeping only one unique instance of the data and
referring to that instance whenever the same data needs to be
stored or transmitted. This is particularly effective for reducing
redundant data and can significantly decrease the amount of storage space
needed.
11.
Which Wide Area Network (WAN) technology requires the first router
in the path to determine the full path the packet will travel, removing
the need for other routers in the path to make independent determinations?
B Multiprotocol Label Switching (MPLS)
Multiprotocol Label Switching (MPLS): MPLS is a technique used to improve
the speed and control of network traffic flow. In MPLS, the first router (the
ingress router) assigns a label to each packet. Subsequent routers (label
switch routers) use this label to make forwarding decisions, rather than
examining the packet's IP header. This label-based forwarding means that
the path through the network is predetermined by the ingress router, and
intermediate routers do not need to perform complex routing decisions
independently.
12.
Which of the following would an information security professional use to
recognize changes to content, particularly unauthorized changes?
A File Integrity Checker
13.
Which of the following is included in change management?
A User Acceptance Testing (UAT) before implementation
User Acceptance Testing (UAT) is a critical component of the change
management process. It involves testing the changes or new system
features by the end-users to ensure that they meet the required business
needs and specifications before the changes are implemented into the
production environment.
13
The change management role responsible for the overall success of the
project and supporting the change throughout the organization is:
C Program sponsor
14.
A company is enrolled in a hard drive reuse program where
decommissioned equipment is sold back to the vendor when it is no
longer needed. The vendor pays more money for functioning drives than
equipment that is no longer operational. Which method of data sanitization
would provide the most secure means of preventing unauthorized data loss,
while also receiving the most money from the vendor?
A Multi-pass wipes
15.
When reviewing vendor certifications for handling and processing of
company data, which of the following is the BEST Service Organization
Controls (SOC) certification for the vendor to possess?
A. SOC 2 Type 2
16.
Which application type is considered high risk and provides a common way
for malware and viruses to enter a network?
B. Peer-to-Peer (P2P) file sharing applications
17.
An organization is looking to include mobile devices in its asset
management system for better tracking. In which system tier of the
reference architecture would mobile devices be tracked?
A 0
Tier 0: This is the physical layer where the actual assets (such as mobile
devices, sensors, and other equipment) are located. It includes all the
physical entities that need to be tracked and managed.
Tier 1: This layer often includes controllers and gateways that connect the
physical devices to the network. It might consist of PLCs (Programmable
Logic Controllers) or other types of control systems.
Tier 2: This is typically the network layer where data from the physical
devices is transmitted. It can include switches, routers, and other network
infrastructure components.
Tier 3: This is the application layer where data is processed, analyzed, and
presented. It includes systems like asset management software, databases,
and user interfaces.
18.
Which of the following is the BEST way to protect an organization's data
assets?
B. Monitor and enforce adherence to security policies.
19.
Within a large organization, what business unit is BEST positioned to
initiate provisioning and deprovisioning of user accounts?
C. Human resources
20.
Which of the following is the PRIMARY purpose of installing a mantrap within
a facility?
C. Prevent piggybacking
21.
In the "Do" phase of the Plan-Do-Check-Act model, which of the
following is performed?
C. Ensure the business continuity policy, controls, processes, and
procedures have been implemented.
22.
What industry-recognized document could be used as a baseline reference
that is related to data security and business operations or conducting a
security assessment?
C Service Organization Control (SOC) 2 Type 2
23.
A criminal organization is planning an attack on a government network.
Which of the following scenarios presents the HIGHEST risk to the
organization?
A. Organization loses control of their network devices.
24.
Which reporting type requires a service organization to describe its
system and define its control objectives and controls that are relevant to
users' internal control over financial reporting?
B Service Organization Control 1 (SOC1)
25.
Which of the following is the BEST method to validate secure coding
techniques against injection and overflow attacks?
B Using automated programs to test for the latest known
vulnerability patterns
26.
When resolving ethical conflicts, the information security professional
MUST consider many factors. In what order should the considerations be
prioritized?
C Public safety, duties to principals, duties to individuals, and duties to
the profession
Treat all members fairly. In resolving conflicts, consider public safety and
duties to principals, individuals, and the profession in that order.
27.
Which service management process BEST helps information technology
(IT) organizations with reducing cost, mitigating risk, and improving
customer service?
C Information Technology Infrastructure Library (ITIL)
27.
A company is attempting to enhance the security of its user
authentication processes. After evaluating several options, the company
has decided to utilize Identity as a Service (IDaaS). Which of the
following factors leads the company to choose an IDaaS as their
solution?
A. In-house team lacks resources to support an on-premise solution.
28.
An organization recently suffered from a web-application attack that
resulted in stolen user session cookie information. The attacker was able
to obtain the information when a user's browser executed a script upon
visiting a compromised website. What type of attack MOST likely
occurred?
B Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS): XSS attacks occur when an attacker injects
malicious scripts (typically JavaScript) into a web application. These scripts
are then executed in the context of the victim's browser, allowing the
attacker to steal session cookies, perform actions on behalf of the user, or
modify the web page content. In this case, the compromised website
executed a script that stole user session cookie information, which is
characteristic of an XSS attack.
Cross-Site Request Forgery (CSRF): CSRF attacks trick a user into
unknowingly executing actions on a web application where they are
authenticated. They do not involve executing scripts in the victim's browser
to steal session cookies.
29.
An attack utilizing social engineering and a malicious Uniform Resource
Locator (URL) link to take advantage of a victim's existing browser
session with a web application is an example of which of the following
types of attack?
B Cross-site request forgery (CSRF)
30.
Which of the following encryption technologies has the ability to function
as a stream cipher?
B Cipher Feedback (CFB)
31.
In a disaster recovery (DR) test, which of the following would be a trait of
crisis management?
D Strategic
Crisis management often requires a broad perspective to handle complex
situations and manage various aspects simultaneously. During a DR test,
this would involve coordinating multiple teams, ensuring communication
channels are open, and managing resources effectively.
32.
Which of the following BEST describes the purpose of the reference
monitor when defining access control to enforce the security model?
A Policies to validate organization rules
The reference monitor is responsible for enforcing the security policies
and rules defined by the organization's security model. It validates
access requests against these policies to ensure that only authorized
access is granted.
33.
Which of the following is security control volatility?
A A reference to the likelihood of change in the security control.
Volatility relates to how likely a security control is to change over time due
to updates, modifications, or external factors.
34.
When auditing the Software Development Life Cycle (SDLC) which of the
following is one of the high-level audit phases?
B Risk assessment
This is a crucial high-level audit phase where the auditor identifies and
evaluates risks associated with the SDLC. Risk assessment helps determine
the areas that need more detailed examination and prioritizes audit
activities based on the level of risk.
35.
What is the term used to define where data is geographically stored in
the cloud?
B. Data sovereignty
36.
Which of the following does the security design process ensure within the
System Development Life Cycle (SDLC)?
A Proper security controls, security objectives, and security goals
are properly initiated.
37.
Which of the following is MOST important to follow when developing
information security controls for an organization?
B Exercise due diligence with regard to all risk management
information to tailor appropriate controls.
This approach ensures that security controls are based on a thorough
understanding of the organization’s specific risks and needs. By exercising
due diligence in risk management, you can tailor controls to effectively
mitigate identified risks, which makes them more relevant and effective.
40.
Which of the following is the BEST option to reduce the network attack
surface of a system?
A Disabling unnecessary ports and services
41.
The security architect is designing and implementing an internal
certification authority to generate digital certificates for all employees.
Which of the following is the
BEST solution to securely store the private keys?
A. Trusted Platform Module (TPM)
41
The existence of physical barriers, card and personal identification number
(PIN) access systems, cameras, alarms, and security guards BEST describes
this security approach?
C Defense-in-depth
42.
A hospital enforces the Code of Fair Information Practices. What practice
applies to a patient requesting their medical records from a web portal?
B. Individual participation
43.
A colleague who recently left the organization asked a security professional
for a copy of the organization's confidential incident management policy.
Which of the following is the BEST response to this request?
C. Submit the request using company official channels to ensure the
policy is okay to distribute.
44.
Which of the following BEST describes when an organization should
conduct a black box security audit on a new software project?
B When the organization is confident the final source code is
complete
This is the optimal time for a black box security audit because the software
is in its final state and ready for a comprehensive security assessment. The
audit can identify potential security issues in the software as it would be
deployed in production, ensuring all features and code are tested for
vulnerabilities.
45.
In software development, which of the following entities normally signs the
code to protect the code integrity?
A The organization developing the code
Typically, the organization that develops the code is responsible for signing
it. Code signing by the organization ensures that the software is officially
released by the organization and has not been tampered with since it was
signed. This provides assurance to users that the code is authentic and has
not been altered by a third party.
46.
Which of the following technologies can be used to monitor and
dynamically respond to potential threats on web applications?
A. Runtime application self-protection (RASP)
60
Using Address Space Layout Randomization (ASLR) reduces the
potential for which of the following attacks?
D Heap overflow
48.
In a quarterly system access review, an active privileged account was
discovered that did not exist in the prior review on the production system.
The account was created one hour after the previous access review. Which
of the following is the BEST option to reduce overall risk in addition to
quarterly access reviews?
A Implement and review risk-based alerts.
49.
A corporation does not have a formal data destruction policy. During which
phase of a criminal legal proceeding will this have the MOST impact?
A Discovery
50.
What is considered the BEST explanation when determining whether to
provide remote network access to a third-party security service?
A. Business need
51.
The acquisition of personal data being obtained by a lawful and fair
means is an example of what principle?
A Collection Limitation Principle
52.
Which of the following is the MOST appropriate control for asset data
labeling procedures?
B Logging data media to provide a physical inventory control
This control involves keeping detailed records of all data media, which
ensures that each piece of media can be tracked and accounted for. By
logging data media, you can ensure that each item is labeled correctly, and
you have a clear inventory of all assets. This helps prevent data loss and
ensures proper handling and labeling of sensitive information.
53.
What is the BEST approach to anonymizing personally identifiable
information (PII) in a test environment?
A. Randomizing data
54.
Which of the following departments initiates the request, approval, and
provisioning business process?
C Human resources (HR)
HR is usually the starting point for the process because they are responsible
for handling new hires, promotions, and other changes in employment
status. When a new employee is hired or an existing employee's role
changes, HR initiates the request for the necessary access and resources,
which then goes through the approval and provisioning process.
55.
An organization is setting a security assessment scope with the goal of
developing a Security Management Program (SMP). The next step is to
select an approach for conducting the risk assessment. Which of the
following approaches is MOST effective for the SMP?
A. Business processes based risk assessment with a focus on
business goals
57.
A security professional can BEST mitigate the risk of using a
Commercial Off-The-Shelf (COTS) solution by deploying the application
with which of the following controls in place?
B Hardened configuration
Hardening involves securing the application by configuring it in a way that
reduces its attack surface. This includes disabling unnecessary features,
applying security patches, and configuring the application to adhere to
security best practices. This control directly mitigates the risk associated
with vulnerabilities in the COTS solution.
59.
Which of the following BEST describes centralized identity
management?
A Service providers perform as both the credential and identity
provider (IdP)
This describes a scenario where a single entity provides both the credentials
(authentication) and the identity (identification).
60.
What is the MOST significant benefit of role-based access control (RBAC)?
B. Reduction in authorization administration overhead
61.
What is the MOST common security risk of a mobile device?
C. Data leakage
62.
What level of Redundant Array of Independent Disks (RAID) is configured
PRIMARILY for high-performance data reads and writes?
A. RAID-0
Striping: RAID 0 distributes data across multiple disks (at least two disks are
required), interleaving the data to increase read and write performance.
This striping allows for parallel read and write operations across all disks.
63.
What type of risk is related to the sequences of value-adding and
managerial activities undertaken in an organization?
B. Process risk
It involves potential failures, inefficiencies, or errors in the processes that
could impact the organization's ability to achieve its objectives.
64.
International bodies established a regulatory scheme that defines how
weapons are exchanged between the signatories. It also addresses
cyber weapons, including malicious software, Command and Control (C2)
software, and internet surveillance software. This is a description of which of
the following?
C. Wassenaar arrangement
The Wassenaar Arrangement on Export Controls for Conventional Arms and
Dual-Use Goods and Technologies is a multilateral export control regime. It
aims to promote transparency and responsibility in transfers of conventional
arms and dual-use goods and technologies. This includes the exchange of
cyber weapons, such as malicious software, Command and Control (C2)
software, and internet surveillance software.
65.
An organization has implemented a protection strategy to secure the
network from unauthorized external access. The new Chief Information
Security Officer (CISO) wants to increase security by better protecting the
network from unauthorized internal access. Which Network Access
Control (NAC) capability BEST meets this objective?
A. Port security
Port security allows administrators to restrict the use of physical ports on
network devices to only authorized devices or users. This prevents
unauthorized devices from gaining access to the network through physical
connections.
66.
Which section of the assessment report addresses separate
vulnerabilities, weaknesses, and gaps?
D. Key findings section
This section is specifically dedicated to summarizing the main
vulnerabilities, weaknesses, and gaps discovered during the assessment. It
provides a concise and focused list of the most critical issues identified.
67.
Why is data classification control important to an organization?
B. To ensure its integrity, confidentiality and availability
Data classification helps in applying appropriate controls to ensure that data
maintains its integrity (accuracy and reliability), confidentiality (protection
from unauthorized access), and availability (accessible and usable when
needed).
68.
To monitor the security of buried data lines inside the perimeter of a facility,
which of the following is the MOST effective control?
C. Ground sensors installed and reporting to a security event
management (SEM) system
69.
An enterprise is developing a baseline cybersecurity standard its
suppliers must meet before being awarded a contract. Which of the
following statements is TRUE about the baseline cybersecurity
standard?
C. It should be expressed in business terminology.
The baseline cybersecurity standard should be expressed as general
requirements to provide flexibility for suppliers to implement the controls in
a way that is appropriate for their specific environment and technology. This
approach allows suppliers to meet the standard using various technical
solutions and methods.
70.
Which access control method is based on users issuing access
requests on system resources, features assigned to those resources, the
operational or situational context, and a set of policies specified in terms of
those features and context?
B. Attribute Based Access Control (ABAC)
72.
What is the BEST way to restrict access to a file system on computing
systems?
A. Use least privilege at each level to restrict access.
The principle of least privilege means that each user, process, or system
component should have the minimum privileges necessary to perform its
authorized tasks. This approach ensures that users only have access to the
files and directories that they specifically need to do their job, reducing the
risk of accidental or intentional misuse of data.
73.
Which of the following is the PRIMARY reason for selecting the
appropriate level of detail for audit record generation?
B. Facilitate a root cause analysis (RCA)
74.
What is the correct order of execution for security architecture?
B Governance, strategy and program management, project
delivery, operations
75.
An international organization has decided to use a Software as a Service
(SaaS) solution to support its business operations. Which of the following
compliance standards should the organization use to assess the
international code security and data privacy of the solution?
A Service Organization Control (SOC) 2
Information Assurance Technical Framework (IATF) IS NOT a recognized
standard for assessing SaaS solutions. It is more focused on technical and
information assurance in the context of defense and military systems.
76.
An authentication system that uses challenge and response was
recently implemented on an organization's network, because the
organization conducted an annual penetration test showing that
testers were able to move laterally using authenticated credentials.
Which attack method was MOST likely used to achieve this?
A. Pass the ticket
Pass the ticket is a technique used in Windows environments where an
attacker captures a Ticket Granting Ticket (TGT) or a Ticket Granting
Service (TGS) ticket and uses it to authenticate to other services or
systems. It allows the attacker to move laterally within the network without
needing to crack passwords or hash values.
77.
Which of the following would qualify as an exception to the "right to be
forgotten" of the General Data Protection Regulation (GDPR)?
A. For the establishment, exercise, or defense of legal claims
78.
Dumpster diving is a technique used in which stage of penetration testing
methodology?
D. Discovery
78.
The security team is notified that a device on the network is infected
with malware. Which of the following is MOST effective in enabling the
device to be quickly located and remediated?
B. Information Technology Asset Management (ITAM)
79.
Which of the following threats would be MOST likely mitigated by
monitoring assets containing open source libraries for
vulnerabilities?
B Zero-day Attack
A zero-day attack exploits a previously unknown vulnerability in
software before the software developer has an opportunity to release a fix
(patch) for the vulnerability. Open source libraries often have
vulnerabilities that are publicly known, and attackers can exploit these if
they are not patched promptly. Monitoring for vulnerabilities in open source
libraries allows organizations to identify and mitigate such vulnerabilities
before they are exploited in zero-day attacks.
80.
As a design principle, which one of the following actors is responsible
for identifying and approving data security requirements in a cloud
ecosystem?
B. Cloud consumer
81.
Which of the following is performed to determine a measure of success
of a security awareness training program designed to prevent social
engineering attacks?
B. Internal assessment of the training program's effectiveness
81.
Which of the following is the MOST effective way to ensure the endpoint
devices used by remote users are compliant with an organization's
approved policies before being allowed on the network?
B Network Access Control (NAC)
MDM focuses on managing and securing mobile devices (such as
smartphones and tablets) used within an organization. While MDM is
important for enforcing policies on mobile devices, it does not cover
non-mobile endpoint devices (like laptops and desktops) and does not
typically control network access in the same comprehensive way as NAC.
82
Which one of the following BEST protects vendor accounts that are used
for emergency maintenance?
B Vendor access should be disabled until needed
83.
Which of the following BEST describes the purpose of software
forensics?
A. To determine the author and behavior of the code
Software forensics involves analyzing software to understand its origin,
purpose, functionality, and behavior. This can include identifying the author
or group responsible for developing the software and examining the
behavior of the code to detect any malicious or unintended actions.
84.
Which event magnitude is defined as deadly, destructive, and disruptive
when a hazard interacts with human vulnerability?
D. Disaster
84.
A web developer is completing a new web application security checklist
before releasing the application to production. The task of disabling
unnecessary services is on the checklist. Which web application threat is
being mitigated by this action?
B. Security misconfiguration
86.
Which of the following ensures old log data is not overwritten?
A Log Retention
Log retention policies define how long logs are retained before they are
deleted or archived. By implementing a log retention policy, organizations
ensure that old log data is kept for a specified period, which prevents it from
being overwritten prematurely.
87.
Under the General Data Protection Regulation (GDPR), what is the
maximum amount of time allowed for reporting a personal data
breach?
C. 72 hours
88.
A financial organization that works according to agile principles has
developed a new application for their external customer base to request a
line of credit. A security analyst has been asked to assess the security
risk of the minimum viable product (MVP). Which is the MOST
important activity the analyst should assess?
D The software has been code reviewed.
89.
An application developer receives a report back from the security team
showing their automated tools were able to successfully enter
unexpected data into the organization's customer service portal,
causing the site to crash. This is an example of which type of testing?
D. Negative
90.
Which of the following is the MOST effective strategy to prevent an attacker
from disabling a network?
A Design networks with the ability to adapt, reconfigure, and fail over
This approach involves designing networks with redundancy, resilience, and
failover capabilities. It ensures that if a part of the network is compromised
or disabled, the network can automatically reconfigure itself or fail over to
alternate paths or systems. This makes it difficult for an attacker to disable
the entire network.
91.
What is the FIRST step that should be considered in a Data Loss
Prevention (DLP) program?
A. Data classification
92.
Which change management role is responsible for the overall success
of the project and supporting the change throughout the organization?
B. Program sponsor
93.
A company needs to provide shared access of sensitive data on a cloud
storage to external business partners. Which of the following identity
models is the BEST to blind identity providers (IdP) and relying
parties (RP) so that subscriber lists of other parties are not disclosed?
A Proxied federation
94.
A security professional needs to find a secure and efficient method of
encrypting data on an endpoint. Which solution includes a root key?
A. Trusted Platform Module (TPM)
96.
What is the PRIMARY purpose of creating and reporting metrics for a
security awareness, training, and education program?
A Measure the effect of the program on the organization's workforce.
97.
In a DevOps environment, which of the following actions is MOST
necessary to have confidence in the quality of the changes being
made?
A. Automate functionality testing.
In DevOps, automation is a key principle to ensure fast and reliable delivery
of software changes. Automated functionality testing ensures that every
change made to the software is tested thoroughly, including both unit tests
and integration tests. This helps in catching bugs and issues early in the
development process, before changes are deployed to production.
Automated testing provides immediate feedback on the quality of changes,
which increases confidence in the software's stability and reliability.
98.
What is the MAIN purpose of a security assessment plan?
B. Provide the objectives for the security and privacy control
assessments and a detailed roadmap of how to conduct such
assessments.
98
What is the MOST important goal of conducting security assessments?
D To discover unmitigated security vulnerabilities, and propose
paths for mitigating them

IT IS NOT: To align the security program with organizational risk appetite


99.
What documentation is produced FIRST when performing an effective
physical loss control process?
C. Inventory list
100.
Which organizational department is ultimately responsible for
information governance related to e-mail and other e-records?
A. Legal
The legal department is typically responsible for ensuring that the
organization complies with laws, regulations, and standards related to
information governance, including e-mail and other electronic records. They
oversee the policies and procedures for the creation, retention, retrieval,
and disposal of electronic records to ensure legal and regulatory
compliance.
1.
A cloud service provider requires its customer organizations to enable
maximum audit logging for its data storage service and to retain the logs for
the period of three months. The audit logging generates extremely high
amount of logs. What is the MOST appropriate strategy for the log
retention?
B. Keep last week's logs in an online storage and the rest in a
near-line storage.
2.
In Federated Identity Management (FIM), which of the following
represents the concept of federation?
C. Collection of domains that have established trust among
themselves
3.
Which of the following is an indicator that a company's new user security
awareness training module has been effective?
A. More incidents of phishing attempts are being reported.
4.
An organization is trying to secure instant messaging (IM)
communications through its network perimeter. Which of the following is the
MOST significant challenge?
B. IM clients can utilize random port numbers.
6.
When developing an organization's information security budget, it is
important that the:
A. Expected risk can be managed appropriately with the funds
allocated.
7.
A subscription service which provides power, climate control, raised flooring,
and telephone wiring but NOT the computer and peripheral equipment is
BEST described as a:
A. Cold site.
A warm site has the computers but no data.
8.
An international trading organization that holds an International
Organization for Standardization (ISO) 27001 certification is seeking to
outsource their security monitoring to a managed security service
provider (MSSP). The trading organization's security officer is tasked with
drafting the requirements that need to be included in the outsourcing
contract. Which of the following MUST be included in the contract?
B. The right to audit the MSSP's security process
9.
Which of the following is the PRIMARY type of cryptography required to
support non-repudiation of a digitally signed document?
D. Asymmetric
Non-repudiation is achieved through the use of asymmetric cryptography,
specifically through digital signatures. Asymmetric cryptography uses a pair
of keys: a private key and a public key. The private key is used to create a
digital signature, and the public key is used to verify the digital signature.
This ensures that only the holder of the private key (the signer) could have
created the signature, providing non-repudiation.
10.
What is the MOST effective method to enhance security of a single sign-
on (SSO) solution that interfaces with critical systems?
A. Two-factor authentication
11.
Which of the following is MOST appropriate to collect evidence of a
zero-day attack?
A. Honeypot
12.
When assessing web vulnerabilities, how can navigating the dark web add
value to a penetration test?
B. Information may be found on related breaches and hacking.
14.
The quality assurance (QA) department is short-staffed and is unable
to test all modules before the anticipated release date of an application.
What security control is MOST likely to be violated?
A. Change management
Change management is the process of controlling changes to the
application or system. Proper change management includes thorough
testing of all changes before they are deployed into production to ensure
that they do not introduce security vulnerabilities or operational issues.
When the QA department is unable to test all modules before the release
date, there is a risk that changes could be implemented without adequate
testing. This can lead to undetected vulnerabilities or defects being
introduced into the production environment, which can compromise
security.
15.
An organization has requested storage area network (SAN) disks for a new
project. What Redundant Array of Independent Disks (RAID) level
provides the BEST redundancy and fault tolerance?
D RAID level 5
RAID 5 provides a good balance between performance, redundancy, and
capacity efficiency. It stripes data across multiple disks along with parity
information. The parity information allows for recovery of data in case one
of the disks fails. RAID 5 requires at least three disks to operate effectively,
and it provides fault tolerance equivalent to the failure of one disk.
16.
What is the FIRST step when developing an Information Security
Continuous Monitoring (ISCM) program?
B. Define an ISCM strategy based on risk tolerance.
17
Which of the following is established to collect information in accordance
with pre-established metrics, utilizing information readily available in
part through implemented security controls?
D Information Security Continuous Monitoring (ISCM)
ISCM continuously gathers data from various security controls and systems
to provide real-time visibility into the security posture of an organization. It
utilizes metrics to assess and report on security status, helping
organizations to detect security incidents and vulnerabilities promptly.

ACTUAL4TEST
1.
Which of the following is MOST important to follow when developing
information security controls for an organization?
B Exercise due diligence with regard to all risk management
information to tailor appropriate controls.
2.
While performing a security review for a new product, an information
security professional discovers that the organization's product
development team is proposing to collect government-issued
identification (ID) numbers from customers to use as unique
customer identifiers. Which of the following recommendations should be
made to the product development team?
C. Customer identifiers that do not resemble the user's
government-issued ID number should be used
3.
An information security professional is reviewing user access controls on a
customer-facing application. The application must have multi-factor
authentication (MFA) in place. The application currently requires a
username and password to login. Which of the following options would
BEST implement MFA?
D. Enter an automatically generated number from a hardware token
5.
Which of the following is a limitation of the Bell-LaPadula model?
C. It contains no provision or policy for changing data access control
and works well only with access systems that are static in
nature.
6.
Which of the following vulnerability assessment activities is BEST exemplified
by the Examine method of assessment?
B. Ensuring that system audit logs capture all relevant data fields
required by the security controls baseline
7.
Security Software Development Life Cycle (SDLC) expects application
code to be written in a consistent manner to allow ease of auditing and
which of the following?
A. enhancing
8.
Which of the following is the best reason for writing an information
security policy?
A. To support information security governance
9.
An internet software application requires authentication before a user is
permitted to utilize the resource. Which testing scenario best validates the
functionality of the application?
C) Web session testing
11.
A vehicle of a private courier company that transports backup data for
offsite storage was robbed while in transit. The incident management team
is now responsible for estimating the impact of the robbery. Which of the
following would help the incident management team to MOST effectively
analyze the business impact of the robbery?
B. Log of the transported media and its classification marking
12.
Which of the following features is MOST effective in mitigating against
theft of data on a corporate mobile device which has been stolen?
A Mobile Device Management (MDM) with device wipe
13.
A Chief Information Security Officer (CISO) of a firm which decided to
migrate to cloud has been tasked with ensuring an optimal level of
security. Which of the following would be the FIRST consideration?
A. Analyze the firm's applications and data repositories to
determine the relevant control requirements.
14.
What is the FIRST step in risk management?
A. Identify the factors that have potential to impact business.
15.
A security practitioner has been asked to model best practices for
disaster recovery (DR) and business continuity. The practitioner has
decided that a formal committee is needed to establish a business
continuity policy. Which of the following BEST describes this stage of
business continuity development?
B. Project Initiation and Management
16.
Which of the following is the BEST way to determine the success of a
patch management process?
B Auditing and assessment
17.
A global organization wants to implement hardware tokens as part of a
multifactor authentication solution for remote access. The PRIMARY
advantage of this implementation is
C it protects against unauthorized access.
18.
Utilizing a public wireless Local Area Network (WLAN) to connect to a
private network should be done only in which of the following situations?
B The client machine has a personal firewall and utilizes a Virtual
Private Network (VPN) to connect to the network
19.
When selecting a disk encryption technology, which of the following
MUST also be assured to be encrypted?
D Hibernation file
Hibernation file: This file stores the contents of the system's memory (RAM)
when the computer enters hibernation mode. It can contain sensitive
information, such as open documents, encryption keys, and session data. If
the hibernation file is not encrypted, sensitive data could be exposed when
the system is in hibernation.
20.
Which of the following processes is BEST used to determine the extent
to which modifications to an information system affect the security
posture of the system?
C. Security impact analysis
21.
What part of an organization's strategic risk assessment MOST likely
includes information on items affecting the success of the
organization?
D. Key Risk Indicator (KRI)
22.
What is the PRIMARY benefit of relying on Security Content
Automation Protocol (SCAP)?
B Standardize specifications between software security products.
23
Which of the following is the MOST effective way to ensure hardware
and software remain updated throughout an organization?
B. Use an automated configuration monitoring system
24
Which of the following is an attacker MOST likely to target to gain
privileged access to a system?
A Programs that write to system resources
25
What type of wireless network attack BEST describes an
Electromagnetic Pulse (EMP) attack?
B Denial of Service (DoS) attack
26
In order to provide dual assurance in a digital signature system, the
design MUST include which of the following?
C The hash of the signed document must be present.
27
Which of the following BEST represents the concept of least privilege?
A Access to an object is denied unless access is specifically
allowed.
28
For an organization considering two-factor authentication for secure
network access, which of the following is MOST secure?
D Smart card and biometrics
30
Which of the following events prompts a review of the disaster
recovery plan (DRP)?
C. Organizational merger
31
Which of the following should be done at a disaster site before any
item is removed, repaired, or replaced?
A. Take photos of the damage
32
What is the MINIMUM standard for testing a disaster recovery plan (DRP)?
B. As often as necessary depending upon the stability of the
environment and business requirements
33
The disaster recovery (DR) process should always include:
C. plan maintenance
34
Recovery strategies of a Disaster Recovery Plan (DRP) MUST be
aligned with which of the following?
B Applications' criticality and downtime tolerance
35
Which is MOST important when negotiating an Internet service provider
(ISP) service-level agreement (SLA) by an organization that solely
provides Voice over Internet Protocol (VoIP) services?
B Quality of Service (QoS) between applications
36
What should be used immediately after a Business Continuity Plan (BCP)
has been invoked?
B Emergency procedures describing the necessary actions to be
taken following an incident that jeopardizes business operations
37
In systems security engineering, what does the security principle of
modularity provide?
B Isolated functions and data
38
Which of the following is an important design feature for the outer door
of a mantrap?
D Allow it to be opened when the inner door of the mantrap is also open
39
Which of the following has the responsibility of information technology
(IT) governance?
C Board of Directors
40
When network management is outsourced to third parties, which of the
following is the MOST effective method of protecting critical data
assets?
C Employ strong access controls
41
What is the MOST effective countermeasure to a malicious code
attack against a mobile system?
A Sandbox
42
Drag the following Security Engineering terms on the left to the BEST
definition on the right.
Security Risk Treatment: The method used to identify feasible
security risk mitigation options and plans.
Risk: A measure of the extent to which an entity is threatened by a
potential circumstance or event, the adverse impacts that would arise
if the circumstance or event occurs, and the likelihood of occurrence.
Threat Assessment: The method used to identify and characterize the
dangers anticipated throughout the life cycle of the system.
Protection Needs: The method used to identify the confidentiality,
integrity, and availability requirements for organizational and system
assets and to characterize the adverse impact or consequences
should the asset be lost, modified, degraded, disrupted,
compromised, or become unavailable.
44
Internet Protocol (IP) source address spoofing is used to defeat
A address-based authentication
45
Upon commencement of an audit within an organization, which of the
following actions is MOST important for the auditor(s) to take?
C Meet with stakeholders to review methodology, people to be
interviewed, and audit scope.
46
An organization's internal audit team performed a security audit on the
company's system and reported that the manufacturing application is rarely
updated along with other issues categorized as minor. Six months later, an
external audit team reviewed the same system with the same scope, but
identified severe weaknesses in the manufacturing application's security
controls. What is MOST likely to be the root cause of the internal
audit team's failure in detecting these security issues?
A Inadequate test coverage analysis
47
Which of the following BEST avoids data remanence disclosure for cloud
hosted resources?
B Strong encryption and deletion of the virtual host after data is
deleted.
48
When should an application invoke re-authentication in addition to initial
user authentication?
C After a period of inactivity
49
For a service provider, which of the following MOST effectively
addresses confidentiality concerns for customers using cloud computing?
B Data segregation
51
Which event magnitude is defined as deadly, destructive, and disruptive
when a hazard interacts with human vulnerability?
A Disaster
52
Which of the following provides the MOST secure method for Network
Access Control (NAC)?
B 802.1X authentication
53
Which of the following actions MUST be taken if a vulnerability is
discovered during the maintenance stage in a System Development Life
Cycle (SDLC)?
C Make changes following principle and design guidelines
54
Who would be the BEST person to approve an organization's
information security policy?
D Chief Executive Officer (CEO)
55
A security practitioner needs an implementation solution to verify endpoint
security protections and operating system (OS) versions. Which of
the following is the BEST solution to implement?
C Network Access Control (NAC)
56
The core component of Role Based Access Control (RBAC) must be
constructed of which defined data elements?
C Roles, accounts, permissions, and protected objects
57
Even though a particular digital watermark is difficult to detect, which
of the following represents a way it might still be inadvertently removed?
A Truncating parts of the data
58
What is the FIRST step in establishing an information security program?
A Establish an information security policy.
59
A Virtual Machine (VM) environment has five guest Operating Systems
(OS) and provides strong isolation. What MUST an administrator review
to audit a user's access to data files?
D Guest OS audit logs
61
The development team has been tasked with collecting data from
biometric devices. The application will support a variety of collection data
streams. During the testing phase, the team utilizes data from an old
production database in a secure testing environment. What principle
has the team taken into consideration?
D Biometric data must be protected from disclosure.
62
Which of the following is PRIMARILY adopted for ensuring the integrity
of information is preserved?
B Transport Layer Security (TLS)
63
Which of the following is critical for establishing an initial baseline for
software components in the operation and maintenance of
applications?
B Configuration control procedures
64
Which of the following is the GREATEST risk of relying only on
Capability Maturity Models (CMM) for software to guide process
improvement and assess capabilities of acquired software?
B CMMs do not explicitly address safety and security
The idea behind the SW-CMM is that the quality of software depends on the
quality of its development process. SW-CMM does not explicitly address
security, so it is the responsibility of cybersecurity professionals and
software developers to ensure that security requirements are integrated
into the software.
65
Which security model is MOST commonly used in a commercial
environment because it protects the integrity of financial and
accounting data?
C Clark-Wilson

66
In a High Availability (HA) environment, what is the PRIMARY goal of
working with a virtual router address as the gateway to a network?
C The first of two routers fails and is reinstalled, while the second
handles the traffic flawlessly.

67
Which of the following is a covert channel type?
A Storage (or Timing)
A covert channel is a method used to transfer information in a way that
violates the system's security policy. Covert channels are typically hidden
and not intended for information transfer by design. They exploit certain
properties of the system to transmit data in a way that is not allowed by the
system's security mechanisms.
The two main types of covert channels are storage covert channels and
timing covert channels:
Storage Covert Channel:
This type of covert channel involves one process writing data to a storage
location that another process can read. This storage location can be a file,
database, or any other medium where data can be stored and later
retrieved by another process.
Example: A high-security process writes to a shared file that a low-security
process reads. The file might not be intended for communication, but by
changing certain values, the high-security process can signal information to
the low-security process.
Timing Covert Channel:
This type of covert channel involves one process modulating its use of
system resources (such as CPU time, network bandwidth, or system clock)
in a way that affects the response time of another process, which can then
interpret this modulation as data.
Example: A process might vary the timing of its requests or responses in a
network communication to encode data. Another process observing these
variations can decode the information based on the timing differences.
69
Which of the following are all elements of a disaster recovery plan
(DRP)?
B Document the actual location of the DRP, developing an incident
notification procedure, establishing recovery locations
70
In which order, from MOST to LEAST impacted, does user awareness
training reduce the occurrence of the events below?
1. User-instigated
2. Virus infiltrations (malicious code, such as a virus, worm, or Trojan)
3. Disloyal employees
4. Targeted infiltration (These are security events that are carried out
by sophisticated and persistent attackers who aim to compromise a
specific system or network, such as a nation-state, a competitor, or a
hacker group.)
71
According to best practice, which of the following groups is the MOST
effective in performing an information security compliance audit?
D External consultants
72
Which of the following is the BEST definition of Cross-Site Request
Forgery (CSRF)?
A An attack which forces an end user to execute unwanted actions on
a web application in which they are currently authenticated
73
Which of the following minimizes damage to information technology
(IT) equipment stored in a data center when a false fire alarm event
occurs?
A A pre-action system is installed.
74
What is the PRIMARY consideration when testing industrial control
systems (ICS) for security weaknesses?
D ICS are often sensitive to unexpected traffic.
ICS may also have strict timing or performance requirements that could be
disrupted by network scanning, penetration testing, or other security
activities.
76
What technique BEST describes antivirus software that detects
viruses by watching anomalous behavior?
D Heuristic
77
With what frequency should monitoring of a control occur when
implementing Information Security Continuous Monitoring (ISCM)
solutions?
C At a rate concurrent with the volatility of the security control
78
What is the FIRST step required in establishing a records retention
program?
C Identify and inventory all records.
NOT: classify records based on sensitivity (this is the 2nd step)
79
While impersonating an Information Security Officer (ISO), an attacker
obtains information from company employees about their User IDs and
passwords. Which method of information gathering has the attacker used?
C Social engineering
80
A software developer wishes to write code that will execute safely and
only as intended. Which of the following programming language types
is MOST likely to achieve this goal?
C Strongly typed
A strongly typed language also supports features such as type inference,
type checking, and type safety, which enhance the readability,
maintainability, and security of the code. Examples of strongly typed
languages are Java, C#, and Python.
A weakly typed language may also have features such as dynamic typing,
duck typing, or polymorphism, which enable the code to handle different
types of data or objects at run time. Examples of weakly typed languages
are JavaScript, PHP, and Perl.
81
Which of the following is the MOST secure protocol for remote
command access to the firewall?
A Secure Shell (SSH)
82
Why is planning in Disaster Recovery (DR) an interactive process?
B It identifies omissions in the plan
83
When constructing an Information Protection Policy (IPP), it is
important that the stated rules are necessary, adequate, and
D Achievable
84
While inventorying storage equipment, it is found that there are unlabeled,
disconnected, and powered off devices. Which of the following is
the correct procedure for handling such equipment?
C They should be inspected and sanitized following the organizational
policy
85
Which of the following is the PRIMARY reason for selecting the
appropriate level of detail for audit record generation?
B Facilitate a root cause analysis (RCA)
86
To minimize the vulnerabilities of a web-based application, which of
the following FIRST actions will lock down the system and minimize the
risk of an attack?
D Apply the latest vendor patches and updates
87
Which type of test would an organization perform in order to locate
and target exploitable defects?
A Penetration
88
In Disaster Recovery (DR) and business continuity training, which BEST
describes a functional drill?
B A specific test by response teams of individual emergency response
functions
89
An engineer in a software company has created a virus creation tool. The
tool can generate thousands of polymorphic viruses. The engineer is
planning to use the tool in a controlled environment to test the company's
next generation virus scanning software. Which would BEST describe the
behavior of the engineer and why?
D The behavior is not ethical because such a tool could be leaked on
the Internet.
90
A security professional has reviewed a recent site assessment and has
noted that a server room on the second floor of a building has Heating,
Ventilation, and Air Conditioning (HVAC) intakes on the ground level that
have ultraviolet light filters installed, Aero-K Fire suppression in the
server room, and pre-action fire suppression on floors above the server
room. Which of the following changes can the security professional
recommend to reduce risk associated with these conditions?
D Elevate the HVAC intake by constructing a plenum or external
shaft over it and convert the server room fire suppression to a pre-
action system
92
Which of the following is a common term for log reviews, synthetic
transactions, and code reviews?
A Security control testing
93
A security practitioner detects client-based attacks on the organization's
network. A plan will be necessary to address these concerns. What MUST
the plan include in order to reduce client-side exploitation?
D Employee education
94
Which of the following is the PRIMARY reason for employing physical
security personnel at entry points in facilities where card access is in
operation?
D To provide a safe environment for employees.
95
A security architect is responsible for the protection of a new home banking
system. Which of the following solutions can BEST improve the
confidentiality and integrity of this external system?
C One-time Password (OTP) token
96
Which of the following is the MOST beneficial to review when performing
an IT audit?
B Security log
97
The Chief Information Security Officer (CISO) of a small organization is
making a case for building a security operations center (SOC). While
debating between an in-house, fully outsourced, or a hybrid capability,
which of the following would be the MAIN consideration, regardless of the
model?
D Scope and service catalog
The scope and service catalog define the objectives, functions, and
deliverables of the SOC, such as monitoring, detection, analysis, response,
and reporting of security incidents and events. The scope and service
catalog also specify the roles and responsibilities, processes and
procedures, standards and metrics, and tools and technologies that the SOC
will use to perform its tasks. The scope and service catalog should align with
the organization's security policies and strategies, and meet the
expectations and requirements of the stakeholders and customers.
99
Which of the following threats would be MOST likely mitigated by
monitoring assets containing open source libraries for vulnerabilities?
B Zero-day attack
A zero-day attack is a type of attack that exploits a previously unknown or
undisclosed vulnerability in a system or application, before the vendor or
developer can release a patch or a fix for the vulnerability.
1
The quality assurance (QA) department is short-staffed and is unable to
test all modules before the anticipated release date of an
application. What security control is MOST likely to be violated?
D Change management
2
The stringency of an Information Technology (IT) security assessment
will be determined by the
B sensitivity of the system's data
3
Which is the PRIMARY mechanism for providing the workforce with the
information needed to protect an agency's vital information resources?
A Incorporating security awareness and training as part of the
overall information security program
4
By carefully aligning the pins in the lock, which of the following defines
the opening of a mechanical lock without the proper key?
B Lock picking
5
Which of the following is the MOST important action regarding
authentication?
B Enrolling in the system
6
A criminal organization is planning an attack on a government network.
Which of the following scenarios presents the HIGHEST risk to the
organization?
B Organization loses control of their network devices
7
Which of the following is the MOST significant benefit to implementing a
third-party federated identity architecture?
D Enable business objectives so departments can focus on mission
rather than the business of identity management
8
The Industrial Control System (ICS) Computer Emergency Response Team
(CERT) has released an alert regarding ICS-focused malware
specifically propagating through Windows-based business networks.
Technicians at a local water utility note that their dams, canals, and locks
controlled by an internal Supervisory Control and Data Acquisition (SCADA)
system have been malfunctioning. A digital forensics professional is
consulted in the Incident Response (IR) and recovery. Which of the
following is the MOST challenging aspect of this investigation?
C Volatility of data
10
Transport Layer Security (TLS) provides which of the following capabilities
for a remote access server?
C Peer identity authentication
11
The BEST example of the concept of "something that a user has" when
providing an authorized user access to a computing system is
B A credential stored in a token.
12
Point-to-Point Protocol (PPP) was designed to specifically address
what issue?
D The security of dial-up connections to remote networks
13
An organization recently suffered from a web-application attack that
resulted in stolen user session cookie information. The attacker was
able to obtain the information when a user's browser executed a
script upon visiting a compromised website. What type of attack MOST
likely occurred?
A Cross-Site Scripting
14.
In which of the following system life cycle processes should security
requirements be developed?
D System analysis
15
In the common criteria, which of the following is a formal document
that expresses an implementation-independent set of security
requirements?
C Protection Profile
In the common criteria, a Protection Profile (PP) is a formal document that
expresses an implementation-independent set of security
requirements for a category of products or systems that share a
common security problem or objective. A PP defines the security
problem, the security objectives, the security functional requirements,
and the security assurance requirements for the intended products or
systems.
16
Which one of the following is an advantage of an effective release
control strategy from a configuration control standpoint?
A Ensures that a trace for all deliverables is maintained and
auditable
17
Which of the following is a network intrusion detection technique?
A Statistical anomaly
18
Which of the following methods MOST efficiently manages user
accounts when using a third-party cloud-based application and
directory solution?
B Directory synchronization
19
As one component of a physical security system, an Electronic Access
Control (EAC) token is BEST known for its ability to
A Overcome the problems of key assignments
20
Which of the following MUST an organization do to effectively
communicate its security strategy to all affected parties?
D Remove potential communication barriers
21
The personal laptop of an organization executive is stolen from the office,
complete with personnel and project records. Which of the following should
be done FIRST to mitigate future occurrences?
C Create policies addressing critical information on personal
laptops.
22
Which of the following is the MOST important consideration when
developing a Disaster Recovery Plan (DRP)?
C A recovery strategy for all business processes
23
Which of the following provides the minimum set of privileges required
to perform a job function and restricts the user to a domain with the
required privileges?
B Access based on user's role
24
What is the FIRST step that should be considered in a Data Loss
Prevention (DLP) program?
D Data classification
25
The adoption of an enterprise-wide business continuity program
requires which of the following?
B Good communication throughout the organization
26
Which would result in the GREATEST impact following a breach to a
cloud environment?
A The hypervisor host is poorly secured
27
Why is a system's criticality classification important in large
organizations?
A It provides for proper prioritization and scheduling of security and
maintenance tasks.
28
Which of the following represents the GREATEST risk to data
confidentiality?
C Backup tapes are generated unencrypted
29
Which of the following is an advantage of on premise Credential
Management Systems?
B Control over system configuration
31
An internal audit for an organization recently identified malicious actions
by a user account. Upon further investigation, it was determined the
offending user account was used by multiple people at multiple
locations simultaneously for various services and applications. What is
the BEST method to prevent this problem in the future?
C Ensure each user has their OWN UNIQUE ACCOUNT
32
What is the MAIN feature that onion routing networks offer?
C Anonymity
33
Which of the following explains why record destruction requirements
are included in a data retention policy?
A To comply with legal and business requirements
34
Which of the following approaches is the MOST effective way to dispose of
data on multiple hard drives?
D Perform multiple passes on each drive using approved formatting
methods.
DON’T USE Degaussing BECAUSE IT MAY damage the hard drive
components and render them unusable.
35
What is the PRIMARY advantage of using automated application
security testing tools?
B Large amounts of code can be tested using fewer resources.
36
Which of the following is the best practice for testing a Business Continuity
Plan (BCP)?
B Test when environment changes
37
An Intrusion Detection System (IDS) is based on the general hypothesis that
a security violation is associated with a pattern of system usage which can
be
A differentiated from a normal usage pattern.
38
Which of the following are mandatory canons for the (ISC)² Code of Ethics?
B Perform honestly, fairly, responsibly, and lawfully for the organization.
39
Which of the following is the MOST important consideration when
storing and processing Personally Identifiable Information (PII)?
D Adherence to collection limitation laws and regulations.
41
Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
only provides which of the following?
C User authentication
EAP-MD5 is considered insecure and vulnerable to various attacks, such as
offline dictionary attacks, man-in-the-middle attacks, or replay attacks, and
should not be used in modern networks.
5.
Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of
assurance that their data will remain protected by using which
protocol?
A. Extensible Authentication Protocol (EAP)
Given these choices, A. Extensible Authentication Protocol (EAP) is the most
relevant because it is a part of the WPA2 framework used during the
authentication phase, even though it is not the encryption protocol
used to protect the data (which is AES).
10.
When configuring Extensible Authentication Protocol (EAP) in a
Voice over Internet Protocol (VoIP) network, which of the following
authentication types is the MOST secure?
A. EAP-Transport Layer Security (TLS)
EAP-TLS is more secure than the tunneled methods; PEAP, by contrast, runs
EAP inside a tunnel.
42
Which of the following criteria ensures information is protected
relative to its importance to the organization?
B Legal requirements, value, criticality, and sensitivity to unauthorized
disclosure or modification
43
An organization is found lacking the ability to properly establish
performance indicators for its Web hosting solution during an audit. What
would be the MOST probable cause?
D Insufficient Service Level Agreement (SLA)
44
Which type of control recognizes that a transaction amount is
excessive in accordance with corporate policy?
A Detection
45
Which of the following is TRUE about Disaster Recovery Plan (DRP)
testing?
B Testing should continue even if components of the test fail.
46
Computer forensics require which of the following as MAIN steps?
C Acquire the data without altering, authenticate the recovered data,
and analyze the data
47
Why are mobile devices sometimes difficult to investigate in a forensic
examination?
C They may contain cryptographic protection.
48
A security analyst for a large financial institution is reviewing network traffic
related to an incident. The analyst determines the traffic is irrelevant to the
investigation, but in the process of the review the analyst also finds that an
application's data, which included full credit card cardholder data, is
transferred in clear text between the server and users' desktops. The
analyst knows this violates the Payment Card Industry Data Security
Standard (PCI-DSS). Which of the following is the analyst's next step?
C Follow organizational processes to alert the proper teams to
address the issue.
49
Which of the following types of technologies would be the MOST cost-
effective method to provide a reactive control for protecting personnel
in public areas?
C Supply a duress alarm for personnel exposed to the public
50
Which of the following would be the BEST guideline to follow when
attempting to avoid the exposure of sensitive data?
A Store sensitive data only when necessary.
51
Which of the following describes the concept of a Single Sign-On (SSO)
system?
C Users are authenticated to multiple systems with one login.
52
What is the correct order of steps in an information security
assessment? Place the information security assessment steps on the left
next to the numbered boxes on the right in the correct order
Step 1: Define the perimeter (scope)
Step 2: Identify the vulnerability (vulnerability assessment)
Step 3: Assess the risk (risk assessment)
Step 4: Determine the actions (remediation)
53
Which of the following BEST describes when an organization should
conduct a black box security audit on a new software product?
D When the organization is confident the final source code is complete
54
Which media sanitization methods should be used for data with a high
security categorization?
D Purge or destroy
55
What is the MOST important element when considering the effectiveness of
a training program for Business Continuity (BC) and Disaster Recovery (DR)?
A Management support
56
A company developed a web application which is sold as a Software as
a Service (SaaS) solution to the customer. The application is hosted by a
web server running on a specific operating system (OS) on a virtual
machine (VM). During the transition phase of the service, it is determined
that the support team will need access to the application logs. Which
of the following privileges would be the MOST suitable?
B Administrative privileges on the web server
57
The Chief Information Security Officer (CISO) is concerned about
business application availability. The organization was recently subject
to a ransomware attack that resulted in the unavailability of applications
and services for 10 working days that required paper-based running of all
main business processes. There are now aggressive plans to enhance the
Recovery Time Objective (RTO) and cater for more frequent data captures.
Which of the following solutions should be implemented to fully comply with
the new business requirements?
A Virtualization
13
A security architect is reviewing plans for an application with a Recovery
Point Objective (RPO) of 15 minutes. The current design has all of the
application infrastructure located within one co-location data center. Which
security principle is the architect currently assessing?
B Availability
Recovery Time Objective (RTO) (max allowed system downtime):
The maximum acceptable length of time that a system, application, or
process can be down after a failure or disaster occurs.
Purpose: RTO determines how quickly you need to restore your systems
and services to avoid unacceptable consequences.
Recovery Point Objective (RPO) (Max allowed data loss): The
maximum acceptable amount of data loss measured in time. It defines the
point in time to which data must be restored to resume business operations
after a disaster.
Purpose: RPO determines how frequently data backups or
replications need to be made to minimize data loss.
82
A security architect is reviewing plans for an application with a Recovery
Point Objective (RPO) of 15 minutes. The current design has all of the
application infrastructure located within one co-location data center.
Which security principle is the architect currently assessing?
A Availability
Availability is one of the three components of the CIA triad, along with
confidentiality and integrity. A security architect is assessing the availability
of an application by reviewing its Recovery Point Objective (RPO), which
is the maximum amount of data loss that is acceptable in the event of
a disaster or disruption. The RPO determines how frequently the data
should be backed up or replicated.
Disaster recovery (DR) is the process of restoring the normal operations
of an organization after a disaster or disruption. DR involves the
implementation of a DR plan, which defines the roles, responsibilities,
procedures, and resources for recovering the critical functions and systems
of the organization.
Business continuity (BC) is the process of ensuring the continuity of the
essential functions and operations of an organization during and after a
disaster or disruption. BC involves the implementation of a BC plan, which
defines the scope, objectives, strategies, and actions for maintaining the
business processes and services of the organization.
65
During the risk assessment phase of the project the CISO discovered that a
college within the University is collecting Protected Health Information (PHI)
data via an application that was developed in-house. The college collecting
this data is fully aware of the regulations for Health Insurance Portability
and Accountability Act (HIPAA) and is fully compliant. What is the best
approach for the CISO?
D Notate the information and move on
68
Which of the following BEST describes Recovery Time Objective
(RTO)?
C Time of application resumption after disaster
The Recovery Time Objective (RTO) is a key concept in business continuity
and disaster recovery planning. It represents the maximum acceptable
amount of time that an IT service, application, system, or process
38.
When recovering from an outage, what is the Recovery Point Objective
(RPO), in terms of data recovery?
A The RPO is the maximum amount of time for which loss of data is
acceptable.
59
When auditing the Software Development Life Cycle (SDLC) which of the
following is one of the high-level audit phases?
D Planning
The planning phase also involves conducting the preliminary risk
assessment, the background research, and the stakeholder analysis of the
audit entity, and developing the audit plan, the audit checklist, and the
audit schedule
60
Which of the following is the BEST way to protect an organization's
data assets?
B Encrypt data in transit and at rest using up-to-date cryptographic
algorithms.
62
What are the roles within a scrum methodology?
D Product owner, scrum master, and scrum team
63
If virus infection is suspected, which of the following is the FIRST step for the
user to take?
C Report the incident to service desk
65
Which of the following is the MOST significant key management problem
due to the number of keys created?
D Exponential growth when using symmetric keys
When using symmetric encryption, the number of keys created grows
exponentially with the number of users or devices involved. For example, if
there are n users or devices that need to communicate securely with each
other, then each user or device needs to have a unique key for each other
user or device.
66
A client has reviewed a vulnerability assessment report and has
stated it is inaccurate. The client states that the vulnerabilities listed
are not valid because the host's Operating System (OS) was not properly
detected. Where in the vulnerability assessment process did the error
MOST likely occur?
A Detection
67
The use of private and public encryption keys is fundamental in the
implementation of which of the following?
B Secure Sockets Layer (SSL)
68
Without proper signal protection, embedded systems may be prone to
which type of attack?
C Information disclosure
69
Which of the following security objectives for industrial control
systems (ICS) can be adapted to securing any Internet of Things
(IoT) system?
D Protect individual components from exploitation
70
What is the second step in the identity and access provisioning lifecycle?
B Review
71
Which of the following is a common measure within a Local Area Network
(LAN) to provide an additional level of security through segmentation?
A Building virtual local area networks (VLANs)
72
For a federated identity solution, a third-party Identity Provider (IdP) is
PRIMARILY responsible for which of the following?
C Authentication
A federated identity solution is a system that allows users to access
multiple services or applications across different domains or organizations
using a single identity and credential. A federated identity solution involves
two main parties: the Identity Provider (IdP) and the Service Provider
(SP). The IdP is the party that verifies/authenticates the identity and
credential of the user and issues a security token or assertion to the user.
The SP is the party that provides access control, account management,
authorization and the service or application that the user wants to access
and relies on the security token or assertion from the IdP.
73
What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?
C To find out what does not work and fix it
75
Which of the following findings would MOST likely indicate a high risk in a
vulnerability assessment report?
D End of life system detected
76
Retaining system logs for six months or longer can be valuable for what
activities?
B Forensics and incident response
77
Which of the following standards/guidelines requires an Information
Security Management System (ISMS) to be defined?
A International Organization for Standardization (ISO) 27000 family
78
Which of the following MUST system and database administrators be
aware of and apply when configuring systems used for storing personal
employee data?
B The organization's security policies and standards
79
Which of the following is the MOST effective strategy to prevent an attacker
from disabling a network?
B Design networks with the ability to adapt, reconfigure, and fail over.
80
An access control list (ACL) on a router is a feature MOST similar to
which type of firewall?
A Packet filtering firewall.
81
A client server infrastructure that provides user-to-server
authentication describes which one of the following?
B Kerberos
Kerberos is a client server infrastructure that provides user-to-server
authentication, as well as mutual authentication, ticket-based
authentication, and symmetric key encryption. Kerberos is based on the
concept of a trusted third party, called the Key Distribution Center (KDC)
that issues tickets to clients and servers to authenticate each other and
establish a secure session.
82
Which of the following disaster recovery test plans will be MOST effective
while providing minimal risk?
B Parallel
83
Compared with hardware cryptography, software cryptography is
generally
A less expensive and slower
84
Why should Open Web Application Security Project (OWASP) Application
Security Verification standards (ASVS) Level 1 be considered a MINIMUM
level of protection for any web application?
B Opportunistic attackers will look for any easily exploitable
vulnerable applications.
85
Which type of disaster recovery plan (DRP) testing carries the MOST
operational risk?
A Cutover
86
Mandatory Access Controls (MAC) are based on:
A security classification and security clearance
87
Which of the following is a common characteristic of privacy?
B Notice to the subject of the existence of a database containing
relevant credit card data
88
Which of the following is the MOST common cause of system or
security failures?
C Lack of Change Control
89
The security organization is looking for a solution that could help them
determine with a strong level of confidence that attackers have breached
their network. Which solution is MOST effective at discovering a successful
network breach?
A Deploying a honeypot
A honeypot is a decoy system that is designed to attract and trap attackers
who attempt to breach a network. A honeypot can provide a high level of
confidence that attackers have breached the network, as it can record their
activities, techniques, tools, and motives.
90
A development operations team would like to start building new applications
delegating the cybersecurity responsibility as much as possible to
the service provider. Which of the following environments BEST fits their
need?
B Cloud application container within a Virtual Machine (VM)
91
In addition to protection of LIFE, which of the following elements is MOST
important when planning a data center site?
A Data and hardware
When planning a data center site, the protection of life is always the most
important element, as human safety and well-being should always be
prioritized over any other asset or resource. However, in addition to life, the
protection of data and hardware is also very important, as they are the core
components of a data center that enable the storage, processing, and
transmission of information.
92
What is the MOST effective way to protect privacy?
A Eliminate or reduce collection of personal information.
93
What would be the PRIMARY concern when designing and coordinating a
security assessment for an Automatic Teller Machine (ATM) system?
A Physical access to the electronic hardware
95
Which of the following is the MOST appropriate technique for destroying
magnetic platter style hard disk drives (HDD) containing data with a "HIGH"
security categorization?
B Mechanically shred the entire HDD
96
Identify the component that MOST likely lacks digital accountability
related to information access. Click on the correct device in the image
below.
Laptop
Storage Area Network (SAN)
Backup Media
Backup Server
Database Server
Web Server
Laptop
97
Who has the PRIMARY responsibility to ensure that security objectives
are aligned with organization goals?
A Senior management
99
A thorough review of an organization's audit logs finds that a disgruntled
network administrator has intercepted emails meant for the Chief Executive
Officer (CEO) and changed them before forwarding them to their intended
recipient. What type of attack has MOST likely occurred?
C Man-in-the-middle
100
What is the purpose of code signing?
B The vendor certifies the software being loaded is free of malicious
code and that it was originated by the signer.
1
A malicious user gains access to unprotected directories on a web
server. Which of the following is MOST likely the cause for this
information disclosure?
A Security misconfiguration
Security misconfiguration is a type of vulnerability that occurs when a
web server or an application is not properly configured or secured, and
exposes sensitive or unnecessary information or functionality to
unauthorized or malicious users. It can allow a malicious user to gain access
to unprotected directories, files, or databases on a web server, and to view,
modify, or steal the data stored or transmitted by the web server or the
application.
Broken authentication management is a type of vulnerability that occurs
when a web-based application does not properly implement or protect the
authentication or session management mechanisms, such as passwords,
tokens, or cookies, and allows a malicious user to compromise or
impersonate the identity or the session of a legitimate user.
2
A company hired an external vendor to perform a penetration test of a new
payroll system. The company's internal test team had already performed an
in-depth application and security test of the system and determined that it
met security requirements. However, the external vendor uncovered
significant security weaknesses where sensitive personal data was
being sent unencrypted to the tax processing systems. What is the
MOST likely cause of the security issues?
A Failure to perform interface testing
Interface testing is a type of testing that verifies the functionality and
security of the interactions and communications between different
components or systems. Interface testing can detect and prevent errors,
defects, or vulnerabilities that may occur due to the integration or
interoperability of the components or systems.
3.
An auditor carrying out a compliance audit requests passwords that
are encrypted in the system to verify that the passwords are compliant
with policy. Which of the following is the BEST response to the
auditor?
C Demonstrate that non-compliant passwords cannot be created in the
system.
5
Which of the following is a critical factor for implementing a successful
data classification program?
A Executive sponsorship
6
From a cryptographic perspective, the service of non-repudiation
includes which of the following features?
D Proof of integrity of the message
NOT Validity of digital certificates
7
What is the BEST location in a network to place Virtual Private Network
(VPN) devices when an internal review reveals network design flaws in
remote access?
A In a dedicated Demilitarized Zone (DMZ)
8
Which of the following is a common feature of an Identity as a Service
(IDaaS) solution?
A Single Sign-On (SSO) authentication support
9
An attack utilizing social engineering and a malicious Uniform
Resource Locator (URL) link to take advantage of a victim's existing
browser session with a web application is an example of which of the
following types of attack?
B Cross-site request forgery
A CSRF attack typically involves the following steps: The attacker crafts a
malicious URL or HTML code that contains a forged request to a web
application that the victim is likely to use, such as a banking, shopping, or
social media site. The attacker delivers the malicious URL or HTML code to
the victim, using social engineering techniques, such as phishing emails,
instant messages, or web pages. The victim clicks on the malicious URL or
HTML code, which is executed by the victim's web browser. The victim's
web browser sends the forged request to the web application, along with
the victim's session cookie or token, which authenticates or authorizes the
victim to the web application. The web application receives the forged
request and executes it, as if it was initiated by the victim. The web
application performs the unwanted action, such as transferring funds,
changing passwords, or deleting accounts, on behalf of the victim.
XSS is a type of web-based attack that exploits the vulnerability of a web
application, by injecting malicious scripts into the web pages that are
viewed by other users. Injection is a type of web-based attack that exploits
the vulnerability of a web application, by injecting malicious commands or
queries into the user input, such as forms, fields, or URLs. Clickjacking is
a type of web-based attack that exploits the vulnerability of a web browser,
by overlaying a transparent or hidden layer on top of a legitimate web page,
and tricking the user into clicking on the hidden layer, which performs an
unwanted action on the underlying web page.
10
Which of the following examples is BEST to minimize the attack
surface for a customer's private information?
B Collection limitation
11
An organization is setting a security assessment scope with the goal of
developing a Security Management Program (SMP). The next step is
to select an approach for conducting the risk assessment. Which of
the following approaches is MOST effective for the SMP?
B Business processes based risk assessment with a focus on
business goals
12
Which of the following information MUST be provided for user account
provisioning?
B Unique identifier
13
Which type of test suite should be run for fast feedback during
application development?
C Smoke
A smoke test suite is a subset of test cases that covers the most
important and basic functionality of the application, such as loading,
navigation, and input/output. A smoke test suite is designed to be
executed quickly and frequently, usually before more comprehensive
testing, to verify that the application is stable and ready for further
testing.
14
Which of the following is a correct feature of a virtual local area
network (VLAN)?
B Layer 3 routing is required to allow traffic from one VLAN to
another.
16
When performing an investigation with the potential for legal action,
what should be the analyst's FIRST consideration?
B Authorization to collect
17
Which of the following BEST obtains an objective audit of security
controls?
C The security audit is performed by an independent third-party.
18
How does security in a distributed file system using mutual
authentication differ from file security in a multi-user host?
B Access control cannot rely on the Operating System (OS), and
eavesdropping is possible.
In a distributed file system, access control cannot rely on the OS, because
the OS may not have the same security policies or mechanisms as the
remote server. Therefore, access control must be implemented at the
application layer, using protocols such as Kerberos or SSL/TLS.
Eavesdropping is also possible in a distributed file system, because the
network traffic may be intercepted or modified by malicious parties.
Therefore, encryption and integrity checks must be used to protect the data
in transit.
In a multi-user host, access control can rely on the OS, because the OS can
enforce security policies and mechanisms such as permissions, groups, and
roles. Eavesdropping is less likely in a multi-user host, because the network
traffic is confined to the local server.
19
What is the PRIMARY objective of an application security
assessment?
D Identify vulnerabilities.
20
In an organization where Network Access Control (NAC) has been deployed,
a device trying to connect to the network is being placed into an isolated
domain. What could be done on this device in order to obtain proper
connectivity?
B Apply remediations according to security requirements
21
Which of the following is an essential element of a privileged identity
lifecycle management?
A Regularly perform account re-validation and approval
22
In an environment where there is not full administrative control over
all network connected endpoints, such as a university where non-corporate
devices are used, what is the BEST way to restrict access to the
network?
D Use a clientless Network Access Control (NAC) solution
23
What is the FINAL step in the waterfall method for contingency planning?
A Maintenance
Contingency planning can follow various methods, models, or frameworks,
such as the waterfall method, the agile method, or the spiral method, that
can define, structure, or guide the contingency planning process, by using
various phases, stages, or steps, such as initiation, planning, testing,
implementation, or review. The final step in the waterfall method for
contingency planning is maintenance, which means to monitor, update, or
improve the contingency plan, actions, measures, or solutions, that are
taken or implemented.
24
Which attack defines a piece of code that is inserted into software to
trigger a malicious function?
D Logic bomb
A logic bomb is a piece of code that is inserted into software to trigger a
malicious function when a certain condition is met, such as a specific date,
time, or event.
Phishing is a type of social engineering attack that uses fraudulent emails
or websites to trick users into revealing their personal or financial
information, or installing malware on their devices. Salami is a type of
fraud that involves stealing small amounts of money or data from multiple
sources over time, hoping that the theft will go unnoticed or be ignored.
Back door is a type of covert access that bypasses the normal
authentication or authorization mechanisms of a system or network,
allowing unauthorized users or attackers to gain access or control.
25
Which one of the following can be used to detect an anomaly in a system by
keeping track of the state of files that do not normally change?
C Integrity checker
An anomaly is a deviation or abnormality from the normal or expected
behavior or state of a system, network, or resource, which may indicate a
potential security problem or issue, such as a malware infection, a
configuration error, or a data corruption. An anomaly can be detected or
identified by using various methods or techniques, such as statistical
analysis, behavioral analysis, or signature analysis, that can compare or
contrast the actual or current behavior or state of the system, network, or
resource, with the expected or baseline behavior.
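A minimal integrity checker of the kind the answer refers to records a baseline for files that do not normally change and later compares the live state against it. The block below is an added example, not code from the original study notes; the watched paths, the temporary directory and the simulated tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed list of "files that do not normally change"; a real baseline would
# cover system binaries, libraries and configuration files.
WATCHED = ["bin/login", "etc/app.conf"]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, watched) -> dict:
    """Record hash, size and permission bits for each watched file."""
    state = {}
    for rel in watched:
        p = root / rel
        if not p.exists():
            state[rel] = None  # record absence so a later creation is detectable
            continue
        st = p.stat()
        state[rel] = {
            "sha256": _sha256(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return state


def compare(baseline: dict, current: dict) -> list:
    """Return (file, change) findings; an empty list means no anomaly."""
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if old is None and new is not None:
            findings.append((rel, "created"))
        elif old is not None and new is None:
            findings.append((rel, "deleted"))
        elif old != new:
            changed = [k for k in old if old[k] != new[k]]
            findings.append((rel, "modified:" + ",".join(changed)))
    return findings


def save_baseline(state: dict, path: Path) -> None:
    # The baseline itself needs protecting (read-only media, another host, or a
    # signature); otherwise whoever alters a file can alter its recorded hash too.
    path.write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> list:
    """Build a baseline, tamper with one file, and report the change (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin/login").write_bytes(b"\x7fELF original login binary")
        (root / "etc/app.conf").write_text("debug=false\n")
        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root, WATCHED), baseline_file)

        # Simulated tampering: the binary is replaced and its permissions changed.
        (root / "bin/login").write_bytes(b"\x7fELF trojaned login binary!")
        os.chmod(root / "bin/login", 0o4755)

        return compare(load_baseline(baseline_file), snapshot(root, WATCHED))


if __name__ == "__main__":
    for rel, change in demo():
        print(f"{rel}: {change}")
```

Hash, size and mode are recorded together because a replacement that keeps the size identical still changes the hash, and a permission change (for example adding the setuid bit) leaves the hash untouched; the unchanged etc/app.conf produces no finding.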
26
Which of the following is the BEST method to reduce the effectiveness of
phishing attacks?
A User awareness
27
What is the BEST way to establish identity over the internet?
C Remote Authentication Dial-In User Service (RADIUS) server with
hardware tokens
29
Which one of the following transmission media is MOST effective in
preventing data interception?
C Fiber optic
30
What maintenance activity is responsible for defining, implementing,
and testing updates to application systems?
A Program change control
31
Which of the following assures that rules are followed in an identity
management architecture?
D Policy enforcement point
32
A security consultant has been asked to research an organization's
legal obligations to protect privacy-related information. What kind of
reading material is MOST relevant to this project?
B Privacy-related regulations enforced by governing bodies
applicable to the organization
33
Which of the following is the MOST effective measure for dealing with rootkit
attacks?
D Reinstalling the system from trusted sources
A rootkit is a type of malicious software that hides itself and other malware
from detection and removal, by modifying the operating system or the
firmware of the system. A rootkit can gain root or administrator access to
the system, and can control or manipulate the system's functions,
processes, or files. A rootkit can also create backdoors, key loggers, or
network sniffers, to steal or transmit sensitive data, or to launch further
attacks.
34
Which one of the following describes granularity?
D Fineness to which an access control system can be adjusted
35
What is the FIRST step when developing an Information Security
Continuous Monitoring (ISCM) program?
D Define an ISCM strategy based on risk tolerance.
35
A continuous information security-monitoring program can BEST
reduce risk through which of the following?
A Collecting security events and correlating them to identify
anomalies
36
When using third-party software developers, which of the following is
the MOST effective method of providing software development
Quality Assurance (QA)?
B Perform overlapping code reviews by both parties
38
Which of the following techniques BEST prevents buffer overflows?
C Code auditing
A buffer overflow is a type of software vulnerability that occurs when a
program or an application writes more data to a buffer than the buffer can
hold, causing the excess data to overwrite the adjacent memory locations.
47
A security architect is developing an information system for a client. One of
the requirements is to deliver a platform that mitigates against common
vulnerabilities and attacks. What is the MOST efficient option used to
prevent buffer overflow attacks?
A Address Space Layout Randomization (ASLR)
40
What is the benefit of an operating system (OS) feature that is
designed to prevent an application from executing code from a non-
executable memory region?
D Helps prevent certain exploits that store code in buffers
40
Which of the following factors should be considered characteristics of
Attribute Based Access Control (ABAC) in terms of the attributes used?
D Role Based Access Control (RBAC) and Access Control List (ACL)
RBAC Integration: Attribute-Based Access Control (ABAC) can be integrated
with RBAC. User roles (from RBAC) can become one of the many attributes
considered by an ABAC system when making access decisions.
ACL Refinement: ABAC can leverage and refine the use of ACLs. With ABAC,
permissions on an ACL can be granted or denied based on various attributes
rather than solely on user identities or roles.
41
Before implementing an internet-facing router, a network
administrator ensures that the equipment is baselined/hardened
according to approved configurations and settings. This action
provides protection against which of the following attacks?
A Blind spoofing
Blind spoofing is a type of network attack that involves sending packets with
a forged source IP address to a target system, without knowing the
sequence number or acknowledgment number expected by the target
system. The attacker hopes to guess the correct numbers and establish a
connection with the target system, or cause a denial-of-service (DoS) attack
by exhausting the target system's resources.
42
Asymmetric algorithms are used for which of the following when using
Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing
network security?
A Peer authentication
Asymmetric algorithms are used for peer authentication in SSL/TLS, which is
the process of verifying the identity and trustworthiness of the client and
the server. Peer authentication is done by exchanging digital certificates,
which are electronic documents that contain the public key and other
information of the owner, and are signed by a trusted third party, such as a
certificate authority. The client and the server validate each other's
certificates using asymmetric algorithms, and establish a secure connection
if the certificates are valid.
43
Why is data classification control important to an organization?
A To ensure its integrity, confidentiality, and availability.
44
What is the BEST reason to include supply chain risks in a corporate
risk register?
B Risk registers classify and categorize risk and allow risks to be
compared to corporate risk appetite
45
Clothing retailer employees are provisioned with user accounts that provide
access to resources at partner businesses. All partner businesses use
common identity and access management (IAM) protocols and differing
technologies. Under the Extended Identity principle, what is the process
flow between partner businesses to allow this IAM action?
A Clothing retailer acts as identity provider (IdP), confirms identity
of user using industry standards, then sends credentials (access token)
to partner businesses that act as a Service Provider and allows
access to services
46
Which of the following is a limitation of the Common Vulnerability
Scoring System (CVSS) as it relates to conducting code review?
C It aims to calculate the risk of published vulnerabilities
28
Which of the following frameworks provides vulnerability metrics and
characteristics to support the National Vulnerability Database
(NVD)?
D Common Vulnerability Scoring System (CVSS)
CVSS provides vulnerability metrics and characteristics, such as the base
score, the temporal score, and the environmental score, that are based on
the various factors or attributes of the vulnerabilities, such as the
exploitability, the scope, the impact, the remediation, or the confidence.
CVSS supports the NVD, which is a repository or a database that collects
and maintains the information or the data about the publicly known or
reported vulnerabilities or weaknesses that are identified by the Common
Vulnerabilities and Exposures (CVE) identifiers. CVSS supports the NVD,
because it can provide a common and uniform language or
terminology for describing and defining the vulnerabilities or
weaknesses that are included in the NVD.
21
Which component of the Security Content Automation Protocol (SCAP)
specification contains the data required to estimate the severity of
vulnerabilities identified by automated vulnerability assessments?
B Common Vulnerability Scoring System (CVSS)
47
Which of the following is used by the Point-to-Point Protocol (PPP) to
determine packet formats?
B Link Control Protocol (LCP)
LCP negotiates and agrees on various options and parameters for the PPP
link, such as the maximum transmission unit (MTU), the authentication
method, the compression method, the error detection method, and the
packet format.
48
Refer to the information below to answer the question. An organization
experiencing a negative financial impact is forced to reduce budgets
and the number of Information Technology (IT) operations staff
performing basic logical access security administration functions.
Security processes have been tightly integrated into normal IT
operations and are not separate and distinct roles. Which of the
following will MOST likely allow the organization to keep risk at an
acceptable level?
D Separating the security function into distinct roles
52
Refer to the information below to answer the question. An organization
experiencing a negative financial impact is forced to reduce
budgets and the number of Information Technology (IT) operations staff
performing basic logical access security administration functions. Security
processes have been tightly integrated into normal IT operations and are
not separate and distinct roles. When determining appropriate
resource allocation, which of the following is MOST important to
monitor?
A Number of system compromises
6
Refer to the information below to answer the question. An organization
experiencing a negative financial impact is forced to reduce budgets and
the number of Information Technology (IT) operations staff performing basic
logical access security administration functions. Security processes have
been tightly integrated into normal IT operations and are not separate and
distinct roles. Which of the following will indicate where the IT
budget is BEST allocated during this time?
C Metrics
49
Which of the following is a process within a Systems Engineering Life
Cycle (SELC) stage?
A Requirements Analysis
The Systems Engineering Life Cycle (SELC) is a structured approach to
developing systems, encompassing various stages to ensure thorough
planning, development, and maintenance. The SELC stages typically
include: Concept Development, Requirements Analysis, Design,
Implementation, Integration and Test, Deployment, Operations and
Maintenance, and Disposition.
50
What is the BEST approach to addressing security issues in legacy web
applications?
B Migrate to newer, supported applications where possible
51
Which of the following vulnerability assessment activities BEST
exemplifies the examine method of assessment?
B Ensuring that system audit logs capture all relevant data fields required
by the security controls baseline
Examine: This method is “the process of reviewing, inspecting, observing,
studying, or analyzing one or more assessment objects (i.e., specifications,
mechanisms, or activities). The purpose of the examine method is to
facilitate assessor understanding, achieve clarification, or obtain evidence.”
Assessors often begin an SCA by requesting a list of artifacts or evidence
(such as security policies, configuration files, etc.) that they can examine to
form an initial perspective.
Interview: This method is “the process of holding discussions with
individuals or groups of individuals within an organization to once again,
facilitate assessor understanding, achieve clarification, or obtain evidence.”
After reviewing any evidence provided during the examine phase, assessors
meet with key stakeholders to gain additional clarity on what security
controls are in place and how they work.
Test: This method is “the process of exercising one or more assessment
objects (i.e., activities or mechanisms) under specified conditions to
compare actual with expected behavior.” In this stage, an auditor or
assessor is seeking to confirm that security controls are implemented as
they are documented and that they are operating effectively and as
intended.
53
The goal of a Business Impact Analysis (BIA) is to determine which of
the following?
C Resource priorities for recovery and Maximum Tolerable
Downtime (MTD)
54
An organization is planning a penetration test that simulates the
malicious actions of a former network administrator. What kind of
penetration test is needed?
C Grey box
A grey box penetration test is one that simulates the actions of an attacker
who has some knowledge of the target system, such as a former network
administrator. A grey box test is more realistic than a white box test,
which assumes complete knowledge of the system, and more
efficient than a black box test, which assumes no knowledge of the
system.
55
In order to assure authenticity, which of the following are required?
C Authentication and non-repudiation
56
Which of the following is a security feature of Global System for
Mobile Communications (GSM)?
A It uses a Subscriber Identity Module (SIM) for authentication.
79
Which of the following is included in the Global System for Mobile
Communications (GSM) security framework?
B Symmetric key cryptography
The GSM security framework includes various components, such as the
Subscriber Identity Module (SIM), the Authentication Center (AuC), the
Equipment Identity Register (EIR), or the ciphering algorithms. The
component that is included in the GSM security framework is symmetric key
cryptography, which is a type of cryptography that uses the same key or a
pair of keys that are mathematically related for both encryption and
decryption of data or information. Symmetric key cryptography is used in
the GSM security framework for various purposes, such as encrypting the
communication between the mobile station and the base station, generating
the authentication and ciphering keys, or deriving the session keys.
57
During an audit, the auditor finds evidence of potentially illegal activity.
Which of the following is the MOST appropriate action to take?
D Work with the client to report the activity to the appropriate authority
59
A network scan found 50% of the systems with one or more critical
vulnerabilities. Which of the following represents the BEST action?
B Assess vulnerability risk and business impact.
60
What is the MOST effective method for gaining unauthorized access to a file
protected with a long complex password?
C Social engineering
61
Which of the following BEST ensures the integrity of transactions to
intended recipients?
A Public key infrastructure (PKI) (asymmetric encryption)
62
What method could be used to prevent passive attacks against secure
voice communications between an organization and its vendor?
A Encryption in transit
64
What is the MOST efficient way to secure a production program and
its data?
B Harden the application and encrypt the data
65
Which of the following is the MOST effective corrective control to
minimize the effects of a physical intrusion?
B Rapid response by guards or police to apprehend a possible
intruder
66
When evaluating third-party applications, which of the following is the
GREATEST responsibility of Information Security?
C Quantify the risk to the business for product selection.
67
Which of the following wraps the decryption key of a full disk
encryption implementation and ties the hard disk drive to a
particular device?
A Trusted Platform Module (TPM)
A TPM is a secure cryptoprocessor that generates, stores, and protects
cryptographic keys and other sensitive data. A TPM can be used to
implement full disk encryption, which is a technique that encrypts the entire
contents of a hard disk drive, making it unreadable without the correct
decryption key. A TPM can wrap the decryption key, which means that it
encrypts the key with another key that is stored in the TPM and can only be
accessed by authorized software. A TPM can also tie the hard disk drive
to a particular device.
68
Which of the following is the PRIMARY security concern associated with
the implementation of smart cards?
C The cards can be misplaced
69
Which of the following is the BEST method to prevent malware from
being introduced into a production environment?
D Test all new software in a segregated environment
70
In the common criteria (CC) for information technology (IT) security
evaluation, increasing Evaluation Assurance Levels (EAL) results in
which of the following?
C Increase in resource requirement
26
Changes to a Trusted Computing Base (TCB) system that could
impact the security posture of that system and trigger a
recertification activity are documented in the
A Security impact analysis.
A TCB system is a system that consists of the hardware, software, and
firmware components that enforce the security policy and protect the
security-relevant information of the system. A TCB system is usually
certified or accredited to meet certain security standards or
criteria, such as the Common Criteria or the Trusted Computer
System Evaluation Criteria (TCSEC).
A security impact analysis is a document that describes the changes
made to a TCB system, such as adding, modifying, or removing
components or functions, and analyzes the potential effects of the changes
on the security of the system, such as introducing new vulnerabilities, risks,
or threats.
25
Which of the following BEST describes a Protection Profile (PP)?
A A document that expresses an implementation independent set
of security requirements for an IT product that meets specific
consumer needs.
A PP is based on the Common Criteria (CC) framework, which is an
international standard for evaluating the security of IT products and
systems. A PP defines the security objectives, threats, assumptions, and
functional and assurance requirements for a product or a category of
products.
75
Which security evaluation model assesses a product's Security
Assurance Level (SAL) in comparison to similar solutions?
B Common criteria (CC)
91
Match the level of evaluation to the correct common criteria (CC)
assurance level
Level of evaluation                          Assurance level
Functionally tested                          1
Structurally tested                          2
Methodically tested and checked              3
Methodically designed, tested and reviewed   4
Semiformally designed and tested             5
Semiformally verified design and tested      6
Formally verified design and tested          7

The Common Criteria (CC) is an international standard for evaluating the
security and assurance of information technology products and systems.
The CC defines seven levels of evaluation assurance levels (EALs), ranging
from EAL1 (the lowest) to EAL7 (the highest), that indicate the degree of
confidence and rigor in the evaluation process.
50
Which of the following BEST describes the purpose of the security
functional requirements of Common Criteria?
C Security behavior expected of a TOE
The security functional requirements of Common Criteria are meant to
describe the expected security behavior of a Target of Evaluation (TOE).
These requirements are detailed and are used to evaluate the security
functions that a TOE claims to implement.
74
Which of the following is a security weakness in the evaluation of
common criteria (CC) products?
A The manufacturer can state what configuration of the product is to
be evaluated.
Common Criteria (CC) is an international standard that defines a framework
for evaluating, certifying, or validating the security and functionality of
information technology (IT) products, systems, and components, such as
software, hardware, or firmware.
A CC evaluation is structured by constructs such as the Evaluation Assurance
Level (EAL), the Protection Profile (PP), and the Security Target (ST), which
set out the functional requirements, assurance requirements, and security
objectives against which the product is assessed. The security weakness in
the evaluation of CC products is that the manufacturer can state what
configuration of the product is to be evaluated: the manufacturer selects the
features, settings, and parameters that are assessed during the evaluation,
so the certificate says nothing about configurations outside the evaluated
one, including the configuration a customer actually deploys.
72
The Hardware Abstraction Layer (HAL) is implemented in the
A System software.
The system software is the software that controls and manages the basic
operations and functions of the computer system, such as the operating
system, the device drivers, the firmware, and the BIOS. The HAL is a
component of the system software that provides a common interface
between the hardware and the software layers of the system.
73
The BEST way to check for good security programming practices, as
well as auditing for possible backdoors, is to conduct
B Code reviews

74
Recently, an unknown event has disrupted a single Layer-2 network
that spans between two geographically diverse data centers. The
network engineers have asked for assistance in identifying the root cause of
the event. Which of the following is the MOST likely cause?
C Broadcast domain too large
75
Which of the following is the MOST comprehensive Business Continuity (BC)
test?
D Full interruption
A full interruption test is a type of BC test that involves shutting down the
primary site or system and activating the alternate site or system, as if a
real disaster has occurred.
A full functional drill is a type of BC test that involves performing the
actual recovery procedures and tasks at the alternate site or system,
without shutting down the primary site or system.
A full table top is a type of BC test that involves discussing and reviewing
the BC plan and procedures with the BC team and stakeholders, using a
simulated disaster scenario.
A full simulation is a type of BC test that involves simulating the
recovery environment and activities at the alternate site or system, using a
computer model or a virtual machine, without shutting down the primary
site or system.
76
Which of the following is a reason to use manual patch installation
instead of automated patch management?
C The likelihood of system or application incompatibilities will be
decreased.
77
Which area of embedded devices are most commonly attacked?
B Firmware
78
How is it possible to extract private keys securely stored on a
cryptographic smartcard?
B Focused ion-beam
Focused ion-beam is a type of physical attack or technique that uses a beam
of ions, such as gallium or helium, to modify or manipulate the structure or
circuitry of the smartcard. Focused ion-beam can be used to
extract private keys securely stored on a cryptographic smartcard, by using
the beam of ions to cut, drill, or etch the smartcard, and to access or read
the memory or the microprocessor of the smartcard, where the private keys
are stored. Focused ion-beam can also be used to bypass or disable the
security features or mechanisms of the smartcard, such as the sensors,
fuses, or shields that are designed to prevent or detect the physical
tampering or modification of the smartcard.
79
How can lessons learned from business continuity training and actual
recovery incidents BEST be used?
A As a means for improvement
80
Information security practitioners are in the midst of implementing a
new firewall. Which of the following failure methods would BEST
prioritize security in the event of failure?
A Fail-Closed
Fail-closed is also known as fail-secure or fail-safe, as it prevents
unauthorized or malicious access and preserves the confidentiality and
integrity of the system or the data. Fail-closed is suitable for systems or
components that handle sensitive or critical information or operations, and
where security is more important than availability.
Fail-open is a failure mode that allows or grants all access when a system or
a component fails or malfunctions. Fail-open is also known as fail-insecure
or fail-soft, as it enables authorized or legitimate access and preserves the
availability and functionality of the system or the data.
81
What is the PRIMARY purpose of auditing, as it relates to the security
review cycle?
A To ensure the organization's controls and policies are working as
intended
82
In a change-controlled environment, which of the following is MOST
likely to lead to unauthorized changes to production programs?
B Promoting programs to production without approval
83
An organization is implementing security review as part of system
development. Which of the following is the BEST technique to follow?
C Perform incremental assessments.
84
Which of the following is most helpful in applying the principle of LEAST
privilege?
C Monitoring and reviewing privileged sessions
84
The acquisition of personal data being obtained by a lawful and fair means
is an example of what principle?
D Collection Limitation Principle
84
Which of the following is a method of attacking Internet Protocol version 6
(IPv6) at Layer 3 and Layer 4?
C Internet Control Message Protocol (ICMP) flooding
ICMP flooding can affect both IPv4 and IPv6 networks, but IPv6 networks are
more vulnerable, as IPv6 requires ICMP for essential functions, such as
neighbor discovery, path MTU discovery, and multicast listener discovery.
Therefore, ICMP flooding can disrupt the normal operation and
communication of IPv6 hosts and routers, and cause network congestion,
packet loss, or service degradation.
85
Which of the following is the PRIMARY type of cryptography required to
support non-repudiation of a digitally signed document?
B Asymmetric
Digital signatures rely on asymmetric cryptography, also known as
public key cryptography.
While hashing is vital for creating a unique representation of the document,
asymmetric cryptography is essential for the non-repudiation aspect
because it binds the hash value to the sender's private key. This binding
ensures that only the sender could have created the digital signature,
thereby providing non-repudiation.
The PRIMARY type of cryptography required to support non-repudiation is
therefore asymmetric.
86
Which of the following is true of Service Organization Control (SOC) reports?
B SOC 2 Type 2 reports include information of interest to the service
organization's management
There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. Each type
of SOC report has two subtypes: Type 1 and Type 2. Type 1 reports
describe the design and suitability of the controls at a point in time,
while Type 2 reports also include the operating effectiveness of the
controls over a period of time.
SOC 1 reports focus on the internal controls over financial reporting,
and are intended for the auditors of the user entities.
SOC 2 reports focus on the security, availability, processing
integrity, confidentiality, and privacy of the service organization's
systems and services, and are intended for the stakeholders of the user
entities.
SOC 3 reports are similar to SOC 2 reports, but are less detailed and
more general, and are intended for the general public.
SOC 2 Type 2 reports include information of interest to the service
organization's management, such as the description of the system, the
assertion of the management, the opinion of the auditor, and the results of
the tests of controls.
87
What is the BEST way to encrypt web application communications?
D Transport Layer Security (TLS)
TLS is the successor to SSL and is considered to be the best option for
encrypting web application communications. It provides secure
communication between web browsers and servers, ensuring data integrity,
confidentiality, and authentication.
88
Refer to the information below to answer the question. Desktop
computers in an organization were sanitized for re-use in an
equivalent security environment. The data was destroyed in accordance
with organizational policy and all marking and other external indications of
the sensitivity of the data that was formerly stored on the magnetic drives
were removed. Organizational policy requires the deletion of user data from
Personal Digital Assistant (PDA) devices before disposal. It may not be
possible to delete the user data if the device is malfunctioning. Which
destruction method below provides the BEST assurance that the data has
been removed?
C Shredding
89
All hosts on the network are sending logs via syslog-ng to the log
collector. The log collector is behind its own firewall, the security
professional wants to make sure not to put extra load on the firewall
due to the amount of traffic that is passing through it. Which of the following
types of filtering would MOST likely be used?
D Static Packet Filtering
Static packet filtering examines only the header of each packet and allows
or denies it against a predefined rule set: source and destination IP
addresses, ports, protocol, and TCP flags. It is simple, fast, and
stateless, meaning it keeps no record of connections, so it adds very little
load to the firewall; the trade-off is that return traffic has to be
permitted by its own rule (typically by port and the ACK flag), which a
crafted packet can satisfy.
Uniform Resource Locator (URL) filtering blocks or allows access to specific
websites or pages based on their URLs or keywords. Web traffic filtering
analyzes the content or behavior of web traffic and blocks or allows it
according to rules such as the type, size, origin, or destination of the
traffic; both require parsing application-layer data. Dynamic (stateful)
packet filtering examines headers together with a connection state table,
allowing a packet only if it belongs to an established or expected session.
It is more capable, but tracking state costs memory and CPU for every packet,
which is exactly the extra load the question wants to avoid.
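As an added illustration (not part of the original question set), here is a minimal stateless packet filter in Python. The topology is assumed: hosts in 10.0.0.0/16 send syslog-ng over TCP/514 to a collector at 10.0.50.10 behind its own firewall. The packets are constructed samples. Because no connection table exists, the collector's replies need their own rule keyed on source port and the ACK flag, which is both what keeps the filter cheap and its well-known weakness.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    sport: Optional[int] = None
    require_flags: frozenset = frozenset()  # every listed flag must be set

    def matches(self, pkt: Packet) -> bool:
        # Header fields only: nothing here depends on what came before.
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.sport is None or self.sport == pkt.sport)
            and self.require_flags <= pkt.flags
        )


def static_filter(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matches means deny.
    No connection table is consulted, which is what makes it cheap and
    why the collector's replies need an explicit rule of their own."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Assumed topology for the illustration (not from the original question).
COLLECTOR = "10.0.50.10"
RULES = [
    Rule("allow", src="10.0.0.0/16", dst=COLLECTOR, proto="tcp", dport=514),
    # Return traffic: stateless, so we can only key on port + ACK flag.
    Rule("allow", src=COLLECTOR, dst="10.0.0.0/16", proto="tcp", sport=514,
         require_flags=frozenset({"ACK"})),
]

# Constructed sample packets.
SAMPLE = [
    Packet("10.0.1.25", COLLECTOR, "tcp", 51000, 514, frozenset({"SYN"})),        # client opens syslog
    Packet(COLLECTOR, "10.0.1.25", "tcp", 514, 51000, frozenset({"SYN", "ACK"})),  # collector's reply
    Packet("10.0.1.25", COLLECTOR, "tcp", 51000, 22, frozenset({"SYN"})),         # SSH to collector
    Packet("192.0.2.9", COLLECTOR, "tcp", 4444, 514, frozenset({"SYN"})),         # outside source
    Packet(COLLECTOR, "10.0.1.25", "tcp", 514, 51000, frozenset({"SYN"})),        # unsolicited SYN
]


def classify(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [static_filter(rules, p) for p in packets]
```

Running classify(RULES, SAMPLE) gives allow, allow, deny, deny, deny. The caveat a practitioner should keep in mind: the second rule accepts any packet from 10.0.50.10 port 514 carrying ACK, so a host on the collector's segment that forges such packets passes the filter; a stateful firewall would reject them as not belonging to a known session, at the cost of the per-packet state lookup the question is trying to avoid.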
90
When assessing web vulnerabilities, how can navigating the dark web add
value to a penetration test?
B Information may be found on related breaches and hacking
91
In a large company, a system administrator needs to assign users access to
files using Role Based Access Control (RBAC). Which option is an example
of RBAC?
A Moving users access to files based on their group membership
92
Which of the following is the MOST important reason for timely
installation of software patches?
C Attackers reverse engineer the exploit from the patch.
Once a vendor releases a patch, attackers compare the patched and unpatched
code to locate the vulnerability it fixes, then build or adapt an exploit for
it and use that exploit against systems that have not yet applied the patch.
The window between patch release and working exploits can be short, so
delay in installation is what leaves the organization exposed.
94
Following a penetration test, what should an organization do FIRST?
D Evaluate the problems identified in the test result
95
In a basic SYN flood attack, what is the attacker attempting to achieve?
A Exceed the threshold limit of the connection queue for a given
service
A SYN flood is a denial-of-service attack that exploits the TCP three-way
handshake. The attacker sends a large number of SYN packets to the target
service, usually from spoofed source addresses, and never completes the
handshake with the final ACK. The server allocates a half-open connection
entry for each SYN and holds it until a timeout; once the listen backlog
(the connection queue) is full, new SYNs, including those from legitimate
clients, are dropped. Ports are not consumed; it is the finite queue that
is exhausted. SYN cookies, which encode the connection state in the
server's initial sequence number instead of storing it, are the standard
mitigation.
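The following Python simulation is an added example, not part of the original question set. It models a listening socket with a bounded half-open queue, floods it with spoofed SYNs that never complete the handshake, and then checks whether a legitimate client can still connect; switching on a simplified SYN-cookie mode (real cookies also encode a timestamp and MSS) shows why storing no state per SYN defeats the attack. The attack traffic and addresses are constructed.

```python
import hashlib
import hmac


class Listener:
    """Simplified TCP listen socket. Without SYN cookies it must remember every
    half-open connection in a bounded backlog; with SYN cookies it stores
    nothing until the final ACK proves the client completed the handshake."""

    def __init__(self, backlog, syn_cookies=False, secret=b"rotating-secret"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}        # (src_ip, src_port) -> ISN we sent
        self.established = set()
        self.dropped_syns = 0
        self._next_isn = 1000

    def _cookie(self, src_ip, src_port):
        # ISN derived from the peer's address and a server secret: nothing to store.
        tag = hmac.new(self.secret, f"{src_ip}:{src_port}".encode(),
                       hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, src_ip, src_port):
        """Return the ISN placed in our SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1           # queue full: attack succeeded
            return None
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num):
        """Third handshake packet: accept only if it acknowledges our ISN + 1."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            expected = (self._cookie(src_ip, src_port) + 1) & 0xFFFFFFFF
        else:
            isn = self.half_open.pop(key, None)
            expected = None if isn is None else (isn + 1) & 0xFFFFFFFF
        if expected is not None and ack_num == expected:
            self.established.add(key)
            return True
        return False


def flood_then_connect(syn_cookies, backlog=128, flood_size=1000):
    """Spoofed-source SYNs that never ACK, then one legitimate client.
    Returns True if the legitimate handshake completed."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(flood_size):                       # constructed attack traffic
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i)
    isn = srv.on_syn("203.0.113.7", 40000)            # legitimate client
    if isn is None:
        return False
    return srv.on_ack("203.0.113.7", 40000, (isn + 1) & 0xFFFFFFFF)
```

flood_then_connect(False) returns False: after 128 half-open entries every further SYN is dropped, the legitimate one included. flood_then_connect(True) returns True, and a forged ACK that does not carry the right cookie is still rejected.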
96
In the area of disaster planning and recovery, what strategy entails
the presentation of information about the plan?
A Communication
97
Which of the following is the MOST effective countermeasure against
Man-in-the Middle (MITM) attacks while using online banking?
A Transport Layer Security (TLS)
TLS protects the session between the user's browser and the bank's web
server against a man-in-the-middle by authenticating the server with its
X.509 certificate (client certificates are optional and rarely used in
consumer banking), negotiating a session key the attacker cannot learn, and
then encrypting the traffic under that key with authenticated encryption
(or, in older cipher suites, a symmetric cipher plus a message
authentication code) so it can neither be read nor modified in transit. The
protection holds only if the browser validates the certificate and the user
does not click through certificate warnings.
98
What physical characteristic does a retinal scan biometric device measure?
C The pattern of blood vessels at the back of the eye
A retinal scan biometric device measures the unique pattern of blood
vessels in the retina, which is the thin layer of tissue at the back of the eye.
The retinal pattern is highly distinctive for each individual, making retinal
scans one of the most accurate forms of biometric identification.
1
Which security service is served by the process of encryption
plaintext with the sender's private key and decrypting cipher text
with the sender's public key?
C Integrity (Non-repudiation)
2
What is the FIRST step in developing a patch management plan?
C Inventory the hardware and software used.
3
A large manufacturing organization arranges to buy an industrial machine
system to produce a new line of products. The system includes software
provided to the vendor by a third-party organization. The financial risk to
the manufacturing organization starting production is high. What
step should the manufacturing organization take to minimize its financial
risk in the new venture prior to the purchase?
D Require that the software be thoroughly tested by an accredited
independent software testing company.
4
A practice that permits the owner of a data object to grant other
users access to that object would usually provide
D Discretionary Access Control (DAC).
5
Which of the following is the MOST effective preventative method to
identify security flaws in software?
B Perform a structured code review.
6
Which of the following is an important requirement when designing a
secure remote access system?
C Ensure that logging and audit controls are included.
7
If the wide area network (WAN) is supporting converged applications
like Voice over Internet Protocol (VoIP), which of the following becomes
even MORE essential to the assurance of network
B Deterministic routing
Deterministic routing ensures that packets between a given source and
destination always follow the same path. For a WAN carrying VoIP this
matters because:
It keeps packets in order with a consistent delay, which reduces jitter and
reordering, the two things that degrade voice quality most. It does not by
itself prevent packet loss or remove latency, but it makes both predictable
and therefore manageable with quality-of-service controls.
It keeps the voice stream on a known, trusted set of devices, reducing the
chance that traffic is exposed to, or intercepted on, an untrusted path.
It simplifies management and troubleshooting, since administrators know
which path a call takes and can monitor, tune, and diagnose it.
8
Limiting the processor, memory, and Input/output (I/O) capabilities
of mobile code is known as
C Sandboxing.
Mobile code is code that is transferred from one system to another and
executed on the receiving system, often without explicit user action, such
as Java applets, ActiveX controls, or JavaScript.
Sandboxing is a security technique that isolates the mobile code from the
rest of the system and restricts its access to the system resources, such as
files, network, or registry. Sandboxing can prevent the mobile code from
causing harm or damage to the system, such as installing malware, stealing
data, or modifying settings.
9
An organization implements Network Access Control (NAC) by Institute
of Electrical and Electronics Engineers (IEEE) 802.1X and discovers the
printers do not support the IEEE 802.1X standard. Which of the following
is the BEST resolution?
D Install an IEEE 802.1X bridge for the printers
An IEEE 802.1X bridge is an authenticating device placed in front of the
printers that performs the port-based authentication on their behalf. It can
also isolate the printers on their own segment and apply security policies
to them, which is preferable to the common fallback of MAC authentication
bypass, since a MAC address is trivially spoofed.
11
An organization is considering partnering with a third-party supplier of cloud
services. The organization will only be providing the data and the
third-party supplier will be providing the security controls. Which of
the following BEST describes this service offering?
C Software as a Service (SaaS)
12
When building a data center, site location and construction factors that
increase the level of vulnerability to physical threats include
D Proximity to high crime areas of the city.
13
Using the cipher text and resultant clear text message to derive the
non-alphabetic cipher key is an example of which method of cryptanalytic
attack?
D Known-plaintext attack
A known-plaintext attack is a type of cryptanalytic attack where the attacker
has access to both the ciphertext and the corresponding plaintext, and
tries to derive the key or the algorithm used to encrypt the message
A frequency analysis attack is a type of cryptanalytic attack where the
attacker analyzes the frequency of letters or symbols in the
ciphertext and compares them with the expected frequency of the
language of the plaintext.
A ciphertext-only attack is a type of cryptanalytic attack where the attacker
only has access to the ciphertext and tries to guess the plaintext or the
key by using statistical methods, brute force, or other techniques.
A probable-plaintext attack is a type of cryptanalytic attack where the
attacker has access to the ciphertext and some information about the
probable plaintext, such as the format, the length, or some common
words or phrases, and tries to recover the key or the algorithm used to
encrypt the message.
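The known-plaintext attack in question 13 is concrete enough to show in code. The following Python is an added example (not part of the original question set) against a repeating-key XOR cipher, a non-alphabetic cipher whose key is a byte string: because C = P xor K, every byte of plaintext the attacker knows yields a byte of keystream, and the period of that keystream is the key. The key, the predictable message header and the second ciphertext are constructed for the illustration.

```python
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that, repeated, reproduces the whole stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: K = C xor P for every byte of known text.
    Reliable only when the known text is at least as long as the key, so
    that the true period shows up."""
    keystream = xor_bytes(ciphertext, known_plaintext)
    return shortest_period(keystream)


# Constructed secret, unknown to the attacker.
KEY = b"\x1f\xa2\x07\x99\x3c"
# A fixed message header the attacker can predict (the "known plaintext").
KNOWN_PT = b"BEGIN TRANSFER REQUEST: 1000"
KNOWN_CT = encrypt(KNOWN_PT, KEY)
# Another message under the same key, whose content the attacker wants.
TARGET_CT = encrypt(b"ACCOUNT 4471 AMOUNT 2500", KEY)


def attack():
    recovered = recover_key(KNOWN_PT, KNOWN_CT)
    return recovered, encrypt(TARGET_CT, recovered)
```

attack() returns the original key and the decrypted second message. The same idea, matching a ciphertext against a known or guessed plaintext to recover key material, is what makes predictable headers, padding and boilerplate dangerous under any cipher without per-message randomness.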
14
The goal of software assurance in application development is to
C Prevent the creation of vulnerable applications.
15
Which of the following is a Key Performance Indicator (KPI) for a
security training and awareness program?
B The number of attendees at security training events
16
An Information Technology (IT) professional attends a cybersecurity
seminar on current incident response methodologies. What code of ethics
canon is being observed?
C Advance and protect the profession
17
When would an organization review a Business Continuity
Management (BCM) system?
D At planned intervals
18
The PRIMARY characteristic of a Distributed Denial of Service (DDoS)
attack is that it
C looks like normal network activity.
19
Which of the following sets of controls should allow an investigation if
an attack is not blocked by preventive controls or detected by
monitoring?
A Logging and audit trail controls to enable forensic analysis
20
Data remanence is the biggest threat in which of the following
scenarios?
D A flash drive has been overwritten and released to a third party for
destruction.
Overwriting is unreliable on flash media. The drive's flash translation
layer and wear levelling remap each write to different physical cells, and
over-provisioned spare blocks are never exposed to the host, so copies of
the "overwritten" data can remain in cells the operating system cannot
address and can be read back with chip-off analysis. Handing such a drive
to a third party leaves that data exposed until the drive is actually
destroyed; cryptographic erase (destroying the key of a self-encrypting
drive) or physical destruction is the appropriate sanitization for flash.
21
Which one of the following is a common risk with network
configuration management?
D Network diagrams are not up to date
22
When developing a business case for updating a security program, the
security program owner MUST do which of the following?
A Identify relevant metrics
23
An application developer is deciding on the amount of idle session
time that the application allows before a timeout. The BEST reason for
determining the session timeout requirement is
A organization policy
24
Which of the following is the BEST countermeasure to brute force login
attacks?
D Introducing a delay after failed system access attempts
25
Which of the following is the BEST reason for the use of security
metrics?
D They quantify the effectiveness of security processes
27
What access control scheme uses fine-grained rules to specify the
conditions under which access to each data item or applications is
granted?
D Attribute Based Access Control (ABAC)
ABAC is a type of access control that grants or denies access to a system or
a resource based on the attributes of the subject, the object, the
environment, and the action. Attributes are the characteristics or the
properties that describe the entities involved in the access request, such as
the identity, the role, the location, the time, the device, the sensitivity, or
the purpose.
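Question 27 describes ABAC in terms of fine-grained rules over attributes of the subject, object, action and environment. The Python below is an added illustration (not part of the original question set) of a minimal ABAC policy decision point with deny-overrides combining, the usual way conflicting rules are resolved. The users, departments, clearance levels and the document are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Request:
    subject: Dict      # who: id, department, clearance
    obj: Dict          # what: owner, department, sensitivity
    action: str        # "read" or "write"
    env: Dict          # context: network, hour of day


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # condition over the attributes


def evaluate(policy: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable deny wins, otherwise any
    applicable permit, otherwise the default is deny."""
    effects = {r.effect for r in policy if r.applies(req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"


POLICY = [
    Rule("same-department-read", "permit", lambda r:
         r.action == "read"
         and r.subject["department"] == r.obj["department"]
         and r.subject["clearance"] >= r.obj["sensitivity"]),
    Rule("owner-write", "permit", lambda r:
         r.action == "write" and r.subject["id"] == r.obj["owner"]),
    Rule("sensitive-only-on-corporate-network", "deny", lambda r:
         r.obj["sensitivity"] >= 3 and r.env["network"] != "corporate"),
    Rule("no-writes-outside-business-hours", "deny", lambda r:
         r.action == "write" and not 8 <= r.env["hour"] < 18),
]

# Constructed sample attributes.
ALICE = {"id": "alice", "department": "finance", "clearance": 3}
BOB = {"id": "bob", "department": "engineering", "clearance": 4}
FORECAST = {"owner": "alice", "department": "finance", "sensitivity": 3}


def decide_samples() -> Dict[str, str]:
    office = {"network": "corporate", "hour": 10}
    home_late = {"network": "home", "hour": 22}
    return {
        "alice_reads_at_office": evaluate(POLICY, Request(ALICE, FORECAST, "read", office)),
        "alice_reads_from_home": evaluate(POLICY, Request(ALICE, FORECAST, "read", home_late)),
        "bob_reads_at_office": evaluate(POLICY, Request(BOB, FORECAST, "read", office)),
        "alice_writes_at_office": evaluate(POLICY, Request(ALICE, FORECAST, "write", office)),
        "alice_writes_late_from_home": evaluate(POLICY, Request(ALICE, FORECAST, "write", home_late)),
    }
```

Note what RBAC alone could not express here: Bob's higher clearance does not help him, because department is also an attribute of the decision, and Alice's own document is denied to her at 22:00 from home because the environment attributes change the answer without any change to her role.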
28
What is one way to mitigate the risk of security flaws in custom
software
B Include security assurance clauses in the Service Level
Agreement (SLA)
29
An external attacker has compromised an organization's network security
perimeter and installed a sniffer onto an inside computer. Which of the
following is the MOST effective layer of security the organization could
have implemented to mitigate the attacker's ability to gain further
information?
D Implement logical network segmentation at the switches
30
Which of the following will an organization's network vulnerability
testing process BEST enhance?
C Server hardening processes
Network vulnerability testing is a process of identifying and assessing the
security risks of a network. It can help an organization to enhance its server
hardening processes, which are the measures taken to reduce the
attack surface and improve the security posture of a server. Server
hardening can include applying patches, disabling unnecessary
services, configuring firewall rules, enforcing strong passwords, and
implementing encryption.
31
Refer to the information below to answer the question. A large
organization uses unique identifiers and requires them at the start of
every system session. Application access is based on job classification. The
organization is subject to periodic independent reviews of access controls
and violations. The organization uses wired and wireless networks and
remote access. The organization also uses secure connections to branch
offices and secure backup and recovery strategies for selected information
and processes.
A Time of the access
32
A software development company found odd behavior in some recently
developed software, creating a need for a more thorough code review.
What is the MOST effective argument for a more thorough code
review?
D it will reduce the potential for vulnerabilities.
33
When implementing controls in a heterogeneous end-point network for
an organization, it is critical that
C Common software security components be implemented across all
hosts
34
Why is planning the MOST critical phase of a Role Based Access Control
(RBAC) implementation?
C Role mining to define common access patterns is performed
Role mining analyzes the existing user accounts and their access rights to
find common access patterns, and uses them to define the roles and role
hierarchies that suit the organization. Done well, it removes redundant and
excessive entitlements and makes the resulting RBAC system both simpler to
administer and more secure. It belongs to the planning phase, where the
objectives, scope, requirements, and resources of the RBAC implementation
are established, and it is the most critical task in that phase: roles
defined without it will not match how access is actually used.
35
Individual access to a network is BEST determined based on
C Business need
36
The FIRST step in building a firewall is to
D perform a risk analysis to identify issues to be addressed
37
When implementing a secure wireless network, which of the following
supports authentication and authorization for individual client
endpoints.
C Wi-Fi Protected Access 2 (WPA2) Enterprise
38
Which of the following BEST describes the purpose of the reference
monitor when defining access control to enforce the security model?
B Policies to validate organization rules
The reference monitor is a key concept in computer security that enforces
access control policies. It acts as a mediator between subjects (users
or processes) and objects (resources or data) to ensure that access
requests comply with the organization’s security policies.
Enforcement of Access Control Policies: The reference monitor ensures that
all access to data and resources is authorized according to predefined
security policies. It validates every access request against these policies,
ensuring that only authorized subjects can access or modify objects.
39
A business has implemented Payment Card Industry Data Security Standard
(PCI-DSS) compliant handheld credit card processing on their Wireless Local
Area Network (WLAN) topology. The network team partitioned the WLAN to
create a private segment for credit card processing using a firewall to
control device access and route traffic to the card processor on the Internet.
What components are in the scope of PCI-DSS?
C The end devices, wireless access points, WLAN, switches,
management console, and firewall
40
Which of the following MUST be done before a digital forensics
investigator may acquire digital evidence?
C Verify that the investigator has the appropriate legal authority to
proceed
41
Which of the following types of security testing is the MOST effective in
providing a better indication of the everyday security challenges of
an organization when performing a security risk assessment?
C Internal
42
Who should perform the design review to uncover security design
flaws as part of the Software Development Life Cycle (SDLC)?
B Security subject matter expert (SME)
43
In a disaster recovery (DR) test, which of the following would be a trait
of crisis management
B Strategic
45
When designing a Cyber-Physical System (CPS), which of the following
should be a security practitioner's first consideration?
C Risk assessment of the system
A Cyber-Physical System (CPS) is a system that integrates physical
processes, computational capabilities, and communication networks. A CPS
can have various applications, such as smart grids, autonomous
vehicles, or industrial control systems. When designing a CPS, the first
consideration for a security practitioner should be the risk assessment of
the system, which is the process of identifying, analyzing, and evaluating
the potential threats, vulnerabilities, and impacts that could affect the
system.
46
Which of the following provides the MOST protection against data theft
of sensitive information when a laptop is stolen?
D Encrypt the entire disk and delete contents after a set number of
failed access attempts
47
Which of the following is critical if an employee is dismissed due to
violation of an organization's Acceptable Use Policy (AUP)?
D Appropriate documentation
49
What should be the INITIAL response to Intrusion Detection
System/Intrusion Prevention System (IDS/IPS) alerts?
D Verify the threat and determine the scope of the attack
50
Which of the following media is least problematic with data remanence?
C Dynamic Random Access Memory (DRAM)
DRAM has the lowest data remanence of the four: it needs constant refresh,
so its contents decay within seconds of power loss. (Cold-boot attacks can
stretch that window by chilling the chips, which is why a locked but
powered-on laptop is still worth protecting.)
Magnetic disks have moderate remanence: deleted or quick-formatted data is
trivially recoverable, and residual magnetization after a single overwrite
has traditionally been treated as recoverable with laboratory techniques
such as magnetic force microscopy, which is why multi-pass overwriting,
degaussing, or physical destruction is specified for sensitive data.
Electrically Erasable Programmable Read-Only Memory (EEPROM) and flash
memory (flash is a form of EEPROM built from floating-gate cells) have high
remanence: stored charge can persist for years without power, and wear
levelling and spare blocks mean a host overwrite may never reach the
physical cells holding the old data, so chip-off analysis can recover it.
51
A manager identified two conflicting sensitive user functions that
were assigned to a single user account that had the potential to result in
financial and regulatory risk to the company. The manager MOST likely
discovered this during which of the following?
B Separation of duties analysis
52
Which of the following is the MOST challenging issue in apprehending
cyber criminals?
C The crime is often committed from a different jurisdiction
53
Which of the following statements is TRUE for point-to-point microwave
transmissions?
D They are subject to interception by an antenna within proximity
55
Which of the following problems is not addressed by using OAuth (Open
Standard to Authorization) 2.0 to integrate a third-party identity
provider for a service?
A Resource Servers are required to use passwords to authenticate
end users
OAuth 2.0 is an authorization framework that lets a third-party application
obtain limited access to a protected resource on behalf of a resource owner
without exposing the owner's credentials to that application. An
authorization server (which, when OpenID Connect is layered on top, also
acts as an identity provider) issues access tokens to the application based
on the resource owner's consent and the requested scope, and the resource
server that hosts the protected resource accepts those tokens. OAuth 2.0
does not define how the end user is authenticated; that is left to the
authorization server, so whether passwords are still required of end users
is not a problem OAuth 2.0 itself solves.
56
Which of the following is the MOST common method of memory protection?
B Segmentation
Segmentation is a technique that divides the memory space into logical
segments, such as code, data, stack, and heap. Each segment has its
own attributes, such as size, location, access rights, and protection level.
Segmentation can help to isolate and protect the memory segments from
unauthorized or unintended access, modification, or execution, as well as to
prevent memory corruption, overflow, or leakage.
57
Which of the following is a method used to prevent Structured Query
Language (SQL) injection attacks?
D Data validation
Data validation involves checking the input data for any illegal or
unexpected characters, such as quotes, semicolons, or keywords,
and rejecting or sanitizing them before passing them to the database
11
Which of the following is the BEST way to protect against Structured
Query language (SQL) injection?
D Use stored procedures
Stored procedures are precompiled SQL routines stored on the database
server and invoked with parameters. When a procedure is called with bound
parameters, and does not build dynamic SQL internally, user input is passed
as data and cannot change the structure of the statement, which defeats SQL
injection; a stored procedure that concatenates its arguments into a query
string and executes it is just as injectable as application code that does
so. Stored procedures also reduce network traffic and centralize database
logic. Defense in depth adds boundary checking (limiting the length and
format of user input) and least-privilege database accounts, so that even a
successful injection can only read or change what the application account
is allowed to touch.
44
When reviewing the security logs, the password shown for an
administrative login event was ' OR ' '1'='1' --. This is an example of
which of the following kinds of attack?
B Structured Query Language (SQL) Injection
63
The Structured Query Language (SQL) implements Discretionary
Access Controls (DAC) using
B GRANT and REVOKE
DAC is a type of access control that allows the owner or creator of an object,
such as a table, view, or procedure, to grant or revoke permissions to other
users or roles.
44
During an investigation of database theft from an organization's web
site, it was determined that the Structured Query Language (SQL)
injection technique was used despite input validation with client-
side scripting. Which of the following provides the GREATEST protection
against the same attack occurring again?
C Implement server-side filtering
Server-side filtering is the process of validating and sanitizing the user
input on the server side, before passing it to the database or application.
Server-side filtering can prevent SQL injection attacks, which are the attacks
that exploit the vulnerability of the database or application to execute
malicious SQL commands or queries.
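Questions 57, 11, 44 and the one above all turn on the same point: input must never become part of the SQL grammar, and that separation has to happen on the server. The following Python with sqlite3 is an added example, not from the original question set. It replays the exact password seen in the log in question 44 against a login query built by string concatenation, then against a parameterized query (the same separation a parameterized stored procedure provides), and adds a server-side allow-list check. The table and credentials are constructed demo data; a real system stores salted password hashes and verifies them in application code rather than comparing plaintext in SQL.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed demo row; plaintext only to keep the injection visible.
    conn.execute("INSERT INTO users (username, password) "
                 "VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    # String concatenation: the user's text is parsed as SQL, so quotes,
    # OR and the -- comment marker rewrite the WHERE clause.
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    # Parameterized query: the statement is compiled first and the values
    # are bound as data afterwards, so they can never alter its structure.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def server_side_validate(username: str) -> bool:
    # Allow-list check performed on the server; client-side scripting can be
    # bypassed by anyone who edits the request, as the investigation found.
    return username.isascii() and username.isalnum() and 1 <= len(username) <= 32


INJECTED_PASSWORD = "' OR '1'='1' --"    # the value from the login log in question 44


def demo():
    conn = setup_db()
    return {
        "vulnerable_bypassed": vulnerable_login(conn, "admin", INJECTED_PASSWORD),
        "safe_rejected": safe_login(conn, "admin", INJECTED_PASSWORD),
        "safe_real_password": safe_login(conn, "admin", "correct horse battery staple"),
        "validation_blocks_payload": server_side_validate("admin' --"),
    }
```

demo() returns vulnerable_bypassed True: the concatenated query becomes `... AND password = '' OR '1'='1' --'`, the comment swallows the trailing quote and the OR makes the condition true for every row. The parameterized version compares the password column with the literal string and finds no match, while still accepting the genuine password, and the allow-list rejects the payload before it reaches the database at all.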
58
Which of the following are effective countermeasures against passive
network-layer attacks?
C Encryption and security enabled applications
Passive network-layer attacks involve eavesdropping or sniffing
network traffic to capture data without altering it. The goal of these attacks
is to intercept sensitive information, such as passwords, credit card
numbers, and confidential communications, as it travels over the network.
Encryption: Encrypting data in transit ensures that even if an attacker
intercepts the traffic, only ciphertext is captured and the contents
cannot be read without the key.
Security-Enabled Applications: Applications that incorporate security
measures such as end-to-end encryption (E2EE) ensure that data is
encrypted before it leaves the sender’s device and decrypted only after it
reaches the receiver's device. This provides strong protection against
eavesdropping.
59
Refer to the information below to answer the question. A security
practitioner detects client-based attacks on the organization's network. A
plan will be necessary to address these concerns. In the plan, what is the
BEST approach to mitigate future internal client-based attacks?
D Harden the client image before deployment
Hardening the client image means to apply the security configurations
and measures to the client operating system and applications, such as
disabling unnecessary services, installing patches and updates,
enforcing strong passwords, and enabling encryption and firewall.
Hardening the client image can help to reduce the attack surface and the
vulnerabilities of the client, and to prevent or resist the client-based attacks,
such as web exploits, malware, or phishing.
60
Which of the following is part of a Trusted Platform Module (TPM)?
C A secure processor tasked at managing digital keys and
accelerating digital signing
A TPM is a dedicated cryptoprocessor, soldered to the motherboard or
integrated into the chipset, that provides a tamper-resistant environment
for generating, storing, and using cryptographic keys. It can generate
asymmetric and symmetric keys in non-volatile storage, mark them
non-exportable so they can only ever be used inside the chip, and apply
them for encryption, decryption, signing, and verification. It also holds
platform configuration registers (PCRs) that record boot measurements, which
support attestation and allow keys to be sealed to a known-good boot state.
61
An internal Service Level Agreement (SLA) covering security is signed by
senior managers and is in place
D At regularly scheduled meetings
62
What is a characteristic of Secure Socket Layer (SSL) and Transport Layer
Security (TLS)
SSL and TLS provide a generic channel security mechanism on top of
Transmission Control Protocol (TCP).
SSL and TLS do not provide non-repudiation by default.
SSL and TLS provide security for most routed protocols.
SSL and TLS do not provide header encapsulation over HyperText Transfer
Protocol (HTTP).
63
Which of the following mechanisms will BEST prevent a Cross-Site
Request Forgery (CSRF) attack?
B Synchronized session tokens
A CSRF attack occurs when a malicious site, email, or link tricks a user's
browser into sending a forged request to a vulnerable site, where the
user is already authenticated. The vulnerable site cannot distinguish
between the legitimate and the forged requests, and may perform an
unwanted action on behalf of the user, such as changing a password,
transferring funds, or deleting data.
Synchronized session tokens are a technique to prevent CSRF attacks by
adding a random and unique value to each request that is generated by
the server and verified by the server before processing the request.
The token is usually stored in a hidden form field or a custom HTTP header,
and is tied to the user's session. The token ensures that the request
originates from the same site that issued it, and not from a malicious site.
Synchronized session tokens are also known as CSRF tokens, anti-
CSRF tokens, or state tokens.
Parameterized database queries ensure that the user input is treated
as data and not as part of the SQL command.
Whitelist input values are a technique to prevent input validation attacks
by allowing only a predefined set of values or characters for user input,
instead of rejecting or filtering out unwanted or malicious values or
characters. Whitelist input values ensure that the user input conforms to the
expected format and type.
Use strong ciphers are a technique to prevent encryption attacks by using
cryptographic algorithms and keys that are resistant to brute force,
cryptanalysis, or other attacks.
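The synchronizer token pattern described above, as an added example in Python (not part of the original question set). A per-session token is issued when the user logs in, embedded in the form the server renders, and checked on submission with a constant-time comparison; a forged cross-site request carries the victim's session cookie (the browser attaches it automatically) but cannot carry the token, because the attacking origin cannot read the victim's page. The session store, request dictionaries and the transfer endpoint are constructed stand-ins for a web framework.

```python
import hmac
import secrets


class SessionStore:
    """Server-side sessions: the CSRF token lives with the session, never in a cookie."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "csrf": ...}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)


def render_transfer_form(store: SessionStore, sid: str) -> dict:
    """The server embeds the session's token in the form it serves."""
    sess = store.get(sid)
    return {"action": "/transfer", "csrf_token": sess["csrf"]}


def handle_transfer(store: SessionStore, request: dict):
    """Require both the cookie-bound session and the token the form carried."""
    sess = store.get(request["cookies"].get("session", ""))
    if sess is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {request['form']['amount']} for {sess['user']}"


def demo():
    store = SessionStore()
    sid = store.login("alice")
    form = render_transfer_form(store, sid)
    # Forged request from another site: Alice's cookie rides along, but the
    # attacker never saw her token, so the form has none (or a guess).
    forged = {"cookies": {"session": sid},
              "form": {"amount": "1000", "to": "attacker"}}
    guessed = {"cookies": {"session": sid},
               "form": {"amount": "1000", "csrf_token": secrets.token_urlsafe(32)}}
    legit = {"cookies": {"session": sid},
             "form": {"amount": "50", "csrf_token": form["csrf_token"]}}
    return (handle_transfer(store, forged)[0],
            handle_transfer(store, guessed)[0],
            handle_transfer(store, legit)[0])
```

demo() returns (403, 403, 200). Two practitioner caveats: the token is only as good as the secrecy of the page that carries it, so an XSS flaw on the site defeats it, and a token stored in a cookie rather than the session defeats itself, since the forged request would carry that cookie too.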
65
Order the below steps to create an effective vulnerability management
process.
1 IDENTIFY ASSETS
2 IDENTIFY RISK
3 IMPLEMENT CHANGE MGT
4 IMPLEMENT PATCH MGT
5 IMPLEMENT RECURRING SCANNING SCHEDULE
66
Which is the second phase of Public Key Infrastructure (PKI)
key/certificate life-cycle management?
A Issued Phase
1 Initialization Phase 2 Issued Phase 3 Maintenance Phase 4
Revocation Phase
Can be down after a failure or disaster before there are significant
adverse impacts on the organization.
69
What MUST each information owner do when a system contains data
from multiple information owners?
A Provide input to the Information System (IS) owner regarding the
security requirements of the data
When a system contains data from multiple information owners, each
information owner must provide input to the IS owner regarding the security
requirements of the data, such as the classification, sensitivity, retention,
and disposal of the data.
70
In the last 15 years a company has experienced three electrical
failures. The cost associated with each failure is listed below. Which of the
following would be a reasonable annual loss expectation?
B 3500
The total loss from the three electrical failures over 15 years is
52,500.
The annual loss expectancy (ALE) is the annualized rate of occurrence (ARO)
of the threat multiplied by the single loss expectancy (SLE).
ARO = number of incidents / number of years in the period = 3 / 15 = 0.2
failures per year.
SLE = average cost of one failure = total cost over the period / number of
incidents = 52,500 / 3 = 17,500.
ALE = ARO x SLE = 0.2 x 17,500 = 3,500.
71
Which of the following is a remote access protocol that uses a static
authentication? (Static authentication method means that the username
and password are sent in clear text)
C Password Authentication Protocol (PAP)
Password Authentication Protocol (PAP) is a remote access protocol that
uses a static authentication method, which means that the
username and password are sent in clear text over the network. PAP is
considered insecure and vulnerable to eavesdropping and replay attacks.
PAP is supported by Point-to-Point Protocol (PPP), which is a common
protocol for establishing remote connections over dial-up, broadband, or
wireless networks. PAP is usually used as a fallback option when
more secure protocols, such as Challenge Handshake Authentication
Protocol (CHAP) or Extensible Authentication Protocol (EAP), are not
available or compatible.
72
Which of the following is an advantage of Secure Shell (SSH)?
B It encrypts transmitted User ID and passwords.
SSH encrypts the User ID and passwords using a symmetric key, which
is generated and exchanged using a public key cryptography
algorithm, such as RSA or DSA. SSH can also encrypt the entire
communication using the same symmetric key, which provides additional
security and privacy for the data.
73
A security consultant has been hired by a company to establish its
vulnerability management program. The consultant is now in the
deployment phase. Which of the following tasks is part of this
process?
A Select and procure supporting technologies.
74
Application of which of the following Institute of Electrical and Electronics
Engineers (IEEE) standards will prevent an unauthorized wireless
device from being attached to a network?
D IEEE 802.1X
IEEE 802.1X is a standard for port-based Network Access Control
(PNAC). It provides an authentication mechanism for devices (e.g. VoIP
phones) wishing to attach to a LAN or WLAN, preventing unauthorized
devices from gaining network access.
IEEE 802.1F is not a valid IEEE standard
IEEE 802.1H is a standard for transparent interconnection of lots of
links (TRILL), which is a protocol for routing at the data link layer.
IEEE 802.1Q is a standard for virtual LANs (VLANs), which is a technique
for logically segmenting a network
75
Which security audit standard provides the BEST way for an
organization to understand a vendor's Information Systems (IS) in
relation to confidentiality, integrity, and availability?
B Service Organization Control (SOC) 2
76
What security principle addresses the issue of "Security by Obscurity"?
A Open design
Open design is a principle that states that the security of a system or
network should not depend on the secrecy or obscurity of its design,
implementation, or configuration. Instead, the security of a system or
network should rely on the strength and effectiveness of its security
mechanisms, such as encryption, authentication, or access control.
77
Which type of fire alarm system sensor is intended to detect fire at its
earliest stage?
A Ionization
Ionization sensors use a small amount of radioactive material to ionize the
air inside a chamber. When smoke enters the chamber, it disrupts the
ionization process and reduces the current flow, which triggers the alarm.
Ionization sensors are more sensitive to small particles of smoke, such as
those produced by flaming fires, than other types of sensors, such as
photoelectric or thermal sensors.
78
An organization is planning to have an IT audit of its Software as a Service
(SaaS) application to demonstrate to external parties that the security
controls around availability are designed. The audit report must also cover a
certain period of time to show the operational effectiveness of the controls.
Which Service Organization Control (SOC) report would BEST fit their needs?
SOC 2 Type 2
Type 1 (point in time)
Type 2 (period of time)
A SOC 2 Type 1 report is similar to a SOC 2 Type 2 report, except that it
evaluates the design of the controls at a point in time, and does not include
the tests of controls and the results. A SOC 2 Type 1 report may not provide
sufficient assurance about the operational effectiveness of the controls over
a period of time.
A SOC 3 report is a short-form (watered-down version of SOC 2), general-use
report that gives users (the general public) and interested parties a report
about controls at a service organization related to the trust service
categories. A SOC 3 report does not include the description of the tests of
controls and their results, which limits its usability and detail.
A SOC 1 report is for organizations whose internal security controls can
impact a customer's financial statements, and it is based on the SSAE 18
standard
79
What is the ultimate objective of information classification?
B To ensure that information assets receive an appropriate level of
protection
80
Which technology is a prerequisite for populating the cloud-based directory
in a federated identity solution?
D Synchronization tool
A federated identity solution is a system that allows users to access multiple
applications and domains using a single set of credentials. A cloud-based
directory is a centralized repository of user identities and attributes that can
be accessed by different service providers over the internet. A
synchronization tool is a technology that enables the transfer and update of
user data between the cloud-based directory and the local or on-premises
directory.
81
The MAIN reason an organization conducts a security authorization
process is to
A force the organization to make conscious risk decisions.
The security authorization process forces the organization to make
conscious risk decisions, as it requires the organization to identify, analyze,
and evaluate the risks associated with the information system or product,
and to decide whether to accept, reject, mitigate, or transfer the risks.
A security authorization process is a process that evaluates and approves
the security of an information system or a product before it is deployed or
used. A security authorization process involves three steps: security
categorization, security assessment, and security authorization.
Security categorization is the step of determining the impact level of the
information system or product on the confidentiality, integrity, and
availability of the information and assets. Security assessment is the step of
testing and verifying the security controls and measures implemented on
the information system or product. Security authorization is the step of
granting or denying the permission to operate or use the information
system or product based on the security assessment results and the risk
acceptance criteria.
82
A security professional should consider the protection of which of the
following elements FIRST when developing a defense-in-depth
strategy for a mobile workforce?
D End-user devices
83
Which is the MOST effective countermeasure to prevent
electromagnetic emanations on unshielded data cable?
B Encase exposed cable runs in metal conduit
Electromagnetic emanations are the unintentional radiation of
electromagnetic signals from electronic devices, such as computers,
monitors, or cables. These signals can be intercepted and analyzed by
attackers to obtain sensitive information.
84
Which of the following is a strategy of grouping requirements in
developing a Security Test and Evaluation (ST&E)?
B Management, operational, and technical
ST&E is the process of verifying and validating the security posture and
effectiveness of a system, network, or application, by conducting various
tests and evaluations on the security controls and mechanisms that are
implemented on them.
The requirements for ST&E are the criteria and standards that define the
scope, objectives, methods, and deliverables of the ST&E process, as well as
the roles and responsibilities of the stakeholders involved. The
requirements for ST&E can be grouped into three categories:
management, operational, and technical
86
An organization publishes and periodically updates its employee
policies in a file on their intranet. Which of the following is a PRIMARY
security concern?
C Integrity
87
Which of the following is a term used to describe maintaining ongoing
awareness of information security, vulnerabilities, and threats to
support organizational risk management decisions?
D Information Security Continuous Monitoring (ISCM)
88
What protocol is often used between gateway hosts on the Internet?
B Border Gateway Protocol (BGP)
89
Logical access control programs are MOST effective when they are
D made part of the operating system
1
What are the first two components of logical access control?
B Authentication and identification
14
Which of the following is the PRIMARY goal of logical access controls?
A Restrict access to an information asset (software based
restriction, not physical)
90
Copyright provides protection for which of the following?
C A particular expression of an idea
Copyright law protects the expression of ideas in literary, artistic,
musical, and other creative works. It covers original works of authorship
fixed in any tangible medium of expression, such as books, writings, music,
artwork, software code, and more. It does not protect ideas themselves
(which are generally considered to be in the public domain) or the
underlying facts or concepts, but rather the specific way those ideas are
expressed.
91
Which of the following BEST describes botnets?
D Groups of computers that are used to launch destructive attacks
92
Which of the following will accomplish Multi-Factor Authentication
(MFA)?
D Issuing a smart card and a One Time Password (OTP) token
93
A security professional determines that a number of outsourcing contracts
inherited from a previous merger do not adhere to the current security
requirements. Which of the following BEST minimizes the risk of this
happening again?
C Verify all contracts before a merger occurs
93
Which of the following is the BEST statement for a professional to include
as part of business continuity (BC) procedure?
C Full data backup must be done based on the needs of the business
94
Which audit type is MOST appropriate for evaluating the effectiveness
of a security program?
B Assessment
It is NOT Validation because Validation is a type of audit that verifies the
accuracy, completeness, or correctness of a system or an organization, and
that confirms that it meets the requirements, specifications, or
expectations.
95
Determining outage costs caused by a disaster can BEST be measured
by the
C overall long-term impact of the outage
96
Which of the following is the MOST crucial for a successful audit plan?
A Defining the scope of the audit to be performed
97
What does the term "100-year floodplain" mean to emergency
preparedness officials?
B The odds of a flood at this level are 1 in 100 in any given year
A 100-year floodplain is a floodplain that has a 1% chance of being flooded
by a flood that has a magnitude or intensity that is expected to occur once
in 100 years, or that has a return period of 100 years.
98
What is the term commonly used to refer to a technique of
authenticating one machine to another by forging packets from a
trusted source?
D Spoofing
100
An organization is considering outsourcing applications and data to a Cloud
Service Provider (CSP). Which of the following is the MOST important
concern regarding privacy?
D The CSP may not be subject to the organization's country
legislation.
1
Which is the MOST critical aspect of computer-generated evidence?
B Integrity
2
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide
which of the following?
B Minimization of the need for decision-making during a crisis
3
The BEST method to mitigate the risk of a dictionary attack on a
system is to
B use complex passphrases
5
What is the MOST effective way to determine a mission critical asset in
an organization?
B business process analysis
7
Which of the following is the MAIN benefit of off-site storage?
D Data availability
8
Which of the following is the BEST approach to implement multiple
servers on a virtual system?
C Implement one primary function per virtual server and apply
individual security configuration for each virtual server.
9
What is the PRIMARY goal for using Domain Name System Security
Extensions (DNSSEC) to sign records?
A Integrity
DNSSEC is designed to protect the DNS protocol by using digital signatures
and cryptographic keys to sign and verify DNS records, such as A records,
AAAA records, or MX records. The primary goal of using DNSSEC to sign
records is integrity: DNSSEC aims to ensure that DNS records are authentic
and have not been modified, altered, or corrupted by third parties or
attackers who intercept or manipulate DNS queries or responses over the
network.
11
Which of the following can BEST prevent security flaws occurring in
outsourced software development?
A Contractual requirements for code quality
12
An organization is selecting a service provider to assist in the
consolidation of multiple computing sites including development,
implementation and ongoing support of various computer systems. Which
of the following MUST be verified by the Information Security
Department?
C The service provider will impose controls and protections that
meet or exceed the current systems controls and produce audit logs as
verification
13
Which of the following is the FIRST step an organization's security
professional performs when defining a cyber-security program
based upon industry standards?
B Define the organization's objectives regarding security and risk
mitigation
14
Digital certificates used in Transport Layer Security (TLS) support which of
the following?
B Non-repudiation controls and data encryption
15
Which of the following was developed to support multiple protocols as well
as provide login, password, and error correction capabilities?
B Point-to-Point Protocol (PPP)
16
A vulnerability in which of the following components would be MOST
difficult to detect?
C Hardware
19
Which of the following activities should a forensic examiner perform
FIRST when determining the priority of digital evidence collection at a
crime scene?
B Establish order of volatility.
20
Which of the following is the MOST secure password technique?
B One-time password
21
Knowing the language in which an encrypted message was originally
produced might help a cryptanalyst to perform a
C frequency analysis
Knowing the language in which an encrypted message was originally
produced might help a cryptanalyst to perform frequency analysis, as
different languages have different letter frequencies, digraphs, and word
lengths. For example, in English, the letter "e" is the most common, while in
French, it is the letter "a". By comparing the frequency distribution of the
ciphertext with the expected frequency distribution of the plaintext
language, a cryptanalyst can make educated guesses about the encryption
key or algorithm.
22
Which of the following is the FIRST step for defining Service Level
Requirements (SLR)?
D Capturing and documenting the requirements of the customer
23
A security architect plans to reference a Mandatory Access Control (MAC)
model for implementation. This indicates that which of the following
properties are being prioritized?
A Confidentiality
A MAC model is a type of access control model that grants or denies access
to an object based on the security labels of the subject and the object, and
the security policy enforced by the system. A security label is a tag or a
marker that indicates the classification, sensitivity, or clearance of the
subject or the object, such as top secret, secret, or confidential.
24
What is the PRIMARY role of a scrum master in agile development?
C To match the software requirements to the delivery plan
A scrum master is a facilitator who helps the development team and the
product owner to collaborate and deliver the software product incrementally
and iteratively, following the agile principles and practices. A scrum master
is responsible for ensuring that the team follows the scrum framework,
which includes defining the product backlog, planning the sprints,
conducting the daily stand-ups, reviewing the deliverables, and reflecting on
the process.
25
Which of the following is the top barrier for companies to adopt cloud
technology?
D Security
26
The key benefits of a signed and encrypted e-mail include
B confidentiality, non-repudiation, and authentication
27
A Chief Information Security Officer (CISO) of a firm which decided to
migrate to cloud has been tasked with ensuring an optimal level of
security. Which of the following would be the FIRST consideration?
C Analyze the firm's applications and data repositories to
determine the relevant control requirements
28
What is the MAIN goal of information security awareness and
training?
B To inform users of information assurance responsibilities
29
Multi-Factor Authentication (MFA) is necessary in many systems given
common types of password attacks. Which of the following is a correct list of
password attacks?
B Brute force, dictionary, phishing, keylogger
A salami slicing attack is a type of cyber fraud where an attacker steals or
manipulates data or resources in very small increments, often unnoticed by
the victim, but cumulatively resulting in a significant gain for the attacker.
30
Wireless users are reporting intermittent Internet connectivity.
Connectivity is restored when the users disconnect and reconnect,
utilizing the web authentication process each time. The network
administrator can see the devices connected to the APs at all times. Which
of the following steps will MOST likely determine the cause of the
issue?
A Verify the session time-out configuration on the captive portal
settings
31
The European Union (EU) General Data Protection Regulation
(GDPR) requires organizations to implement appropriate technical
and organizational measures to ensure a level of security appropriate to
the risk. The Data Owner should therefore consider which of the
following requirements?
A Data masking and encryption of personal data
32
A software development company has a short timeline in which to deliver a
software product. The software development team decides to use
open-source software libraries to reduce the development time. What
concern should software developers consider when using open-
source software libraries?
A Open source libraries contain known vulnerabilities, and
adversaries regularly exploit those vulnerabilities in the wild.
33
When designing an Occupant Emergency Plan (OEP) for United
States (US) Federal government facilities, what factor must be
considered?
C Geographical location and structural design of building
34
What does an organization FIRST review to assure compliance with privacy
requirements?
C Legal and regulatory mandates
The first thing that an organization reviews to assure compliance with
privacy requirements is the legal and regulatory mandates that apply to its
business operations and data processing activities. Legal and regulatory
mandates are the laws, regulations, standards, and contracts that govern
how an organization must protect the privacy of personal information and
the rights of data subjects.
35
Which of the following provides the MOST comprehensive filtering of
Peer-to-Peer (P2P) traffic?
A Application proxy
An application proxy can inspect the content and the behavior of the
network traffic, and apply granular filtering rules based on the specific
application protocol, such as HTTP, FTP, or SMTP. An application proxy can
also perform authentication, encryption, caching, and logging functions. An
application proxy can provide the most comprehensive filtering of P2P
traffic, as it can identify and block the P2P applications and protocols,
regardless of the port number or the payload.
37
Attack trees are MOST useful for which of the following?
C Enumerating threats
Attack trees are graphical models that represent the possible ways that an
attacker can exploit a system or achieve a goal. Attack trees consist of
nodes that represent the attacker's actions or conditions, and branches that
represent the logical relationships between the nodes. Attack trees can help
to enumerate the threats that the system faces, as well as to analyze the
likelihood, impact, and countermeasures of each threat.
38
Which one of the following would cause an immediate review and
possible change to the security policies of an organization?
A Change to organization goals
39
A large organization's human resources and security teams are planning on
implementing technology to eliminate manual user access reviews and
improve compliance. Which of the following options is MOST likely to
resolve the issues associated with user access?
B Implement identity and access management (IAM) platform
40
What is the PRIMARY reason that a bit-level copy is more desirable
than a file-level copy when replicating a hard drive's contents for an
e-discovery investigation?
A Files that have been deleted will be transferred
Bit-level copy preserves the data in the unallocated space and the slack
space of the drive, which may contain deleted files or fragments of files that
are relevant to the investigation. A file-level copy only copies the data that
is accessible by the file system, and may miss important evidence.
41
During a Disaster Recovery (DR) assessment, additional coverage for
assurance is required. What should an assessor do?
B Conduct a comprehensive examination of the Disaster Recovery
Plan (DRP)
If a DR assessment requires additional coverage for assurance, the assessor
should conduct a comprehensive examination of the DRP, which means that
the assessor should review the entire DRP in detail and verify that it covers
all the essential elements, such as the DR objectives, scope, assumptions,
roles and responsibilities, recovery strategies, procedures, testing,
maintenance, and documentation.
42
Which of the following activities is MOST likely to be performed during
a vulnerability assessment?
B Analyze the environment by conducting interview sessions with
relevant parties
43
When resolving ethical conflicts, the information security
professional MUST consider many factors. In what order should these
considerations be prioritized?
C Public safety, duties to principals, duties to individuals, and duties to
the profession
Treat all members fairly. In resolving conflicts, consider public safety and
duties to principals, individuals, and the profession in that order.
44
Secure real-time transport protocol (SRTP) provides security for
which of the following?
B Voice communication
44
Which of the following secure transport protocols is often used to
secure Voice over Internet Protocol (VoIP) communications on a
network from end to end?
C Secure Real-time Transport Protocol (SRTP)
SRTP is a protocol that extends the Real-time Transport Protocol (RTP) to
provide confidentiality, integrity, and authentication for voice and video
data over IP networks. SRTP can encrypt and authenticate the RTP packets,
as well as prevent replay attacks and protect against traffic analysis. SRTP
can be used for applications such as Voice over IP (VoIP), video
conferencing, or streaming media.
45
The security architect has been mandated to assess the security of
various brands of mobile devices. At what phase of the product
lifecycle would this be MOST likely to occur?
B Implementation
The product lifecycle consists of four phases: development,
implementation, operations and maintenance, and disposal. The
security architect has been mandated to assess the security of various
brands of mobile devices, which are products that have already been
developed and are ready to be deployed. Therefore, the most likely phase of
the product lifecycle for this task is the implementation phase, where the
products are installed, configured, tested, and integrated into the existing
environment.
46
Which of the following is a risk matrix?
C A two-dimensional picture of risk for organizations, products,
projects, or other items of interest.
A risk matrix is a graphical tool that helps visualize and prioritize
the risks associated with a specific context, such as an organization, a
product, a project, or an activity. A risk matrix typically plots the
likelihood of a risk occurring on one axis and the impact of the risk
on the other axis. The resulting matrix is divided into cells that indicate
the level of risk for each combination of likelihood and impact. The level of
risk can be color-coded or labeled as low, medium, high, or extreme.
47
A control to protect from a Denial-of-Service (DoS) attack has been
determined to stop 50% of attacks, and additionally reduces the impact of
an attack by 50%. What is the residual risk?
A 25%
The residual risk can be calculated by multiplying the probability of the
remaining risk by the impact of the remaining risk.
Probability of an attack: since the control stops/prevents 50% of attacks,
the probability that an attack still gets through = total risk (100%) –
stopped/prevented attacks (50%) = 50% = 0.50
Impact of the remaining risk = total risk impact (100%) – reduced impact of
an attack (50%) = 50% = 0.50
Residual risk = probability of an attack x impact of the remaining risk
= 0.5 x 0.5 = 0.25 = 25%
48
Which of the following MOST influences the design of the
organization's electronic monitoring policies?
A Workplace privacy laws
49
Including a Trusted Platform Module (TPM) in the design of a
computer system is an example of a technique to what?
D Establish a secure initial state
51
Which of the following is the FIRST step during digital identity
provisioning?
D Creating the entity record with the correct attributes
53
Which of the following access management procedures would
minimize the possibility of an organization's employees retaining
access to secure work areas after they change roles?
A User access modification
54
Which programming methodology allows a programmer to use pre-
determined blocks of code and consequently reduces development
time and programming costs?
B Object oriented
55
An employee's home address should be categorized according to
which of the following references?
B The organization's data classification model
An employee's home address is a type of personal data that may be subject
to privacy laws and regulations, such as the General Data Protection
Regulation (GDPR). Therefore, an organization should classify an employee's
home address according to its data classification model and assign
appropriate controls and safeguards.
56
An IT technician suspects a break in one of the uplinks that
provides connectivity to the core switch. Which of the following
command-line tools should the technician use to determine where the
incident is occurring?
D show interface
58
For the purpose of classification, which of the following is used to
divide trust domain and trust boundaries?
A Network architecture
59
The initial security categorization should be done early in the
system life cycle and should be reviewed periodically. Why is it
important for this to be done correctly?
A It determines the security requirements
61
During the Security Assessment and Authorization process, what is
the PRIMARY purpose for conducting a hardware and software
inventory?
D Define the boundaries of the information system
62
Which of the following is included in change management?
B User Acceptance Testing (UAT) before implementation
63
The core component of Role Based Access Control (RBAC) must be
constructed of defined data elements. Which elements are required?
C Roles, accounts, permissions, and protected object
65
Unused space in a disk cluster is important in media analysis
because it may contain which of the following?
A Residual data that has not been overwritten
66
Which of the following is the PRIMARY mechanism used to limit the
range of objects available to a given subject within different
execution domains?
A Process isolation
67
An attacker has intruded into the source code management system
and is able to download but not modify the code. Which of the
following aspects of the code theft has the HIGHEST security
impact?
D Administrative credentials or keys hard-coded within the stolen
code could be used to access sensitive data
99
An organization recently conducted a review of the security of its network
applications. One of the vulnerabilities found was that the session key
used in encrypting sensitive information to a third party server had
been hard-coded in the client and server applications. Which of the
following would be MOST effective in mitigating this vulnerability?
A Diffie-Hellman (DH) algorithm
The DH algorithm is a key exchange protocol that allows two parties to
establish a shared secret key over an insecure channel, without revealing
the key to anyone else.
The DSA algorithm can provide authentication, integrity, and non-repudiation,
but it does not provide encryption or key exchange, and it does not
directly address the issue of hard-coded session keys.
The RSA algorithm is a type of public key (asymmetric) cryptography that is
used for encryption, decryption, or digital signatures. It can provide
confidentiality, authentication, integrity, and non-repudiation, but it does
not directly address the issue of hard-coded session keys.
95
Which combination of cryptographic algorithms are compliant with
Federal Information Processing Standard (FIPS) Publication 140-2
for non-legacy systems?
A Diffie-Hellman (DH) key exchange: DH (>= 2048 bits)
Symmetric key: Advanced Encryption Standard (AES) > 128 bits
Digital signature: Digital Signature Algorithm (DSA) (>= 2048 bits)
RSA, DH or DSA >= 2048 bits, AES > 128 bits
69
Which algorithm gets its security from the difficulty of calculating discrete
logarithms in a finite field and is used to distribute keys, but cannot
be used to encrypt or decrypt messages?
A Diffie-Hellman
Diffie-Hellman is an algorithm that gets its security from the difficulty of
calculating discrete logarithms in a finite field and is used to distribute keys,
but cannot be used to encrypt or decrypt messages. Diffie-Hellman is a key
exchange protocol that allows two parties to establish a shared secret key
over an insecure channel, without any prior knowledge or communication.
The shared secret key can then be used for symmetric encryption or
authentication.
68
When dealing with compliance with the Payment Card Industry Data
Security Standard (PCI-DSS), an organization that shares cardholder
information with a service provider MUST do which of the
following?
B Validate the service provider's PCI-DSS compliance status on a
regular basis
69
Which of the following MUST be in place to recognize a system attack?
C Log analysis
70
What is the MAIN reason to ensure the appropriate retention periods
are enforced for data stored on electronic media?
D To reduce the risk of loss, unauthorized access, use,
modification, and disclosure
71
What is the MAIN purpose of a change management policy?
C To verify that changes to the Information Technology (IT)
infrastructure are approved
The main purpose of a change management policy is to ensure that all
changes made to the IT infrastructure are approved, documented, and
communicated effectively across the organization.
72
Which one of the following affects the classification of data?
D Passage of time
Data classification helps to determine the appropriate security controls and
handling procedures for the data. However, data classification is not static
but dynamic, meaning that it can change over time depending on various
factors. One of these factors is the passage of time, which can affect the
relevance, usefulness, or sensitivity of the data. For example, data that is
classified as confidential or secret at one point in time may become
obsolete, outdated, or declassified at a later point in time, and thus require
a lower level of protection.
73
A minimal implementation of endpoint security includes which of the
following?
B Host-based firewalls
74
After a breach incident, investigators narrowed the attack to a specific
network administrator's credentials. However, there was no evidence to
determine how the hackers obtained the credentials. Which of the following
actions could have BEST avoided the above breach per the investigation
described above?
C A periodic review of all privileged accounts actions
76
Which of the following is a BEST practice when traveling internationally with
laptops containing Personally Identifiable Information (PII)?
B Do not take unnecessary information, including sensitive information
77
The security architect is designing and implementing an internal
certification authority to generate digital certificates for all employees.
Which of the following is the BEST solution to securely store the private
keys?
Trusted Platform Module (TPM)
78
A company is moving from the V model to Agile development. How can the
information security department BEST ensure that secure design
principles are implemented in the new methodology?
D Information security requirements are captured in mandatory
user stories
79
Which of the following is the MOST important security goal when
performing application interface testing?
D Examine error conditions related to external interfaces to prevent
application details leakage
80
What should be the FIRST action to protect the chain of evidence when a
desktop computer is involved?
B Make a copy of the hard drive
83
Which of the following could elicit a Denial of Service (DoS) attack
against a credential management system?
B Modification of Certificate Revocation List
84
Which of the following is the BEST defense against password guessing?
B Disable the account after a limited number of unsuccessful attempts.
85
Which of the following is the BEST method a security practitioner can
use to ensure that systems and sub-systems gracefully handle
invalid input?
C Negative testing
57
An application team is running tests to ensure that user entry fields
will not accept invalid input of any length. What type of negative
testing is this an example of?
C Allowed number of characters
Negative testing is a type of software testing that aims to verify the
behavior and the performance of the software when it encounters invalid,
unexpected, or erroneous input or conditions.
Allowed number of characters is a type of negative testing that checks the
user entry fields for the maximum or the minimum number of characters
that they can accept or reject.
86
What is considered a compensating control for not having electrical
surge protectors installed?
D Having network equipment in active-active clusters at the site
87
Which of the following media sanitization techniques is MOST likely to
be effective for an organization using public cloud services?
C Cryptographic erasure
88
What is the PRIMARY objective of the post-incident phase of the
incident response process in the security operations center (SOC)?
A Improve the IR process
89
What is the PRIMARY difference between security policies and security
procedures?
D Policies are generic in nature, and procedures contain operational
details
90
Which of the following countermeasures is the MOST effective in defending
against a social engineering attack?
B Changing individual behavior
91
Which of the following is the final phase of the identity and access
provisioning lifecycle?
B Revocation
92
Which factors MUST be considered when classifying information and
supporting assets for risk management, legal discovery, and
compliance?
B Data stewardship roles, data handling and storage standards,
data lifecycle requirements
93
Which of the following types of business continuity tests includes
assessment of resilience to internal and external risks without
endangering live operations?
B Simulation
94
Which of the following presents the PRIMARY concern to an
organization when setting up a federated single sign-on (SSO)
solution with another
C Defining the identity mapping scheme
95
Which of the following is applicable to a publicly held company
concerned about information handling and storage requirements
specific to financial reporting?
C Sarbanes-Oxley (SOX) Act of 2002
SOX is a federal law that aims to protect investors from fraudulent
accounting activities by corporations. SOX requires public companies to
establish and maintain internal controls over their financial reporting
processes, and to have their financial statements audited by an
independent auditor. SOX also mandates that public companies retain their
financial records and related audit documents for at least five years, and
that they implement proper security measures to protect the confidentiality,
integrity, and availability of their financial information.
96
What is a common mistake in records retention?
D Adopting a retention policy with the longest requirement period
97
Proven application security principles include which of the following?
A Minimizing attack surface area
98
A Distributed Denial of Service (DDoS) attack was carried out using malware
called Mirai to create a large-scale command and control system to launch a
botnet. Which of the following devices were the PRIMARY sources used to
generate the attack traffic?
A Internet of Things (IoT) devices
Mirai is a malware that infects and hijacks IoT devices, such as cameras,
routers, or printers, and turns them into a botnet, which is a network of
compromised devices that are controlled by a central command and control
server. Mirai malware scans the internet for vulnerable IoT devices that use
default or weak credentials, and infects them with malicious code that
allows the attacker to remotely control them. Mirai malware was used to
launch a massive DDoS attack in 2016, targeting several high-profile
websites and services, such as Twitter, Netflix, or Amazon, and causing
widespread internet disruption.
99
While performing a security review for a new product, an information
security professional discovers that the organization's product development
team is proposing to collect government-issued identification (ID) numbers
from customers to use as unique customer identifiers. Which of the
following recommendations should be made to the product development
team?
B Customer identifiers that do not resemble the user's government-
issued ID number should be used.
100
Which of the following is a PRIMARY benefit of using a formalized
security testing report format and structure?
D Technical and management teams will better understand the
testing objectives, results of each test phase, and potential impact
levels
1
If a content management system (CMS) is implemented, which one of the
following would occur?
D The test and production systems would be running the same
software
A CMS is a software application that is used to create, manage, and deliver
digital content, such as web pages, blogs, or documents. A CMS typically
consists of two components: the content management application (CMA)
and the content delivery application (CDA). The CMA is the front-end
interface that allows users to create, edit, and organize the content. The
CDA is the back-end component that stores, processes, and delivers the
content to the end-users. A CMS can simplify and streamline the content
creation and delivery process, by providing a consistent and standardized
platform for both the test and production systems.
2
Which of the following is the BEST metric to obtain when gaining
support for an Identity and Access Management (IAM) solution?
D Help desk costs required to support password reset requests
4
Which of the following MUST be done when promoting a security
awareness program to senior management?
A Show the need for security; identify the message and the audience
5
Which of the following is the weakest form of protection for an
application that handles Personally Identifiable Information (PII)?
B Ron Rivest Cipher 4 (RC4) encryption
Ron Rivest Cipher 4 (RC4) encryption is the weakest form of protection for
an application that handles Personally Identifiable Information (PII). RC4 is a
stream cipher that uses a variable-length key to generate a
pseudorandom keystream that is XORed with the plaintext. RC4 has been
found to have several vulnerabilities, such as biases in the
keystream, weak keys, and plaintext recovery attacks. RC4 is no longer
considered secure and has been deprecated by many standards and
protocols, such as TLS and WPA.
6
Which access control method is based on users issuing access
requests on system resources, features assigned to those resources, the
operational or situational context, and a set of policies specified in
terms of those features and context?
D Attribute Based Access Control (ABAC)
ABAC allows for fine-grained, dynamic, and flexible access control that can
accommodate complex and changing scenarios and requirements.
Mandatory Access Control (MAC) is an access control method that is
based on security labels assigned to users and resources, and a set of
rules that determine the access permissions based on the comparison of
those labels. MAC is rigid, static, and centralized, and it enforces a
strict need-to-know policy.
Role Based Access Control (RBAC) is an access control method that is based
on roles assigned to users and permissions assigned to roles, and a
set of rules that determine the access permissions based on the user's role
membership. RBAC is simple, scalable, and decentralized, and it
enforces the principle of least privilege.
Discretionary Access Control (DAC) is an access control method that is
based on the identity of users and the ownership of resources, and a
set of rules that determine the access permissions based on the user's
identity or the owner's discretion. DAC is flexible, user-controlled,
and individualized, but it can also be inconsistent, insecure, and difficult
to manage.
8
What do you think is the best way to secure a camera?
C Verify the security camera requires authentication to log into the
management console
9
Which of the following models uses unique groups contained in unique
conflict classes?
A Chinese Wall (Brewer-Nash model)
The Chinese Wall model is a type of security model that is designed to
prevent the conflict of interest or the leakage of sensitive information in a
multi-level and multi-client environment, such as a consulting firm or a law
firm.
A unique group is a collection of information or clients that belong to
the same type or category, such as the same industry or sector. A
unique conflict class is a collection of unique groups that have a
conflict with each other, such as the competitors or rivals in the same
industry or sector. The Chinese wall model uses a dynamic and context-
based access control mechanism to enforce the security policy and rules
based on the unique groups and conflict classes. The access control
mechanism allows a subject to access any object that belongs to any unique
group, as long as the subject has not accessed any object that belongs to
another unique group in the same conflict class. Once the subject has
accessed an object that belongs to a unique group, the subject is restricted
to access only the objects that belong to the same unique group, and is
prohibited to access any object that belongs to another unique group in the
same conflict class. The access control mechanism can help to prevent the
subject from accessing or disclosing the information or clients that may
have a conflict of interest or a competitive advantage with the information
or clients that the subject has already accessed or represented.
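The access rule just described, as an added example (not from the original question set): a small Brewer-Nash checker that records which unique groups a subject has already touched and refuses access to a competitor in the same conflict class. The conflict classes, company names and subjects are constructed sample data; only the read ("simple security") rule is modelled, not the write rule.

```python
from collections import defaultdict

# Constructed sample data (assumption): two conflict classes, each holding the
# unique groups (companies) that compete with one another.
CONFLICT_CLASSES = {
    "banking": {"BankA", "BankB"},
    "oil":     {"OilX", "OilY"},
}


class ChineseWall:
    """Brewer-Nash read rule: a subject may read any group until it reads one,
    after which competitors of that group in the same conflict class are off limits."""

    def __init__(self, conflict_classes: dict):
        self.class_of = {}                     # unique group -> conflict class
        for cls, groups in conflict_classes.items():
            for group in groups:
                if group in self.class_of:
                    raise ValueError(f"{group} listed in two conflict classes")
                self.class_of[group] = cls
        self.history = defaultdict(set)        # subject -> groups already accessed

    def may_access(self, subject: str, group: str) -> bool:
        """Allowed unless the subject already accessed a *different* group in
        the same conflict class (the wall). Re-reading the same group is fine."""
        cls = self.class_of[group]
        return not any(seen != group and self.class_of[seen] == cls
                       for seen in self.history[subject])

    def access(self, subject: str, group: str) -> bool:
        """Attempt an access; on success record it, because the decision for
        future requests depends on this history (the model is dynamic)."""
        if not self.may_access(subject, group):
            return False
        self.history[subject].add(group)
        return True


if __name__ == "__main__":
    wall = ChineseWall(CONFLICT_CLASSES)
    for subject, group in [("alice", "BankA"), ("alice", "BankB"),
                           ("alice", "OilX"), ("alice", "BankA"), ("bob", "BankB")]:
        print(f"{subject:6} -> {group:6}: {'allowed' if wall.access(subject, group) else 'denied'}")
```

Note that the decision for "alice -> BankB" depends only on her own earlier access to BankA; Bob, who has touched nothing in the banking class, is still free to take BankB.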
10
Which of the following BEST represents a defense in depth concept?
C Endpoint security management, network intrusion detection system
(NIDS), Network Access Control (NAC), Privileged Access Management
(PAM), security information and event management (SIEM)
The answer choice C represents a defense in depth concept, because it
includes security controls at different levels, such as endpoint security
management (host level), network intrusion detection system (network
level), Network Access Control (network level), Privileged Access
Management (user level), and security information and event
management (data level).
12
Which of the following methods protects Personally Identifiable
Information (PII) by use of a full replacement of the data element?
D Data tokenization
Data tokenization is a method of protecting PII by replacing the sensitive
data element with a non-sensitive equivalent, called a token, that has no
extrinsic or exploitable meaning or value. The token is then mapped back
to the original data element in a secure database.
Data tokenization is different from encryption, which transforms the data
element into a ciphertext that can be decrypted with a key. Data
tokenization does not require a key, and the token cannot be reversed to
reveal the original data element.
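The full-replacement idea above, as an added example (not from the original question set): a minimal token vault that swaps a PII value for a random token, keeps the mapping only inside the vault, and lets only an authorized role look the value back up. The in-memory dictionary standing in for the secure mapping database, the role name `payments-backend` and the sample identifier are all constructed assumptions.

```python
import secrets


class TokenVault:
    """Tokenization service: the token is random, so nothing about the original
    value can be derived from it; the only way back is a lookup in the vault."""

    def __init__(self, token_hex_length: int = 16, authorized_role: str = "payments-backend"):
        self.token_hex_length = token_hex_length
        self.authorized_role = authorized_role      # assumption: who may detokenize
        self._token_to_value = {}                   # stands in for the secure mapping DB
        self._value_to_token = {}                   # same value -> same token (allows joins)

    def tokenize(self, value: str) -> str:
        """Replace a sensitive value with a token that carries no meaning of its own."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:                                 # loop only guards against a collision
            token = secrets.token_hex(self.token_hex_length // 2)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse a token; possible only through the vault and only for the authorized role."""
        if caller_role != self.authorized_role:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value[token]


def shares_digits(token: str, value: str) -> bool:
    """True if any run of three digits from the value appears inside the token:
    a quick check that the token is a full replacement, not a partial mask."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return any(digits[i:i + 3] in token for i in range(len(digits) - 2))


if __name__ == "__main__":
    vault = TokenVault()
    record = {"customer": "c-1001", "national_id": "123-45-6789"}   # constructed sample
    record["national_id"] = vault.tokenize(record["national_id"])   # what leaves the vault
    print("stored record:", record)
    print("token leaks digits of the original:", shares_digits(record["national_id"], "123-45-6789"))
    print("authorized lookup:", vault.detokenize(record["national_id"], "payments-backend"))
```

Because the token is drawn from a CSPRNG rather than computed from the value, there is no key whose compromise would unmask every token at once; the mapping store itself is the asset to protect.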
13
What is the MAIN purpose of conducting a business impact analysis
(BIA)?
B To determine the effect of mission-critical information system
failures on core business processes
A BIA is a process that identifies and evaluates the critical business
functions and their dependencies, and determines the impact of a
disruption on them. A BIA helps to quantify the potential loss of revenue,
reputation, productivity, or customer satisfaction due to an information
system failure, as well as the recovery time and resources needed to
resume normal operations.
15
An organization has hired a security services firm to conduct a
penetration test. Which of the following will the organization provide to
the tester?
A Limits and scope of the testing
16
Which of the following BEST provides for non-repudiation of user
account actions?
D Centralized logging system
17
Which of the following technologies would provide the BEST alternative to
anti-malware software?
B Application whitelisting
18
What is the PRIMARY purpose for an organization to conduct a security
audit?
B To ensure the organization is applying security controls to
mitigate identified risks
19
What documentation is produced FIRST when performing an effective
physical loss control process?
C Inventory list
20
Which one of the following activities would present a significant security
risk to organizations when employing a Virtual Private Network (VPN)
solution?
B Simultaneous connection to other networks
VPN also introduces some security risks and challenges, such as
configuration errors, authentication issues, malware infections, or data
leakage. One of the security risks of a VPN is simultaneous connection to
other networks, which occurs when a VPN user connects to the
organization's private network and another network at the same time, such
as a home network, a public Wi-Fi network, or a malicious network. This
creates a potential vulnerability or backdoor for the attackers to access or
compromise the organization's private network, by exploiting the weaker
security or lower trust of the other network. Therefore, the organization
should implement and enforce policies and controls to prevent or restrict
the simultaneous connection to other networks when using a VPN
solution.
22
Refer to the information below to answer the question. A large,
multinational organization has decided to outsource a portion of their
Information Technology (IT) organization to a third-party provider's facility.
This provider will be responsible for the design, development, testing, and
support of several critical, customer-based applications used by the
organization. The third party needs to have
D Access to the skill sets consistent with the programming
languages used by the organization
Having the right skill sets ensures that the third party can effectively
manage, develop, and support the critical applications, meeting the
organization's needs and maintaining operational continuity.
23
What is the term used to define where data is geographically stored in the
cloud?
D Data sovereignty
24
Alternate encoding such as hexadecimal representations is MOST
often observed in which of the following forms of attack?
D Cross site scripting (XSS)
Alternate encoding is a technique that is used by attackers to bypass input
validation or filtering mechanisms, and to conceal or obfuscate the
malicious code or script. Alternate encoding can use hexadecimal, decimal,
octal, binary, or Unicode representations of the characters or symbols in the
code or script.
25
What is the MOST common component of a vulnerability management
framework?
B Patch management
A vulnerability management framework is a set of policies and procedures
that aim to identify, assess, and mitigate the vulnerabilities that may affect
the organization's information systems and assets.
Patch management can help prevent or reduce the impact of potential
attacks that exploit the vulnerabilities, and improve the performance and
stability of the systems or applications.
25
A security practitioner has been asked to model best practices for
disaster recovery (DR) and business continuity. The practitioner has
decided that a formal committee is needed to establish a business
continuity policy. Which of the following BEST describes this stage of
business continuity development?
A Project Initiation and Management
26
An analysis finds unusual activity coming from a computer that was thrown
away several months prior. Which of the following steps ensures the proper
removal of the system?
B Decommission
27
After following the processes defined within the change management plan,
a super user has upgraded a device within an Information system. What
step would be taken to ensure that the upgrade did NOT affect the
network security posture?
B Conduct a security impact analysis
A security impact analysis is a process of assessing the potential effects
of a change on the security posture of a system. It helps to identify and
mitigate any security risks that may arise from the change, such as new
vulnerabilities, configuration errors, or compliance issues.
28
Given a file containing ordered numbers, i.e. "123456789," match each of
the following Redundant Array of Independent Disks (RAID) levels to the
corresponding visual representation.
RAID 1 is a RAID level that uses mirroring to create an exact copy of the
data on another disk. RAID 1 requires at least two disks, and it provides high
reliability and availability, as the data can be accessed from either disk if
one fails. However, RAID 1 does not provide any performance
improvement, and it has a high storage overhead, as it duplicates the
data. In the diagram, RAID 1 is represented by two disks with identical data
(123456789).
RAID 0 is a RAID level that uses striping to divide the data into blocks and
spread them across multiple disks. RAID 0 requires at least two disks, and it
provides high performance and speed, as the data can be read or
written in parallel from multiple disks. However, RAID 0 does not provide
any fault tolerance or redundancy, and it has a high risk of data loss, as
the failure of any disk will result in the loss of the entire data. In the
diagram, RAID 0 is represented by two disks with data split between them
(123 and 456789).
RAID 5 is a RAID level that uses striping with single parity to distribute the
data and the parity information across multiple disks. RAID 5 requires at
least three disks, and it provides a balance of performance, reliability, and
capacity, as the data can be read or written in parallel from multiple disks,
and the data can be recovered from the parity information if one disk fails.
However, RAID 5 has a performance penalty for write operations, as it
requires extra calculations and disk operations to update the parity
information. In the diagram, RAID 5 is represented by three disks where
data is striped across two disks (123 and 789), and the third disk contains
parity information (P(456+789) and P(123+456)).
RAID 10 is a RAID level that combines RAID 1 and RAID 0, meaning that it
uses mirroring and striping to create a nested array of disks. RAID 10
requires at least four disks, and it provides high performance,
reliability, and availability, as the data can be read or written in parallel
from multiple mirrored disks, and the data can be accessed from either disk
if one fails. However, RAID 10 has a high storage overhead, as it duplicates
the data, and it requires more disks and controllers to implement. In the
diagram, RAID 10 is represented by four disks combining both mirroring and
striping techniques (123 and 123, 456789 and 456789).
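The four layouts above, as an added worked example (not part of the original question set): the file "123456789" is placed on RAID 0, 1, 5 and 10 arrays in code, with RAID 5 parity implemented as a bytewise XOR so that any single failed disk can be rebuilt from the survivors. The three-byte chunk size, the rotating parity position and zero-padding of the final stripe are assumptions made for the example; the page's diagram splits the data differently.

```python
def chunks(data: bytes, size: int) -> list:
    """Split data into fixed-size blocks, zero-padding the last block."""
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    if blocks and len(blocks[-1]) < size:
        blocks[-1] = blocks[-1].ljust(size, b"\0")
    return blocks


def xor(*blocks: bytes) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity that RAID 5 stores."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid0(data: bytes, disks: int, chunk: int) -> list:
    """Striping only: block i lands on disk i mod disks; losing any disk loses data."""
    layout = [[] for _ in range(disks)]
    for i, blk in enumerate(chunks(data, chunk)):
        layout[i % disks].append(blk)
    return layout


def raid1(data: bytes, disks: int) -> list:
    """Mirroring: every disk holds a complete copy of the file."""
    return [[data] for _ in range(disks)]


def parity_disk(stripe: int, disks: int) -> int:
    """RAID 5 rotates the parity block so no single disk takes every parity write."""
    return (disks - 1) - (stripe % disks)


def raid5(data: bytes, disks: int, chunk: int) -> list:
    """Striping with distributed parity: disks-1 data blocks plus one XOR block per stripe."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    blocks, width = chunks(data, chunk), disks - 1
    layout = [[] for _ in range(disks)]
    for s, start in enumerate(range(0, len(blocks), width)):
        stripe = blocks[start:start + width]
        stripe += [b"\0" * chunk] * (width - len(stripe))   # pad a short final stripe
        pd, data_iter = parity_disk(s, disks), iter(stripe)
        for d in range(disks):
            layout[d].append(xor(*stripe) if d == pd else next(data_iter))
    return layout


def raid5_rebuild(layout: list, failed: int) -> list:
    """Recover the failed disk: in every stripe, XOR of the surviving blocks."""
    survivors = [disk for i, disk in enumerate(layout) if i != failed]
    return [xor(*stripe_blocks) for stripe_blocks in zip(*survivors)]


def raid5_read(layout: list) -> bytes:
    """Reassemble the file by skipping each stripe's parity block."""
    disks, out = len(layout), b""
    for s in range(len(layout[0])):
        pd = parity_disk(s, disks)
        out += b"".join(layout[d][s] for d in range(disks) if d != pd)
    return out.rstrip(b"\0")   # padding removal; a real array tracks the true length


def raid10(data: bytes, chunk: int) -> list:
    """Stripe across two mirrored pairs: four disks, each stripe stored twice."""
    stripes = raid0(data, 2, chunk)
    return [stripes[0], stripes[0], stripes[1], stripes[1]]


if __name__ == "__main__":
    FILE = b"123456789"   # the ordered file from the question
    for name, layout in [("RAID 0", raid0(FILE, 2, 3)), ("RAID 1", raid1(FILE, 2)),
                         ("RAID 5", raid5(FILE, 3, 3)), ("RAID 10", raid10(FILE, 3))]:
        print(name, layout)
    array = raid5(FILE, 3, 3)
    print("RAID 5 disk 1 rebuilt correctly:", raid5_rebuild(array, failed=1) == array[1])
    print("RAID 5 read back:", raid5_read(array))
```

Running it shows the write penalty the explanation mentions in miniature: every data block written to the RAID 5 array also requires the stripe's parity block to be recomputed, whereas RAID 0 writes each block exactly once and RAID 1 writes it twice.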
29
A post-implementation review has identified that the Voice Over Internet
Protocol (VoIP) system was designed to have gratuitous Address
Resolution Protocol (ARP) disabled. Why did the network architect
likely design the VoIP system with gratuitous ARP disabled?
D Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM)
attack
Gratuitous ARP is a special type of ARP message that a sender device
broadcasts on the network without any other device requesting it. It can
be useful for updating the ARP table, changing the address of an
interface, or informing the network of the sender's own MAC address.
However, it also introduces the risk of a Man-in-the-Middle (MITM) attack,
where an attacker can send a spoofed gratuitous ARP message to
trick other devices into associating a legitimate IP address with a
malicious MAC address. This way, the attacker can intercept, modify, or
redirect the traffic intended for the legitimate device.
30
The process of mutual authentication involves a computer system
authenticating a user and authenticating the
B Computer system to the user
31
What is the FIRST step in developing a security test and its
evaluation?
C Identify all applicable security requirements
32
Which of the following types of web-based attack is happening when an
attacker is able to send a well-crafted, malicious request to an
authenticated user without the user realizing it?
B Cross-Site request forgery (CSRF)
CSRF exploits the trust that a web server places in an authenticated user's
browser, and forces the browser to submit an unwanted or malicious request
to the web server on the user's behalf, such as transferring funds, changing
passwords, or updating profiles. CSRF works by embedding a malicious link or
script in an email, a website, or an advertisement that the user clicks or
views, which triggers the request to the web server. The web server then
executes the request as if it came from the legitimate user, and performs
the action without the user's consent or knowledge.
XSS is a type of attack that injects malicious scripts into a web page or
an application that the user views or interacts with, and that executes in the
user's web browser, and may steal the user's cookies, session tokens,
or personal information.
Cross injection is a type of attack that combines two or more injection
techniques, such as SQL injection, LDAP injection, or command injection, to
compromise a web-based application or a system.
Broken authentication and session management is a type of vulnerability
that occurs when a web-based application does not properly
implement or protect the authentication or session management
mechanisms, such as passwords, tokens, or cookies, and allows an attacker
to compromise or impersonate the identity or the session of a legitimate
user.
33
Which methodology is recommended for penetration testing to be
effective in the development phase of the life-cycle process?
A White-box testing
34
Given the various means to protect physical and logical assets, match the
access management area to the technology.
Facilities – Window
Devices – Firewall
Systems – Authentication
Information – Encryption
35
While reviewing the financial reporting risks of a third-party application,
which of the following Service Organization Control (SOC) reports will be the
MOST useful?
A SOC 1
SOC 1 reports are based on the Statement on Standards for Attestation
Engagements (SSAE) No. 18, and can be either Type 1 or Type 2, depending
on whether they provide a point-in-time (Type 1) or a period-of-time (Type 2)
evaluation of the controls. SOC 2, SOC 3, and SOC for Cybersecurity reports
are based on the Trust Services Criteria, and cover different aspects of the
service organization's security, availability, confidentiality, processing
integrity, and privacy.
36
When dealing with shared, privileged accounts, especially those for
emergencies, what is the BEST way to assure non-repudiation of logs?
B Implement a password vaulting solution.
A password vaulting solution can provide the following benefits: it can
enforce strong password policies, such as complexity, length, and
expiration; it can generate random and unique passwords for each account;
it can encrypt and protect the passwords from unauthorized access; it can
automate the password rotation and synchronization; it can grant or revoke
access to the passwords based on roles, rules, or workflows; it can audit
and log the password usage and activities; and it can provide
accountability and traceability for the shared or privileged accounts. A
password vaulting solution can help to prevent the misuse or compromise of
the shared or privileged accounts, and ensure the non-repudiation of logs.
37
The best way to secure wireless access points (APs)
B Token-based authentication
Token-based authentication is a method that uses a physical or logical
token, such as a smart card, a USB device, or a one-time password, to
authenticate the devices that want to access the wireless network.
38
An organization has doubled in size due to a rapid market share increase.
The size of the Information Technology (IT) staff has maintained pace with
this growth. The organization hires several contractors whose onsite time is
limited. The IT department has pushed its limits building servers and rolling
out workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?
B Identity as a Service (IDaaS)
39
Management has decided that a core application will be used on personal
cellular phones. As an implementation requirement, regularly scheduled
analysis of the security posture needs to be conducted. Management has
also directed that continuous monitoring be implemented. Which of the
following is required to accomplish management's directive?
C Enterprise-level security information and event management
(SIEM) dashboard that provides full visibility of cellular phone activity
40
A security engineer is assigned to work with the patch and vulnerability
management group. The deployment of a new patch has been approved
and needs to be applied. The research is complete, and the security
engineer has provided recommendations. Where should the patch be
applied FIRST?
C Lower environment
41
Assuming an individual has taken all of the steps to keep their internet
connection private, which of the following is the BEST way to browse
the web privately?
C Prevent information about browsing activities from being
stored on the personal device.
42
Which of the following is the reason that transposition ciphers are
easily recognizable?
D Character
43
A new Chief Information Officer (CIO) created a group to write a data
retention policy based on applicable laws. Which of the following is the
PRIMARY motivation for the policy?
B To dispose of data in order to limit liability
The primary motivation for writing a data retention policy based on
applicable laws is to dispose of data in order to limit liability. A data
retention policy is a document that defines the rules and guidelines for
retaining and disposing of the data that is created, received, or maintained
by an organization. A data retention policy is based on various factors, such
as the business needs, the legal requirements, the regulatory compliance,
and the security risks of the data.
45
Which of the following should exist in order to perform a security
audit?
A Industry framework to audit against
47
Which of the following is a characteristic of covert security testing?
B Tests staff knowledge and implementation of the organization's
security policy
Covert security testing is a type of security testing that is performed
without the knowledge or consent of the staff or the system owners,
except for a few authorized personnel. Covert security testing simulates
a real-world attack scenario, where the attackers try to exploit the
vulnerabilities and weaknesses of the system or the staff. Covert security
testing can test staff knowledge and implementation of the organization's
security policy, by assessing how they react to the simulated attack, how
they follow the security procedures and guidelines, and how they report and
respond to the incident.
48
Which of the following prevents improper aggregation of privileges in
Role Based Access Control (RBAC)?
B Dynamic separation of duties
Dynamic separation of duties is a method that prevents improper
aggregation of privileges in RBAC, by enforcing rules or constraints
that limit or restrict the roles or the permissions that a user or a
device can have or use at any given time or situation.
49
Which of the following is needed to securely distribute symmetric
cryptographic keys?
B Officially approved and compliant key management technology
and processes
50
A breach investigation showed that a website was exploited
through an open-source component. Which process could have
prevented this breach?
C Vulnerability remediation
51
What is the FIRST step for an organization to take before allowing
personnel to access social media from a corporate device or user
account?
B Publish an acceptable usage policy
52
A fiber link connecting two campus networks is broken. Which of the
following tools should an engineer use to detect the exact break
point of the fiber link?
A OTDR
An OTDR (optical time domain reflectometer) is a tool that can be used to
detect the exact break point of a fiber link. An OTDR works by sending a
pulse of light into the fiber and measuring the time and intensity of the
reflected light that comes back. By analyzing the reflected light, the OTDR
can determine the distance, location, and severity of any faults or breaks in
the fiber link. An OTDR can also provide information about the attenuation,
splice loss, and connector loss of the fiber link.
53
During a recent assessment an organization has discovered that the
wireless signal can be detected outside the campus area. What logical
control should be implemented in order to BEST protect the
confidentiality of information traveling on wireless transmission
media?
B Configure the Access Points (AP) to use Wi-Fi Protected Access
2 (WPA2) encryption
54
Are companies legally required to report all data breaches?
A No, different jurisdictions have different rules.
55
In supervisory control and data acquisition (SCADA) systems, which
of the following controls can be used to reduce device exposure to
malware?
B Disallowing untested code in the execution space of the SCADA
device
SCADA is an acronym for supervisory control and data acquisition, which is
a system that monitors and controls industrial processes, such as power
generation, water distribution, or oil refining. SCADA consists of different
devices, such as sensors, controllers, or actuators, that communicate with
each other and with a central server, using various protocols, such as
Modbus, DNP3, or IEC 60870-5-104.
Disallowing untested code in the execution space of the SCADA device is a
control that can reduce device exposure to malware, by preventing or
blocking the execution of any code that has not been verified or validated
by the SCADA device or the SCADA administrator.
39.
Which of the following attacks, if successful, could give an intruder
complete control of a software-defined networking (SDN) architecture?
A A brute force password attack on the Secure Shell (SSH) port of the
controller
The SDN controller is the central component in an SDN architecture,
responsible for managing the network's behavior by sending control
instructions to network devices. If an attacker gains access to the controller,
especially through a brute force attack on the SSH port, they can potentially
gain administrative privileges. This would allow them to take complete
control of the SDN architecture, including modifying network configurations,
redirecting traffic, and disrupting network operations.
71.
What is a security concern when considering implementing software-defined
networking (SDN)?
A. It increases the attack footprint.
SDN centralizes network management and control, potentially increasing
the attack surface compared to traditional networking. Attackers could
target the centralized controller, switches, or the communication channels
between them.
91
Which software defined networking (SDN) architectural component is
responsible for translating network requirements?
C SDN Controller
56
Building blocks for software-defined networks (SDN) require which of
the following?
B The SDN is composed entirely of client-server pairs.
The client-server pair is the basic unit of the SDN, and it consists of a client
device that requests a network service or resource, and a server
device that provides the network service or resource. The client-
server pair communicates with each other through the data plane, and
with the software controller through the control plane. The software
controller acts as the intermediary between the client-server pairs, and it
dynamically configures and optimizes the network according to the policies
and requirements of the client-server pairs.
SDN is a network architecture that decouples the network control plane
from the data plane, and that enables the network to be programmatically
configured and managed by a centralized software controller. The control
plane is the part of the network that makes the decisions about how to
route and forward the network traffic, and that communicates with the
network devices, such as the switches and routers. The data plane is the
part of the network that carries the network traffic, and that executes the
instructions from the control plane, such as the forwarding tables and rules.
11
What determines the level of security of a combination lock?
B Amount of time it takes to brute force the combination
12
What are the three key benefits that application developers should
derive from the northbound application-programming interface (API) of
software-defined networking (SDN)?
D Familiar syntax, abstraction of network topology, and abstraction
of network protocols
A northbound API is an API that enables the communication and interaction
between the SDN controller and the applications or services that run on the
network.
17
Compared to a traditional network, which of the following is a security-
related benefit that software-defined networking (SDN) provides?
B Centralized network administrator control
10
Which of the following determines how traffic should flow based on the
status of the infrastructure layer?
D Control plane
The control plane is responsible for the configuration and management
(routing and forwarding instructions) of the network devices, such as
routers, switches, or firewalls, and the routing protocols, such as EIGRP,
MPLS, OSPF, BGP, or RIP, that control the path selection and forwarding
of the network traffic.
Role: The control plane is responsible for making decisions about where
traffic should be sent. It manages the routing and switching protocols,
creating a network topology and forwarding tables that dictate how
data packets travel through the network.
Functionality: It collects information about network status, such as link
states, device statuses, and network policies. It uses this information to
make decisions about the best paths for traffic and updates the forwarding
tables accordingly.
Data Plane (Forwarding Plane):
Role: The data plane is responsible for the actual forwarding of packets
based on the decisions made by the control plane.
Functionality: It handles the packet forwarding, switching, and filtering
according to the rules established by the control plane. The data plane is
responsible for the processing and forwarding of the network packets, such
as IP, TCP, or UDP, that encapsulate the data. The data plane communicates
with the control plane to receive the routing and forwarding instructions.
Management Plane:
Role: The management plane is responsible for network management
functions such as monitoring, configuration, and logging.
Functionality: It provides interfaces for network administrators to manage
the network devices, such as through SNMP, SSH, or web interfaces.
The management plane is responsible for the administration and
maintenance of the network devices, such as configuration, backup,
update, or troubleshooting, and the network services, such as SNMP, SSH,
or Telnet, that enable the remote access.
57
Backup information that is critical to the organization is identified
through a
C Business Impact Analysis (BIA)
58
A large bank deploys hardware tokens to all customers that use their online
banking system. The token generates and displays a six-digit numeric
password every 60 seconds. The customers must log into their bank
accounts using this numeric password. This is an example of
D synchronous token
A synchronous token is a hardware device that generates and displays a
one-time password (OTP) that changes at fixed intervals, usually based on a
clock or a counter. The OTP is synchronized with the authentication server,
and the user must enter the OTP within a certain time window to log in.
Synchronous tokens generate codes based on time synchronization or a
counter between the token and the authentication server. The scenario
describes a token that generates a new code every 60 seconds, which
matches the definition of a synchronous token.
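The scenario's six-digit, 60-second synchronous token can be modelled with the standard time-based OTP construction (RFC 6238 over RFC 4226). This is an added illustration, not code from the original document; the seed value and the clock-skew tolerance of one step are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Parameters from the scenario: a six-digit code that rotates every 60 seconds.
STEP_SECONDS = 60
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238 / RFC 4226 construction).

    Token and server share `secret` and derive the same counter from the
    clock (unix_time // step), so nothing has to be exchanged between them.
    That shared clock is what makes the token "synchronous".
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step and the
    neighbouring steps, so a small clock drift between token and server does
    not lock the customer out. The comparison is constant-time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, now + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo seed; a real token's seed is provisioned by the bank.
    seed = b"12345678901234567890"
    now = 1_700_000_000
    code = totp(seed, now)
    print("code shown on the token:", code)
    print("accepted now:", verify(seed, code, now))
    print("accepted two minutes later:", verify(seed, code, now + 120))
```

With the RFC 6238 parameters (30-second step, eight digits) the same function reproduces the published test vectors, which is a quick way to confirm a token implementation before deployment.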
59
A vulnerability test on an Information System (IS) is conducted to
C Evaluate the effectiveness of security controls
60
What is the foundation of cryptographic functions?
D Entropy
Entropy is a measure of the randomness or unpredictability of a system or a
process. Entropy is essential for cryptographic functions, such as
encryption, decryption, hashing, or key generation, as it provides the
security and the strength of the cryptographic algorithms and keys. Entropy
can be derived from various sources, such as physical phenomena, user
input, or software applications.
61
Which component of a web application that stores its session state in a
cookie can an attacker bypass?
D An authorization check
An authorization check verifies that the user has the appropriate
permissions to access the requested resources or perform the desired
actions. However, if the session state is stored in a cookie, an attacker can
manipulate the cookie to change the user's role or privileges, and bypass
the authorization check.
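The bypass described above and one way to close it, as an added example that is not part of the original document: the first check reads the role straight from the client's cookie, the second accepts only state that carries a valid server-side HMAC. The key, field names and cookie layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in practice it exists only on the server.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def is_admin_unsafe(cookie_value: str) -> bool:
    """Vulnerable pattern: the role is read from the client-supplied cookie,
    so the authorization check trusts whatever the browser sends."""
    fields = dict(part.split("=", 1) for part in cookie_value.split(";") if "=" in part)
    return fields.get("role") == "admin"


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise the session state and append an HMAC-SHA256 tag over it."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_state(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the state only if the tag verifies; any edited cookie yields None."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def is_admin_safe(cookie_value: str) -> bool:
    """Hardened check: authorization is decided on server-verified state only."""
    state = load_state(cookie_value)
    return state is not None and state.get("role") == "admin"


def tampered_copy(cookie_value: str, new_role: str) -> str:
    """Reproduce the edit the text describes (role changed, original tag kept)
    purely to show that the signed variant rejects it."""
    state = load_state(cookie_value) or {}
    state["role"] = new_role
    forged_payload = sign_state(state).rpartition(".")[0]
    return forged_payload + "." + cookie_value.rpartition(".")[2]
```

A signed cookie still cannot be revoked or expired early on the server, so the stronger design keeps the session state server-side and puts only an opaque session identifier in the cookie.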
62
Sensitive customer data is going to be added to a database. What is
the MOST effective implementation for ensuring data privacy?
C Data link encryption
Data link encryption encrypts the data transmitted over the data link layer,
the second layer of the Open Systems Interconnection (OSI) model. That layer
provides reliable, error-free transmission of data between the nodes or
devices that are connected by the physical layer (the first layer of the OSI
model), such as switches, bridges, or wireless access points.
63
Drag the following Security Engineering terms on the left to the BEST
definition on the right.
Risk: A measure of the extent to which an entity is threatened by a
potential circumstance or event, the adverse impacts that would arise if
the circumstance or event occurs, and the likelihood of occurrence. Risk
is also defined as the combination of the probability of an event and its
consequence. Risk can be assessed, analyzed, and managed using various
methods and techniques, such as risk identification, risk evaluation, risk
treatment, and risk monitoring.
Protection Needs Assessment: The method used to identify the
confidentiality, integrity, and availability requirements for
organizational and system assets and to characterize the adverse
impact or consequences should the asset be lost, modified, degraded,
disrupted, compromised, or become unavailable. Protection needs
assessment is also known as threat assessment, threat analysis, or threat
modeling, and it is part of the security engineering process. Protection
needs assessment can help to identify the potential sources, methods, and
objectives of the attackers, as well as the vulnerabilities and weaknesses of
the system. Protection needs assessment can also help to prioritize the
protection needs and countermeasures for the system.
Security Risk Treatment: The method used to identify feasible security
risk mitigation options and plans.
Security risk treatment is also known as security risk analysis, security
risk assessment, or security impact analysis, and it is part of the
security certification and accreditation (C&A) process. Security risk
treatment can help to determine the security categorization, security
controls, and security assurance level for the assets and the system.
Threat Assessment: The method used to identify and characterize
the dangers anticipated throughout the life cycle of the system.
Threat assessment is also known as risk mitigation, risk response, or risk
treatment, and it is part of the risk management process. Threat
assessment can help to select and implement the appropriate security
controls and strategies to reduce the risk to an acceptable level, or to
transfer, avoid, or accept the risk. Threat assessment can also help to
monitor and evaluate the effectiveness and performance of the security
controls and strategies.
64
Which of the following is the MOST effective method to mitigate Cross-Site
Scripting (XSS) attacks?
B Whitelist input validation
XSS (similar to SQL injection attacks) occurs when an attacker injects malicious
code, usually in the form of a script, into a web application that is then
executed by the browser of an unsuspecting user.
Whitelist input validation is a technique that checks the user input against a
predefined set of acceptable values or characters, and rejects any input that
does not match the whitelist. Whitelist input validation can prevent XSS
attacks by filtering out any malicious or unexpected input that may contain
harmful scripts. Whitelist input validation should be applied at the point of
entry of the user input, and should be combined with output encoding
or sanitization to ensure that any input that is displayed back to the user
is safe and harmless.
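The two layers named above, whitelist validation at the point of entry and output encoding at the point of display, as an added example that is not part of the original document. The field names, character whitelists and HTML fragment are constructed assumptions; the example also shows why encoding is still needed for input that legitimately passes the whitelist (an apostrophe in a name).

```python
import html
import re

# Whitelists: the only characters each field may contain; anything else is rejected at entry.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 '\-]{1,64}")   # allows names such as O'Brien


def validate(field: str, value: str) -> str:
    """Whitelist input validation: return the value unchanged when it matches
    the field's whitelist, raise ValueError otherwise."""
    pattern = {"username": USERNAME_RE, "display_name": DISPLAY_NAME_RE}[field]
    if pattern.fullmatch(value) is None:
        raise ValueError(f"{field}: contains characters outside the whitelist")
    return value


def render_profile(display_name: str) -> str:
    """Output encoding: everything placed in the HTML context is escaped, so a
    whitelisted apostrophe cannot break out of the attribute or the element."""
    safe = html.escape(display_name, quote=True)
    return f'<p title="{safe}">Hello, {safe}!</p>'


def handle_submission(form: dict) -> dict:
    """Validate every field, report rejections, and render only validated values."""
    accepted, rejected = {}, {}
    for field, value in form.items():
        try:
            accepted[field] = validate(field, value)
        except ValueError as exc:
            rejected[field] = str(exc)
    page = render_profile(accepted["display_name"]) if "display_name" in accepted else None
    return {"accepted": accepted, "rejected": rejected, "page": page}
```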
65
Which one of the following is an advantage of an effective release
control strategy from a configuration control standpoint?
D Ensures that a trace for all deliverables is maintained and
auditable
Release control is a process that manages the distribution and installation of
software releases into the operational environment. Configuration control is
a process that maintains the integrity and consistency of the software
configuration items throughout the software development life cycle. An
effective release control strategy can help to ensure that a trace for all
deliverables is maintained and auditable, which means that the origin,
history, and status of each software release can be tracked and verified.
65
Which of the following is the MOST important consideration in selecting
a security testing method based on different Radio-Frequency
Identification (RFID) vulnerability types?
C An understanding of the attack surface
Different types of RFID vulnerabilities may affect different parts of the
system, such as the tags, the readers, the middleware, or the backend
database. Therefore, the most important consideration in selecting a
security testing method based on different RFID vulnerability types is to
have an understanding of the attack surface and the potential threats and
risks associated with each part of the system.
66
Refer to the information below to answer the question. Desktop computers
in an organization were sanitized for re-use in an equivalent security
environment. The data was destroyed in accordance with organizational
policy and all marking and other external indications of the sensitivity of the
data that was formerly stored on the magnetic drives were removed. After
magnetic drives were degaussed twice according to the product
manufacturer's directions, what is the MOST LIKELY security issue with
degaussing?
B Degausser products may not be properly maintained and
operated.
Degaussing can be effective in destroying the data, but it requires that the
degausser products are calibrated, tested, and used according to the
manufacturer's specifications and instructions. If the degausser products
are not properly maintained and operated, they may not generate a
sufficient magnetic force to erase the data completely, or they may damage
the media or the device.
67
Which of the following needs to be tested to achieve a Cat 6a
certification for a company's data cabling?
C Patch panel
68
Which of the following objects should be removed FIRST prior to uploading
code to public code repositories?
A Security credentials
69
When conducting a forensic criminal investigation on a computer hard
drive, what should be done PRIOR to analysis?
C Create a forensic image of the hard drive
70
What technique used for spoofing the origin of an email can
successfully conceal the sender’s Internet Protocol (IP) address?
C Onion routing
Onion routing is a method of anonymous communication that encrypts and
routes the messages through multiple layers of intermediate nodes, called
onion routers, before reaching the final destination. Each onion router only
knows the previous and next hop of the message, but not the entire route or
the origin and destination of the message.
72
An organization has requested storage area network (SAN) disks for a new
project. What Redundant Array of Independent Disks (RAID) level provides
the BEST redundancy and fault tolerance?
D RAID level 5
73
What is the difference between media marking and media labeling?
B Media labeling refers to the use of human-readable security
attributes, while media marking refers to the use of security attributes
in internal data structures
74
Which of the (ISC)² Code of Ethics canons is MOST reflected when
preserving the value of systems, applications, and entrusted information
while avoiding conflicts of interest?
A Act honorably, honestly, justly, responsibly, and legally.
75
Why is lexical obfuscation in software development discouraged by
many organizations?
B Problems recovering systems after disaster
Lexical obfuscation is a software development technique that involves
changing the names of variables, functions, classes, or other identifiers in
the source code to make them obscure or meaningless, such as using
random letters or numbers. Lexical obfuscation is often used to protect the
intellectual property of the software, or to prevent reverse engineering or
tampering by attackers. However, lexical obfuscation is discouraged by
many organizations because it can cause problems recovering systems after
disaster. Lexical obfuscation can make the source code unreadable and
incomprehensible, which can hamper the debugging, testing, maintenance,
and documentation of the software. Lexical obfuscation can also make the
recovery of the software more difficult and time-consuming, especially if the
original names of the identifiers are lost or unavailable.

76
Which of the following elements MUST a compliant EU-US Safe Harbor
Privacy Policy contain?
B An explanation of who can be contacted at the organization
collecting the information if corrections are required by the data
subject
77
A developer is creating an application that requires secure logging of
all user activity. What is the BEST permission the developer should
assign to the log file to ensure requirements are met?
D APPEND
78
Which of the following describes the order in which a digital forensic
process is usually conducted?
A Ascertain legal authority, agree upon examination strategy,
conduct examination, and report results
79
Which of the following is MOST effective in detecting information
hiding in Transmission Control Protocol/Internet Protocol (TCP/IP)
traffic?
B Application-level firewall
Information hiding is a technique that conceals data or messages within
other data or messages, such as using steganography, covert channels, or
encryption. An application-level firewall is a type of firewall that operates at
the application layer of the OSI model, and inspects the content and context
of the network packets, such as the headers, payloads, or protocols. An
application-level firewall can help to detect information hiding in TCP/IP
traffic, as it can analyze the data for any anomalies, inconsistencies, or
violations of the expected format or behavior.
80
Which of the following BEST describes why software assurance is
critical in helping prevent an increase in business and mission risk
for an organization?
A Software that does not perform as intended may be exploitable which
makes it vulnerable to attack.
81
A software architect has been asked to build a platform to distribute music
to thousands of users on a global scale. The architect has been reading
about content delivery networks (CDN). Which of the following is a
principal task to undertake?
B Establish a media caching methodology
82
Which of the following is the BEST method a security practitioner can
use to ensure that systems and sub-systems gracefully handle
invalid input?
A Negative testing
Negative testing is a method of software testing that involves providing
invalid, unexpected, or erroneous input to the system or sub-system and
verifying that it can handle it gracefully, without crashing, freezing, or
producing incorrect results. Negative testing helps to identify the boundary
conditions, error handling, and exception handling of the system or sub-
system, and to ensure its robustness, reliability, and security.
Integration testing is a method of software testing that involves combining
two or more components or modules of the system and verifying that
they work together as expected. Integration testing helps to identify the
interface, compatibility, and communication issues between the
components or modules, and to ensure their functionality, performance, and
quality.
Unit testing is a method of software testing that involves testing each
individual component or module of the system in isolation and
verifying that it performs its intended function. Unit testing helps to identify
the logic, syntax, and functionality errors of the component or module,
and to ensure its correctness, completeness, and efficiency.
Acceptance testing is a method of software testing that involves testing
the system or sub-system by the end users or customers and verifying
that it meets their requirements and expectations.
83
An organization has implemented a password complexity and an account
lockout policy enforcing five incorrect login attempts within ten minutes.
Network users have reported significantly increased account lockouts.
Which of the following security principles is this company affecting?
A Availability
84
Which of the following secures web transactions at the Transport
Layer?
B Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is the only option that secures web transactions
at the transport layer of the OSI model. SSL is a protocol or a standard that
provides security and privacy for the data or the messages exchanged
between a web browser and a web server, or between any two applications
that use the TCP/IP protocol. SSL uses cryptographic techniques, such as
encryption, decryption, hashing, and digital signatures, to protect the
confidentiality, integrity, and authenticity of the data or the messages. SSL
also uses certificates and public key infrastructure (PKI) to establish the
identity and the trustworthiness of the parties involved in the web
transactions.
Secure HyperText Transfer Protocol (S-HTTP) is a protocol or standard that
secures web transactions at the application layer of the OSI model. S-
HTTP is a protocol or a standard that provides security and privacy for the
individual messages or requests within a web transaction, such as a web
page, a form, or a file, by using cryptographic techniques, such as
encryption, decryption, hashing, and digital signatures. S-HTTP is not
widely used, and it is not compatible with SSL or its successor,
Transport Layer Security (TLS).
Socket Security (SOCKS) is a standard that enables web transactions
across different network protocols or architectures, by using a proxy
server. SOCKS is a protocol or a standard that allows applications to
communicate with other applications on a different network, without
requiring any changes to the applications or the networks. SOCKS can
provide some security features, such as authentication or encryption, but it
is not designed to secure web transactions.
Secure Shell (SSH) is a protocol or a standard that secures remote access
or administration of a system or a network, by using a secure channel.
SSH is a protocol or a standard that provides security and privacy for the
commands or the data exchanged between a client and a server, or
between two systems or networks, by using cryptographic techniques, such
as encryption, decryption, hashing, and digital signatures. SSH also uses
public key authentication and key exchange to establish the identity and
the trustworthiness of the parties involved in the remote access or
administration.
85
Which of the following actions will reduce risk to a laptop before traveling to
a high risk area?
C Purge or re-image the hard disk drive
86
In a dispersed network that lacks central control, which of the
following is the PRIMARY course of action to mitigate exposure?
B Implement security policies and standards, access controls, and
access limitations
87
An organization has decided to contract with a cloud-based service provider
to leverage their identity as a service offering. They will use Open
Authentication (OAuth) 2.0 to authenticate external users to the
organization's services. As part of the authentication process, which of
the following must the end user provide?
A An access token
OAuth 2.0 is an authorization framework that enables a third-party
application (e.g. Gmail or LinkedIn account to access resources on another
site on the internet) to obtain limited access to an HTTP service, either on
behalf of a resource owner or by allowing the third-party application to
obtain access on its own behalf. The end user must provide an access token
to the service provider, which is issued by an authorization server after the
user grants permission to the third-party application. The access token
represents the user's identity and the scope of access granted by the user.
The service provider can then use the access token to authenticate the user
and provide the requested service. A username and password are not
required by OAuth 2.0, as they are only used to authenticate the user to the
authorization server, not the service provider.
88
Which of the following is a secure design principle for a new product?
A Build in appropriate levels of fault tolerance
89
A Certified Information Systems Security Professional (CISSP) with identity
and access management (IAM) responsibilities is asked by the Chief
Information Security Officer (CISO) to perform a vulnerability assessment on
a web application to pass a Payment Card Industry (PCI) audit. The CISSP
has never performed this before. According to the (ISC)² Code of
Professional Ethics, which of the following should the CISSP do?
C Inform the CISO that they are unable to perform the task because
they should render only those services for which they are fully
competent and qualified
90
While dealing with the consequences of a security incident, which of
the following security controls are MOST appropriate?
B Corrective and recovery controls
91
What are the steps of a risk assessment?
A Identification, analysis, evaluation
92
When are security requirements the LEAST expensive to implement?
D When built into application design
94
The ability to send malicious code, generally in the form of a client
side script, to a different end user is categorized as which type of
vulnerability?
C Cross-Site Scripting (XSS)
95
An organization is designing a large enterprise-wide document
repository system. They plan to have several different classification
level areas with increasing levels of controls. The BEST way to ensure
document confidentiality in the repository is to
A Encrypt the contents of the repository and document any
exceptions to that requirement
96
Which of the following alarm systems is recommended to detect
intrusions through windows in a high-noise, occupied environment?
C Shock sensor
98
An organization has discovered that organizational data is posted by
employees to data storage accessible to the general public. What is the
PRIMARY step an organization must take to ensure data is properly
protected from public release?
A Implement a data classification policy
99
An information technology (IT) employee travels frequently to various
sites of an organization to troubleshoot problems remotely. Which of the
following solutions BEST serves as a secure control mechanism to meet
the organization's requirements?
D Install a bastion host in the demilitarized zone (DMZ) and allow
multi-factor authentication (MFA) access
A bastion host is a hardened server that is placed in the demilitarized zone
(DMZ), a network segment that is exposed to the internet and separated
from the internal network by firewalls. A bastion host provides a secure and
controlled access point for remote users or administrators who need to
connect to the internal network or systems. A bastion host can also act as a
proxy server, a VPN gateway, or a jump server, depending on the
configuration and the purpose. A bastion host should be protected by
multiple layers of security, such as multi-factor authentication (MFA),
encryption, logging, monitoring, and patching. A bastion host is the best
solution to allow an IT employee who travels frequently to various locations
to troubleshoot problems remotely, as it minimizes the exposure and the
risk of unauthorized access.
1
A retail company is looking to start a development project that will utilize
open source components in its code for the first time. The development
team has already acquired several open source components and utilized
them in proof of concept (POC) code. The team recognizes that the
legal and operational risks are outweighed by the benefits of open-
source software use. What MUST the organization do next?
C Establish an open-source compliance policy
2
What is a risk of using commercial off-the-shelf (COTS) products?
A COTS products may not map directly to an organization's security
requirements.
3
Which of the following technologies can be used to monitor and
dynamically respond to potential threats on web applications?
C Runtime application self-protection (RASP)
Runtime application self-protection (RASP) is a technology that can be used
to monitor and dynamically respond to potential threats on web
applications. RASP is a software component that is integrated into the web
application or the runtime environment, and it analyzes the behavior and
the context of the application and the requests. RASP can detect and
prevent attacks such as SQL injection, cross-site scripting, or buffer
overflow, by blocking or modifying the malicious requests or responses.
6
Which of the following is BEST achieved through the use of eXtensible
Access Markup Language (XACML)?
B Manage resource privileges
XACML is an XML-based language for specifying access control
policies. It defines a declarative, fine-grained, attribute-based access
control policy language, an architecture, and a processing model
describing how to evaluate access requests according to the rules defined in
policies. XACML is best suited for managing resource privileges, as it allows
for flexible and dynamic authorization decisions based on various
attributes of the subject, resource, action, and environment.
7
Which of the following is MOST appropriate for protecting confidentiality
of data stored on a hard drive?
B Advanced Encryption Standard (AES)
8
Which of the following needs to be taken into account when assessing
vulnerability?
A Risk identification and validation
Risk Identification and Validation: This involves identifying potential risks
associated with identified vulnerabilities and validating these risks to
understand their potential impact. During vulnerability assessment, it is
essential to not only identify the vulnerabilities but also to understand the
risks they pose. This includes determining the likelihood of exploitation and
the potential consequences if the vulnerability is exploited. By validating
these risks, an organization can prioritize which vulnerabilities need to be
addressed most urgently.
9
Which section of the assessment report addresses separate
vulnerabilities, weaknesses, and gaps?
A Key findings section
10
An organization purchased commercial off-the-shelf (COTS) software
several years ago. The information technology (IT) Director has decided to
migrate the application into the cloud, but is concerned about the
application security of the software in the organization's dedicated
environment with a cloud service provider. What is the BEST way to
prevent and correct the software's security weakness?
D Examine the software updating and patching process
14
Which of the following MOST applies to session initiation protocol
(SIP) security?
C It reuses security mechanisms derived from existing protocols
SIP reuses security mechanisms derived from existing protocols, such as
Transport Layer Security (TLS), Secure Real-time Transport Protocol
(SRTP), and Internet Protocol Security (IPsec).
15
Which of the following entails identification of data and links to
business processes, applications, and data stores as well as
assignment of ownership responsibilities?
A Security portfolio management (Security governance)
16
An input validation and exception handling vulnerability has been
discovered on a critical web-based system.
A Add a new rule to the application layer firewall
18
What is an important characteristic of Role Based Access Control (RBAC)?
B Simplifies the management of access rights
19
What is static analysis intended to do when analyzing an executable
file?
D Disassemble the file to gather information about the executable
file's function.
Static analysis is a technique of examining the code or structure of a file or
program without executing it. Static analysis can be used to identify
potential vulnerabilities, errors, or malicious code in a file or program. One
of the methods of static analysis is disassembly, which is the process of
converting the binary code of an executable file into a human-
readable assembly language. Disassembly can reveal information about
the executable file's function, such as the instructions, variables, registers,
memory addresses, and system calls. Disassembly can also help to reverse
engineer the logic and algorithm of the executable file.
20
Which of the following needs to be included in order for High
Availability (HA) to continue operations during planned system
outages?
D Clustering, load balancing, and fault-tolerant options
21
What is the MOST critical factor to achieve the goals of a security
program?
B Executive management support
22
Which of the following is held accountable for the risk to
organizational systems and data that result from outsourcing
Information Technology (IT) systems and services?
A The acquiring organization
23
Which of the following regulations dictates how data breaches are
handled?
D General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a regulation that dictates
how data breaches are handled, among other data protection and privacy
requirements. The GDPR applies to any organization that processes the
personal data of individuals in the European Union (EU), regardless of the
location of the organization. The GDPR defines a personal data breach as "a
breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed". The GDPR requires the
organization to notify the supervisory authority of the data breach within
72 hours of becoming aware of it, unless the breach is unlikely to result in
a risk to the rights and freedoms of the individuals. The GDPR also requires
the organization to notify the affected individuals of the data breach
without undue delay, if the breach is likely to result in a high risk to their
rights and freedoms.
24
The organization would like to deploy an authorization mechanism for an
Information Technology (IT) infrastructure project with high employee
turnover. Which access control mechanism would be preferred?
D Role-Based Access Control (RBAC)
RBAC can be preferred for an IT infrastructure project with high employee
turnover because it can simplify the management and the administration of
the user accounts and access rights. RBAC can reduce the administrative
overhead and ensure the consistency and accuracy of the user accounts
and access rights, by using predefined roles or groups that have defined
privileges. RBAC can also facilitate the identity lifecycle management
activities, such as provisioning, review, or revocation, by adding or
removing users from the roles or groups based on their current jobs.
25
A customer continues to experience attacks on their email, web, and
File Transfer Protocol (FTP) servers. These attacks are impacting their
business operations. Which of the following is the BEST
recommendation to make?
B Create a demilitarized zone (DMZ)
The cloud DMZ serves as a buffer zone that segregates internal network
traffic from external traffic. It hosts internet-facing services while providing
a controlled gateway to the internal network. Such as Web Servers: Hosts
for web applications and services that need to be accessible from the
internet. Application Gateways: Proxies or gateways that facilitate secure
communication between external clients and internal applications. Intrusion
Detection and Prevention Systems (IDPS): Systems that monitor for and
respond to suspicious activities or potential threats within the DMZ.
26
What is the PRIMARY reason for ethics awareness and related policy
implementation?
B It affects the reputation of an organization
27
Before allowing a web application into the production environment, the
security practitioner performs multiple types of tests to confirm that the
web application performs as expected. To test the username field, the
security practitioner creates a test that enters more characters into the
field than is allowed. Which of the following BEST describes the type of
test performed?
A Misuse case testing
28
Which of the following is the PRIMARY reason a sniffer operating on a
network is collecting packets only from its own host?
B The network is connected using switches
29
All of the following items should be included in a Business Impact Analysis
(BIA) questionnaire EXCEPT questions that
A Determine the risk of a business interruption occurring
30
Which of the following MUST be scalable to address security concerns
raised by the integration of third-party identity services?
B Enterprise security architecture
31
What security risk does the role-based access approach mitigate
MOST effectively?
A Excessive access rights to systems and data
32
What should be the FIRST action for a security administrator who
detects an intrusion on the network based on precursors and other
indicators?
A Isolate and contain the intrusion
Documenting and verifying the intrusion is essential for understanding the
incident and improving future response strategies. However, this should
follow the immediate containment actions. Ensuring that the threat is
contained takes precedence to prevent further damage and ensure a
controlled environment for subsequent investigation.
33
Which Identity and Access Management (IAM) process can be used to
maintain the principle of least privilege?
D user access review
34
An online retail company has formulated a record retention schedule for
customer transactions. Which of the following is a valid reason a
customer transaction is kept beyond the retention schedule?
A Pending legal hold
35
What is the overall goal of software security testing?
C Reducing vulnerabilities within a software system
36
Which of the following is the BEST network defense against unknown
types of attacks or stealth attacks in progress?
D Network Behavior Analysis (NBA) tools
37
Refer to the information below to answer the question. A large,
multinational organization has decided to outsource a portion of their
Information Technology (IT) organization to a third-party provider's facility.
This provider will be responsible for the design, development, testing,
and support of several critical, customer-based applications used by the
organization. What additional considerations are there if the third
party is located in a different country?
C The effects of transborder data flows and customer expectations
regarding the storage or processing of their data
38
What is the MINIMUM standard for testing a disaster recovery plan
(DRP)?
D As often as necessary depending upon the stability of the
environment and business requirements
39
What type of investigation applies when malicious behavior is
suspected between two organizations?
C Civil
40
Which of the following is MOST important when determining
appropriate countermeasures for an identified risk?
C Organizational risk tolerance
41
Which of the following steps is performed during the forensic data
analysis phase?
B Searching for relevant strings
The forensic data analysis phase involves examining and interpreting the
data to find relevant facts and artifacts that support the investigation.
Searching for relevant strings is one of the steps performed during
the forensic data analysis phase. Strings are sequences of printable
characters that may contain useful information, such as passwords,
usernames, email addresses, file names, and commands. Searching for
strings can help to identify and extract evidence from the data collected
during the forensic acquisition phase. Collecting known system files,
creating file lists, and recovering deleted data are steps performed
during the forensic acquisition phase, not the forensic data analysis
phase. The forensic acquisition phase involves creating a bit-by-bit
copy of the original data source, verifying its integrity, and
preserving its chain of custody.
42
What are the essential elements of a Risk Assessment Report (RAR)?
D Executive summary, body of the report, and appendices
A RAR is a document that summarizes the findings and recommendations of
a risk assessment, which is a process of identifying, analyzing, and
evaluating the risks that affect an organization's assets, objectives, or
operations. A RAR typically consists of three main parts: executive
summary, body of the report, and appendices. The executive summary
provides a brief overview of the purpose, scope, methodology, results, and
conclusions of the risk assessment. The body of the report provides a
detailed description of the risk assessment process, including the risk
identification, risk analysis, risk evaluation, risk treatment, and risk
monitoring and review. The appendices provide any additional or supporting
information, such as data sources, risk matrices, risk registers, risk
treatment plans, or references.
43
Assessing a third party's risk by counting bugs in the code may not be the
best measure of an attack surface within the supply chain. Which of the
following is LEAST associated with the attack surface?
C Error messages (other options: A Input protocol, B Target processes, D Access rights)
44
How can a security engineer maintain network separation from a
secure environment while allowing remote users to work in the
secure environment?
B Implement a bastion host

45
Which of the following system components enforces access controls on
an object?
D Reference monitor
A reference monitor is an abstract concept that represents the mechanism
that mediates the access requests from the subjects to the objects, and that
enforces the access control policies on the objects. A reference monitor can
be implemented as a hardware component, a software component, or a
combination of both, and it can be integrated into the operating system, the
application, or the device.
A reference monitor has three properties: it is tamper-proof, which means
that it cannot be modified, bypassed, or disabled; it is always invoked,
which means that it is always active; and it is verifiable, which means that
it can be tested and validated.
An object is a passive entity that contains or receives information, such as a
file, a folder, a database, or a message. Access control is the process of
granting or denying access to an object based on the identity, role, or
attributes of the subject that requests access, and the rules or policies that
define the access rights and permissions of the subject to the object. A
subject is an active entity that requests access to an object, such as a user,
a process, or a device.
47
Dumpster diving is a technique used in which stage of penetration testing
methodology?
B Discovery
Penetration testing is a type of security testing that simulates a real-world
attack on a system or a network, to identify and evaluate the security
vulnerabilities and issues, and to provide recommendations and solutions
for the security improvement. Penetration testing follows a methodology
that consists of several stages, such as planning, discovery, attack,
reporting, and follow-up. Discovery is the stage of penetration testing
methodology that involves gathering information and intelligence about the
target system or network, such as the topology, configuration, services, or
users, using various techniques, such as scanning, enumeration, or
dumpster diving. Dumpster diving is a technique that involves searching
through the trash or the discarded items of the target organization, to find
any valuable or sensitive information, such as documents, credentials, or
devices.
48
Which of the following is the MOST important consideration that must be
taken into account when deploying an enterprise patching solution
that includes mobile devices?
D Feasibility of downloads due to available bandwidth
49
A vulnerability assessment report has been submitted to a client. The
client indicates that one third of the hosts that were in scope are
missing from the report. In which phase of the assessment was this error
MOST likely made?
D Discovery
The discovery phase of a vulnerability assessment is the process of
identifying and enumerating the hosts, services, and applications that are in
scope of the assessment. This phase involves techniques such as
network scanning, port scanning, service scanning, and banner
grabbing.
50
Which technique can be used to make an encryption scheme more
resistant to a known plaintext attack?
D Compressing the data before encryption
Compression removes redundancy from the data, making it more difficult
for attackers to exploit patterns in the plaintext when performing
cryptographic analysis. When data is compressed before encryption, the
plaintext becomes more random, thus reducing the predictability that an
attacker might rely on.
A known plaintext attack is a type of cryptanalysis where the attacker has
access to some pairs of plaintext and ciphertext encrypted with the
same key, and tries to recover the key or decrypt other ciphertexts. A
known plaintext attack can exploit the statistical properties or patterns of
the plaintext or the ciphertext to reduce the search space or guess the key.
51
An organization adopts a new firewall hardening standard. How can the
security professional verify that the technical staff correctly
implemented the new standard?
A Perform a compliance review
A compliance review is a process of checking whether the systems and
processes meet the established standards, policies, and regulations. A
compliance review can help to verify that the technical staff has correctly
implemented the new firewall hardening standard, as well as to identify and
correct any deviations or violations.
52
Which of the following is a potential risk when a program runs in
privileged mode?
D It may allow malicious code to be inserted
Privileged mode, also known as kernel mode or supervisor mode, is a
mode of operation that grants the program full access and control over
the hardware and software resources of the system, such as memory, disk,
CPU, and devices. A program that runs in privileged mode can perform any
action or instruction without any restriction or protection. This can be
exploited by an attacker who can inject malicious code into the program,
such as a rootkit, a backdoor, or a keylogger, and gain unauthorized access
or control over the system
53
Which combination of cryptographic algorithms are compliant with Federal
Information Processing Standard (FIPS) Publication 140-2 for non-legacy
systems?
B Diffie-Hellman (DH) key exchange: DH (>=2048 bits)
Symmetric Key: Advanced Encryption Standard (AES) >=128 bits
Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits)
54
What is the PRIMARY benefit of analyzing the partition layout of a hard
disk volume when performing forensic analysis?
C Partition tables which are not completely utilized may contain
data that was purposely hidden
A partition is a logical division of a hard disk volume that can contain a file
system, an operating system, or other data. A partition table is a data
structure that stores information about the partitions, such as their size,
location, type, and status. By analyzing the partition table, a forensic
examiner can identify the partitions that are active, inactive, hidden, or
deleted, and recover data from them. Sometimes, malicious users or
attackers may hide data in partitions that are not completely utilized, such
as slack space, free space, or unpartitioned space, to avoid detection or
deletion.
55
Which one of the following documentation should be included in a
Disaster Recovery (DR) package?
C Hardware configuration instructions, hardware configuration
software, an operating system image, a data restoration option, media
retrieval instructions
A Disaster Recovery (DR) package is a set of documents, tools, and
resources that are needed to restore the normal operations of a system or
network after a disaster. A DR package should include the following
documentation: hardware configuration instructions, hardware
configuration software, an operating system image, a data restoration
option, media retrieval instructions, backup and recovery
procedures, contact lists, and emergency response plans. These
documents can help to rebuild the system or network from scratch, restore
the data from backups, and resume the business functions as quickly as
possible.
56
How does a Host Based Intrusion Detection System (HIDS) identify a
potential attack?
A Examines log messages or other indications on the system
A HIDS can examine various sources of data on the host, such as system
logs, audit trails, registry entries, file system changes, network connections,
and so on.
57
Which of the following protection is provided when using a Virtual
Private Network (VPN) with Authentication Header (AH)?
C Sender non-repudiation
AH is one of the protocols used by IPsec, which is a suite of protocols for
securing IP traffic. AH provides integrity, authentication, and anti-replay
protection for the entire IP packet, including the header and the payload.
AH does not provide payload encryption or sender confidentiality;
those are provided by another IPsec protocol, Encapsulating
Security Payload (ESP).
58
What is an effective practice when returning electronic storage media to
third parties for repair?
D Establishing a contract with the third party regarding the secure
handling of the media.
59
What does secure authentication with logging provide?
B Access accountability
60
What is the MOST common security risk of a mobile device?
B Data leakage
61
An attacker who is able to remain indefinitely logged into a web service is
exploiting which of the following?
C Session management
62
Passive Infrared Sensors (PIR) used in a non-climate controlled
environment should
C Automatically compensate for variance in background
temperature
Passive Infrared Sensors (PIR) are devices that detect motion by sensing the
infrared radiation emitted by objects. In a non-climate controlled
environment, the background temperature may vary due to weather,
seasons, or other factors. This may affect the sensitivity and accuracy of the
PIR sensors, as they may not be able to distinguish between the object and
the background. Therefore, the PIR sensors should have a feature that
automatically adjusts the threshold or baseline of the background
temperature to avoid false alarms or missed detections.
63
Why must all users be positively identified prior to using multi-user
computers?
C To ensure that unauthorized persons cannot access the
computers
64
A Business Continuity Plan (BCP) is based on
C a review of the business processes and procedures
66
What would be the BEST action to take in a situation where collected
evidence was left unattended overnight in an unlocked vehicle?
D Immediately report the matter to the case supervisor
67
Which of the following is the BIGGEST weakness when using native
Lightweight Directory Access Protocol (LDAP) for authentication?
D Passwords are passed in clear text
The biggest weakness when using native Lightweight Directory Access
Protocol (LDAP) for authentication is that passwords are passed in clear text
over the network, exposing them to eavesdropping and interception
attacks. To mitigate this risk, LDAP should be used with encryption
protocols, such as Secure Sockets Layer (SSL) or Transport Layer Security
(TLS), or with authentication protocols, such as Kerberos or Simple
Authentication and Security Layer (SASL).
68
Which reporting type requires a service organization to describe its
system and define its control objectives and controls that are relevant to
user’s internal control over financial reporting?
B Service Organization Control 1 (SOC1)
70
A security professional should ensure that clients support which
secondary algorithm for digital signatures when a Secure
Multipurpose Internet Mail Extension (S/MIME) is used?
D Rivest-Shamir-Adleman (RSA)
S/MIME supports several algorithms for digital signatures, but the most
common ones are RSA and DSA. RSA is a more versatile algorithm that can
be used for both encryption and digital signatures, while DSA is
designed only for digital signatures. RSA is also more widely supported
by email clients and servers than DSA.
Therefore, a security professional should ensure that clients support RSA as
a secondary algorithm for digital signatures when S/MIME is used, in case
the primary algorithm is not available or compatible.
71
Which one of the following considerations has the LEAST impact when
considering transmission security?
C Network bandwidth
72
Which of the following protocols will allow the encrypted transfer of
content on the Internet?
B Secure copy
Secure copy (SCP) is a protocol that allows the encrypted transfer of content
on the Internet. SCP uses Secure Shell (SSH) to provide authentication
and encryption for the data transfer. SCP can be used to copy files
between local and remote hosts, or between two remote hosts.
73
An organization plans to acquire a commercial off-the-shelf (COTS)
system to replace their aging home-built reporting system. When
should the organization's security team FIRST get involved in this
acquisition's life cycle?
A When the system is being designed, purchased, programmed,
developed, or otherwise constructed
75
The disaster recovery (DR) process should always include
A Plan maintenance

76
A hacker can use a lockout capability to start which of the following attacks?
Denial of Service (DoS) attack
77
An organization allows ping traffic into and out of their network. An
attacker has installed a program on the network that uses the
payload portion of the ping packet to move data into and out of the
network. What type of attack has the organization experienced?
D Covert channel
The organization has experienced a covert channel attack, which is a
technique of hiding or transferring data within a communication channel
that is not intended for that purpose. In this case, the attacker has used the
payload portion of the ping packet, which is normally used to carry
diagnostic data, to move data into and out of the network.
78
If an attacker in a SYN flood attack uses someone else's valid host address
as the source address, the system under attack will send a large number of
Synchronize/Acknowledge (SYN/ACK) packets to the
D specified source address
79
Which of the following services can be deployed via a cloud service or
on-premises to integrate with Identity as a Service (IDaaS) as the
authoritative source of user identities?
A Directory
80
The MAIN task of promoting security for Personal Computers (PC) is
D Making users understand the risks to the machines and data, so
they will take appropriate steps to protect them
81
Which of the following is the PRIMARY concern when using an Internet
browser to access a cloud-based service?
D Vulnerabilities within protocols that can expose confidential data
82
An organization needs a general purpose document to prove that its
internal controls properly address security, availability, processing
integrity, confidentiality or privacy risks. Which of the following reports
is required?
C A Service Organization Control (SOC) 2 report
83
An organization regularly conducts its own penetration tests. Which of the
following scenarios MUST be covered for the test to be effective?
B System administrator access compromised
84
A company receives an email threat informing of an imminent Distributed
Denial of Service (DDoS) attack targeting its web application, unless ransom
is paid. Which of the following techniques BEST addresses that threat?
D Coordinate with and utilize capabilities within Internet Service
Provider (ISP)
85
When defining a set of security controls to mitigate a risk, which of
the following actions MUST occur?
C The control set must adequately mitigate the risk
86
A software scanner identifies a region within a binary image having
high entropy. What does this MOST likely indicate?
A Encryption routines
High Entropy: High entropy in a binary image suggests a high degree of
randomness in the data. This characteristic is often associated with
encrypted data because encryption algorithms transform plaintext into
ciphertext that appears random to ensure confidentiality.

88
Match the objectives to the assessment questions in the
governance domain of Software Assurance Maturity Model (SAMM)
Secure Architecture - Do you advertise shared security services with
guidance for project teams?
Education & Guidance - Are most people tested to ensure a baseline skill-set
for secure development practices?
Strategy & Metrics - Does most of the organization know about what's
required based on risk ratings?
Vulnerability Management - Are most project teams aware of their security
point(s) of contact and response team(s)?
89
A security professional was tasked with rebuilding a company's wireless
infrastructure. Which of the following are the MOST important factors to
consider while making a decision on which wireless spectrum to deploy?
B Performance, geographic location, and radio signal interference
90
Which of the following is required to verify the authenticity of a
digitally signed document?
C Sender's public key
A digital signature is created by applying a hash function to the document
and then encrypting the hash value with the sender's private key. To verify
the authenticity of a digitally signed document, the recipient needs to
decrypt the signature with the sender's public key, which can be obtained
from a trusted source, such as a digital certificate. The recipient also needs
to apply the same hash function to the document and compare the resulting
hash value with the decrypted signature. If they match, the document is
authentic and has not been altered. The digital hash of the signed
document, the sender's private key, and the agreed upon shared secret are
not required for verification, and may not be available or secure.

91
Which of the following initiates the system recovery phase of a disaster
recovery plan?
D Activating the organization's hot site
92
Which of the following is the MAIN reason for using configuration
management?
D To provide consistency in security controls
Configuration management is the process of identifying, documenting,
controlling, and verifying the characteristics and settings of the hardware,
software, data, and network components of a system. Configuration
management helps to ensure that the system is configured and maintained
according to the security policies, standards, and baselines, and that any
changes to the system are authorized, recorded, and tracked. Configuration
management also helps to prevent or detect unauthorized or unintended
changes to the system, which may introduce vulnerabilities, errors, or
inconsistencies.
93
An important principle of defense in depth is that achieving
information security requires a balanced focus on which PRIMARY
elements?
C People, technology, and operations
94
An organization wants to share data securely with their partners via
the Internet. Which standard port is typically used to meet this
requirement?
C Set up a server on Transmission Control Protocol (TCP) port 22
(Secure Shell (SSH))
The standard port that is typically used to share data securely with partners
via the Internet is Transmission Control Protocol (TCP) port 22. TCP port 22
is the default port for Secure Shell (SSH), a protocol that provides
encrypted and authenticated communication between systems over an
unsecured network. SSH can be used to securely transfer files, execute
commands, or tunnel other protocols. SSH uses public key cryptography to
authenticate the systems and users, and symmetric cryptography to
encrypt the data. SSH can also compress the data to reduce the bandwidth
usage and improve the performance.
95
A security professional is asked to provide a solution that restricts a bank
teller to only perform a savings deposit transaction but allows a supervisor
to perform corrections after the transaction. Which of the following is the
MOST effective solution?
C Access is based on user's role
96
Which of the following security testing strategies is BEST suited for
companies with low to moderate security maturity?
C Black-box testing
97
Which of the following is the MOST effective way to ensure the endpoint
devices used by remote users are compliant with an organization's
approved policies before being allowed on the network?
B Network Access Control (NAC)
Mobile Device Management (MDM) focuses on managing and securing mobile devices (such as
smartphones and tablets) used within an organization. While MDM is
important for enforcing policies on mobile devices, it does not cover
non-mobile endpoint devices (like laptops and desktops) and does not
typically control network access in the same comprehensive way as NAC.
98
What is the BEST design for securing physical perimeter protection?
A Crime Prevention through Environmental Design (CPTED)
99
Which of the following is a direct monetary cost of a security incident?
C Equipment
100
Which of the following is fundamentally required to address potential
security issues when initiating software development?
C Add information security objectives into development.
1
A Simple Power Analysis (SPA) attack against a device directly observes
which of the following?
B Consumption
SPA is a type of side channel attack that exploits the variations in the power
consumption of a device, such as a smart card or a cryptographic module,
to infer information about the operations or data processed by the device.
SPA can reveal the type, length, or sequence of instructions executed by the
device, or the value of the secret key or data used by the device.
2
Which of the following trust services principles refers to the
accessibility of information used by the systems, products, or services
offered to a third-party provider's customers?
D Availability
3
What is the MOST important step during forensic analysis when trying
to learn the purpose of an unknown application?
D Isolate the system from the network
Disabling all unnecessary services is a step that should be done after
isolating the system from the network, because it can ensure that the
system is optimized and simplified for the forensic analysis, and that the
system resources and functions are not consumed or affected by any
irrelevant or redundant services.
4
The overall goal of a penetration test is to determine a system's
A Ability to withstand an attack
5
Which of the following statements is TRUE about Secure Shell (SSH)?
B SSH supports port forwarding, which can be used to protect less
secured protocols.
SSH supports port forwarding, which is a technique that allows the user to
redirect or tunnel the network traffic from one port or system to another
port or system, through the SSH connection. Port forwarding can be used to
protect less secured protocols, such as Telnet, FTP, or HTTP, by encrypting
and securing the network traffic that uses those protocols, and preventing
any interception, modification, or eavesdropping of the data or the
information. The other statements are not true about SSH. SSH does
protect against man-in-the-middle (MITM) attacks, which are attacks
where an attacker intercepts, modifies, or relays the communication or the
connection between two systems or devices, without their knowledge or
consent. SSH protects against MITM attacks by using public key
cryptography and digital signatures, which ensure the identity and the
authenticity of the systems or devices, and prevent any tampering or
spoofing of the data or the information. SSH cannot be used with almost any
application, because it is not concerned with maintaining a circuit, but
rather with establishing a session. A circuit is a physical or logical path or
connection between two systems or devices, and it can be used by various
applications or protocols, such as TCP or UDP. A session is a logical or virtual
connection between two systems or devices, and it is used by a specific
application or protocol, such as SSH or Telnet. SSH is not easy to deploy,
because it does not require a web browser only, but rather a client and a
server software, and a pair of public and private keys. A web browser is a
software application that allows the user to access and view the web pages
or the websites on the internet, and it uses the HTTP or HTTPS protocol, not
the SSH protocol.
6
Multi-threaded applications are more at risk than single-threaded
applications to
A Race conditions.
A race condition is a type of concurrency error that occurs when two or
more threads access or modify the same shared resource without
proper synchronization or coordination. This may result in inconsistent,
unpredictable, or erroneous outcomes, as the final result depends on the
timing and order of the thread execution. Race conditions can compromise
the security, reliability, and functionality of the application, and can lead to
data corruption, memory leaks, deadlock, or privilege escalation.
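The check-then-act race described above, as an added example (not part of the original notes): a constructed toy account whose withdrawal checks the balance and then deducts. Several threads released at once all pass the check before any deduction lands, overdrawing the account, while holding a lock across both steps makes the outcome consistent.

```python
import threading
import time


class Account:
    """Toy account with a check-then-act withdrawal (constructed for this example)."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount: int) -> bool:
        # The check and the update are two separate steps with no synchronization:
        # another thread can pass the same check before this one updates the balance.
        if self.balance >= amount:
            time.sleep(0.01)  # widen the window so the race shows reliably
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount: int) -> bool:
        # Holding the lock across check and update makes the two steps atomic
        # with respect to every other thread that uses the same lock.
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.01)
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(start: int, amount: int, n_threads: int, safe: bool):
    """Start n_threads that all try to withdraw `amount` at the same moment.

    Returns (final_balance, number_of_successful_withdrawals).
    """
    acct = Account(start)
    withdraw = acct.withdraw_safe if safe else acct.withdraw_unsafe
    barrier = threading.Barrier(n_threads)  # release every thread together
    results = []

    def worker():
        barrier.wait()
        results.append(withdraw(amount))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    print("unsafe:", run_concurrent_withdrawals(100, 100, 5, safe=False))  # overdrawn
    print("safe:  ", run_concurrent_withdrawals(100, 100, 5, safe=True))   # (0, 1)
```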
7
Which of the following mobile code security models relies only on trust?
A Code signing
Code signing is a mobile code security model that relies only on trust, which
means that the security of the mobile code depends on the reputation and
credibility of the code provider. Code signing works as follows: The code
provider has a pair of public and private keys, and obtains a digital
certificate from a trusted third party, such as a certificate authority (CA),
that binds the public key to the identity of the code provider.
Mobile code is a type of software that can be transferred from one system
to another and executed without installation or compilation. Mobile
code can be used for various purposes, such as web applications, applets,
scripts, macros, etc. Mobile code can also pose various security risks, such
as malicious code, unauthorized access, data leakage, etc. Mobile code
security models are the techniques that are used to protect the systems
and users from the threats of mobile code.
8
A chemical plant wants to upgrade the Industrial Control System (ICS) to
transmit data using Ethernet instead of RS422. The project manager wants
to simplify administration and maintenance by utilizing the office
network infrastructure and staff to implement this upgrade. Which of the
following is the GREATEST impact on security for the network?
B The ICS is now accessible from the office network
9
Employee training, risk management, and data handling procedures
and policies could be characterized as which type of security measure?
D Administrative
10
The use of strong authentication, the encryption of Personally
Identifiable Information (PII) on database servers, application
security reviews, and the encryption of data transmitted across
networks provide
B Defense in depth
12
Which of the following open source software issues pose the MOST risk
to an application?
C The software has multiple Common Vulnerabilities and Exposures
(CVE) and only some are remediated.
13
Which of the following are the BEST characteristics of security metrics?
D They are consistently measured and quantitatively expressed
15
An employee of a retail company has been granted an extended leave of
absence by Human Resources (HR). This information has been formally
communicated to the access provisioning team. Which of the following is
the BEST action to take?
A Revoke access temporarily
16
What are the roles within a scrum methodology?
B Product owner, scrum master, and scrum team
17
A developer begins employment with an information technology (IT)
organization. On the first day, the developer works through the list of
assigned projects and finds that some files within those projects aren't
accessible. Other developers working on the same project have no trouble
locating and working on them. What is the MOST likely explanation for the
discrepancy in access?
D The new developer's user account was not associated with the
right roles needed for the projects.
18
Which of the following is the MOST important reason for using a chain of
custody form?
A To document those who were in possession of the evidence at
every point in time
19
In Identity Management (IdM), when is the verification stage
performed?
B Before creation of the identity
In Identity Management (IdM), the verification stage is performed before
creation of the identity, which is the process of establishing and
assigning a unique and persistent identifier to a subject, such as a
person, a device, or an application, that wants to access a system or a
resource. The verification stage is the process of confirming the validity and
accuracy of the attributes and credentials of the subject, such as the name,
the address, the e-mail, the password, or the biometrics, that are provided
during the registration or enrollment stage. The verification stage ensures
that the subject is who they claim to be, and that they are authorized and
eligible to obtain an identity. The verification stage may involve various
methods, such as checking the subject's identity documents, contacting the
subject's references, or performing a background check. The verification
stage is different from the authentication stage, which is
performed as part of system sign-on, and which is the process of
verifying the identity of the subject that wants to access a system
or a resource, by comparing the credentials provided by the subject with the
credentials stored in the system.
20
Which of the following measures serves as the BEST means for protecting
data on computers, smartphones, and external storage devices when
traveling to high-risk countries?
A Review applicable destination country laws, forensically clean
devices prior to travel, and only download sensitive data over a
virtual private network (VPN) upon arriving at the destination
21
Data remanence refers to which of the following?
D The residual information left on magnetic storage media after a
deletion or erasure
22
A risk assessment report recommends upgrading all perimeter firewalls to
mitigate a particular finding. Which of the following BEST supports this
recommendation?
C The expected loss from the risk exceeds mitigation costs
24
Which of the following is the GREATEST benefit of implementing a Role
Based Access Control (RBAC) system?
D A considerably simpler provisioning process
25
Which of the following would be the FIRST step to take when
implementing a patch management program?
D Create a system inventory
26
The design review for an application has been completed and is
ready for release. What technique should an organization use to
assure application integrity?
C Digital signing
The technique that an organization should use to assure application
integrity is digital signing. Digital signing is a technique that uses
cryptography to generate a digital signature for a message or a
document, such as an application. The digital signature is a value that is
derived from the message and the sender's private key, and it can be
verified by the receiver using the sender's public key.
27
Physical Access Control Systems (PACS) allow authorized security
personnel to manage and monitor access control for subjects through
which function?
B Personal Identity Verification (PIV)
Physical Access Control Systems (PACS) are systems that control and
monitor the physical access of subjects (such as people, vehicles, or
objects) to a facility or an area. PACS use various methods to authenticate
and authorize subjects, such as biometrics, smart cards, PINs, passwords,
or tokens. One of the functions of PACS is Personal Identity Verification
(PIV), which is a standard for verifying the identity of federal employees and
contractors in the United States. PIV cards are issued by the federal
government and contain a photo, a fingerprint, a cryptographic certificate,
and a personal identification number (PIN).
28
The application of which of the following standards would BEST reduce
the potential for data breaches?
D ISO 27001
ISO 27001 is an international standard that specifies the requirements and
the guidelines for establishing, implementing, maintaining, and improving
an information security management system (ISMS) within an
organization. An ISMS is a systematic approach to managing the information
security of the organization, by applying the principles of plan-do-check-
act (PDCA) cycle, and by following the best practices of risk assessment,
risk treatment, security controls, monitoring, review, and improvement. ISO
27001 can help reduce the potential for data breaches, as it can provide a
framework and a methodology for the organization to identify, protect,
detect, respond, and recover from the information security incidents or
events that could compromise the confidentiality, integrity, or availability of
the data or the information.
29
Which of the following adds end-to-end security inside a Layer 2
Tunneling Protocol (L2TP) for Internet Protocol Security (IPSec)
connection?
D Transport Layer Security (TLS)
11
The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data
C in the Point-to-Point Protocol (PPP)
L2TP is a tunneling protocol that operates at the data link layer (Layer 2)
of the OSI model, and is used to support virtual private networks (VPNs) or
as part of the delivery of services by ISPs. L2TP does not provide
encryption or authentication by itself, but it can be combined with
IPsec to provide security and confidentiality for the tunneled data.
L2TP is commonly used to tunnel PPP sessions over an IP network, such
as the Internet.
30
An engineer notices some late collisions on a half-duplex link. The
engineer verifies that the devices on both ends of the connection are
configured for half duplex. Which of the following is the MOST likely cause
of this issue?
C The cable length is excessive.
A half-duplex link is a communication channel that allows data
transmission in one direction at a time. A collision occurs when two
devices try to transmit data at the same time on the same channel,
resulting in corrupted or lost data. A late collision occurs when a
collision is detected after the first 64 bytes of the frame have been
transmitted, indicating a problem with the physical layer of the network.
One possible cause of late collisions is that the cable length is too long,
exceeding the maximum distance allowed by the network standard. This
can cause signal degradation, propagation delay, and synchronization
issues, leading to late collisions.
32
Reciprocal backup site agreements are considered to be
C Easy to implement for similar types of organizations
A reciprocal backup site agreement is a type of backup site agreement that
is established between two or more organizations that have similar types or
levels of backup sites, and that agree to provide or share their backup sites
with each other in the event of a disaster that affects one or more of the
organizations.
33
Which High Availability (HA) database option allows multiple clients
to access multiple database servers simultaneously?
D Replicated database
A replicated database is a database that is copied and distributed
across multiple servers, usually in different locations. Replication ensures
that the data is consistent and synchronized across all servers, and
provides fault tolerance, load balancing, and improved performance.
34
Which of the following is a benefit in implementing an enterprise
Identity and Access Management (IAM) solution?
B Risk associated with orphan accounts is reduced.
An orphan account is an account that belongs to a user who has left the
organization or changed roles, but the account has not been deactivated or
deleted. An orphan account poses a security risk, as it can be exploited by
unauthorized users or attackers to gain access to the system or data.
35
Digital non-repudiation requires which of the following?
A A trusted third-party
Digital non-repudiation requires a trusted third-party, which is a
person or entity that is independent, impartial, and reliable, and
that provides a service or function that facilitates or supports the
digital non-repudiation process.
Digital signatures, which are created using asymmetric encryption
(public-private key pairs), are fundamental to non-repudiation.
Symmetric encryption uses the same key for both encryption and
decryption, making it unsuitable for non-repudiation purposes.
36
What should an auditor do when conducting a periodic audit on media
retention?
A Check electronic storage media to ensure records are not
retained past their destruction date
A The process will require too many resources
38
When designing a new Voice over Internet Protocol (VoIP) network, an
organization's top concern is preventing unauthorized users from
accessing the VoIP network. Which of the following will BEST help
secure the VoIP network?
B 802.1x
802.1x is a protocol that provides port-based network access control,
which means that it controls the access to a network port based on the
authentication and authorization of the device or the user that is trying
to connect to the port. 802.1x can be used to secure the VoIP network by
preventing unauthorized devices or users from accessing the network ports
that are used for VoIP communication, such as the ports on the switches,
routers, or phones.
39
While classifying credit card data related to Payment Card Industry
Data Security Standards (PCI-DSS), which of the following is a
PRIMARY security requirement?
C Encryption of data
41
An organization plans on purchasing a custom software product
developed by a small vendor to support its business model. Which
unique consideration should be made part of the contractual
agreement to address the potential long-term risks associated with
creating this dependency?
A A source code escrow clause
A source code escrow clause is a provision that requires the vendor to
deposit the source code of the software product with a trusted third
party, who will release it to the customer under certain conditions, such
as the vendor's bankruptcy, insolvency, or failure to provide
maintenance or support. A source code escrow clause can help to mitigate
the potential long-term risks associated with creating a dependency on a
small vendor, such as losing access to the software product, being unable to
fix bugs or vulnerabilities, or being unable to modify or update the software
product.
42
Which of the following is a security limitation of File Transfer Protocol
(FTP)?
D Authentication is not encrypted
43
A company needs to provide shared access of sensitive data on a
cloud storage to external business partners. Which of the following
identity models is the BEST to blind identity providers (IdP) and relying
parties (RP) so that subscriber lists of other parties are not disclosed?
B Proxied federation
In proxied federation, a third-party entity, called the proxy, acts as an
intermediary between the identity providers and relying parties, and
handles the authentication and authorization requests and responses
on their behalf. The proxy does not disclose the subscriber lists of the
identity providers or relying parties to each other, and only shares the
necessary attributes or claims to enable the access. The proxy also provides
a single point of management, auditing, and policy enforcement for the
federation.
45
A client has reviewed a vulnerability assessment report and has stated it is
inaccurate. The client states that the vulnerabilities listed are not
valid because the host's Operating System (OS) was not properly
detected. Where in the vulnerability assessment process did the error
MOST likely occur?
D Discovery
46
A firm within the defense industry has been directed to comply with
contractual requirements for encryption of a government client's
Controlled Unclassified Information (CUI). What encryption strategy
represents how to protect data at rest in the MOST efficient and cost-
effective manner?
B Perform logical separation of program information, using virtualized
storage solutions with built-in encryption at the virtualization layer
47
During the procurement of a new information system, it was determined
that some of the security requirements were not addressed in the
system specification. Which of the following is the MOST likely reason
for this?
D The description of the security requirements was insufficient
48
Which of the following would present the highest annualized loss
expectancy (ALE)?
A Fire
EVENT       LOSS EXPECTANCY   ANNUALIZED RATE OF OCCURRENCE   INSURANCE COVERAGE
FIRE        $1,000,000        0.1                             80%
FLOOD       $250,000          0.2                             50%
WINDSTORM   $50,000           0.5                             80%
EARTHQUAKE  $800,000          0.02                            NONE
Annualized loss expectancy = single loss expectancy (SLE) x
annualized rate of occurrence (ARO)
ALE is a metric that measures the expected loss per year due to a specific
risk or threat. ALE is calculated by multiplying the single loss expectancy
(SLE), which is the estimated cost of a single occurrence of the risk or
threat, by the annualized rate of occurrence (ARO), which is the estimated
frequency of the risk or threat occurring in a year.
Fire: $1,000,000 x 0.1 = $100,000 (FIRE HAS THE HIGHEST ALE)
Flood: $250,000 x 0.2 = $50,000
Windstorm: $50,000 x 0.5 = $25,000
Earthquake: $800,000 x 0.02 = $16,000
50
Which of the following BEST describes an access control method
utilizing cryptographic keys derived from a smart card private key
that is embedded within mobile devices?
A derived credential
A smart card may not be compatible or convenient for mobile devices, such
as smartphones or tablets, that do not have a smart card reader or a USB
port. To address this issue, a derived credential is a solution that allows the
user to use a mobile device as an alternative to a smart card for
authentication and encryption. A derived credential is a cryptographic key
and a certificate that are derived from the smart card private key and
certificate, and that are stored on the mobile device.
51
Which of the following is the MOST important first step in preparing for
a security audit?
B Define the scope
52
Refer to the information below to answer the question. A large organization
uses unique identifiers and requires them at the start of every system
session. Application access is based on job classification. The organization is
subject to periodic independent reviews of access controls and violations.
The organization uses wired and wireless networks and remote access. The
organization also uses secure connections to branch offices and secure
backup and recovery strategies for selected information and processes.
Following best practice, where should the permitted access for each
department and job classification combination be specified?
B Security standards
53
According to the Capability Maturity Model Integration (CMMI),
which of the following levels is identified by a managed process that
is tailored from the organization's set of standard processes
according to the organization's tailoring guidelines?
Level 3: Defined
The Capability Maturity Model Integration (CMMI) is a framework that
defines the best practices and standards for improving the performance,
quality, and efficiency of an organization's processes. The CMMI consists of
five maturity levels that represent the degree of maturity and capability of
the organization's processes, from level 1 (lowest) to level 5 (highest).
Level 3: Defined means that the organization has a well-defined and
consistent process that is based on the standard processes, but that can be
tailored to meet the specific requirements and objectives of each project or
situation. Level 3: Defined can help to improve the effectiveness,
predictability, and repeatability of the organization's processes, as
well as to enable the continuous improvement of the processes. Level
0: Incomplete, level 1: Performed, or level 2: Managed are not the maturity
levels that are identified by a managed process that is tailored from the
organization's set of standard processes according to the organization's
tailoring guidelines, as they are either lower or non-existent levels of
maturity and capability of the organization's processes.
54
A database server for a financial application is scheduled for production
deployment. Which of the following controls will BEST prevent
tampering?
B Data validation (SQL injection)
55
What term is commonly used to describe hardware and software
assets that are stored in a configuration management database
(CMDB)?
D Configuration item
A configuration item is a term commonly used to describe hardware and
software assets that are stored in a configuration management database
(CMDB). A configuration item is an identifiable and manageable component
of a system or service that has a defined lifecycle and configuration. A
CMDB is a repository that contains information about the
configuration items and their relationships. A configuration element,
an asset register, and a ledger item are not terms that are used to describe
hardware and software assets in a CMDB.
58
Which of the following is a unique feature of attribute-based access control
(ABAC)?
C A user is granted access to a system at a particular time of day
59
Rank the Hypertext Transfer Protocol (HTTP) authentication types shown
below in order of relative strength. Drag the authentication type to the
correct position on the right according to strength, from weakest to
strongest.
HTTP authentication                  Strength
Digest                               Weakest
Integrated Windows Authentication    Weak
Basic                                Strong
Client certificate                   Strongest
60
An organization is required to comply with the Payment Card Industry
Data Security Standard (PCI-DSS), what is the MOST effective
approach to safeguard digital and paper media that contains cardholder
data?
C Mandate encryption of cardholder data
61
Which of the following would be considered an incident if reported by a
security information and event management (SIEM) system?
B A log source has stopped sending data
A SIEM system relies on the data from the log sources to provide a
comprehensive and accurate view of the security posture and events of the
organization. A web resource reporting a 404 error would not be considered
an incident, as this is a common and benign error that indicates that the
requested resource was not found on the server.
62
A user is allowed to access the file labeled "Financial Forecast," but only
between 9:00 a.m. and 5:00 p.m., Monday through Friday. Which type
of access mechanism should be used to accomplish this?
B Rule-based access control
Rule-based access control is a type of access mechanism that uses
predefined rules or policies to grant or deny access to resources based on
certain conditions or criteria. The rule-based access control system can
evaluate the attributes of the user, the file, and the environment, such as
the identity, role, location, time, or date, and compare them with the rules
or policies that specify the access conditions.
63
Which of the following is a document that identifies each item seized in
an investigation, including date and time seized, full name and signature
or initials of the person who seized the item, and a detailed description of
the item?
B Chain of custody form
65
A hospital's building controls system monitors and operates the
environmental equipment to maintain a safe and comfortable environment.
Which of the following could be used to minimize the risk of utility
supply interruption?
D Digital protection and control devices capable of minimizing the
adverse impact to critical utility
66
An organization wants to define its physical perimeter. What primary
device should be used to accomplish this objective if the organization's
perimeter MUST cost-efficiently deter casual trespassers?
D Fences six to seven feet high with a painted gate
68
Which of the following activities BEST identifies operational problems,
security misconfigurations, and malicious attacks?
C Periodic log reviews
69
Refer to the information below to answer the question. A security
practitioner detects client-based attacks on the organization's network.
A plan will be necessary to address these concerns. In addition to web
browsers, what PRIMARY areas need to be addressed concerning
mobile code used for malicious purposes?
D Email, media players, and instant messaging applications
Mobile code is a type of code that can be transferred or executed over a
network, such as the internet, without the user's knowledge or consent, and
that can perform various functions or tasks on the user's system, such as
displaying advertisements, collecting information, or installing malware.
Mobile code can be embedded or attached in various types of applications
or files, such as web browsers, email, media players, or instant messaging
applications.
70
Write Once, Read Many (WORM) data storage devices are designed to BEST
support which of the following core security concepts?
A Integrity
73
Which of the following is the primary advantage of segmenting Virtual
Machines (VM) using physical networks?
A Simplicity of network configuration and network monitoring
75
In the "Do" phase of the Plan-Do-Check-Act model, which of the
following is performed?
C Ensure the business continuity policy, controls, processes, and
procedures have been implemented
76
The security organization is looking for a solution that could help them
determine with a strong level of confidence that attackers have breached
their network. Which solution is MOST effective at discovering a successful
network breach?
B Deploying a honeypot
77
Which of the following will help prevent improper session handling?
B Ensure that tokens are sufficiently long, complex, and pseudo-
random
Session handling is a process of managing the state and interaction of a
user with a web application or service. Session handling typically involves
creating, maintaining, and terminating a session, which is a temporary
and unique identifier that links the user to the web application or service. A
session token is a value that is generated and assigned to the user when
the user authenticates to the web application or service, and it is used to
track and validate the user's requests and responses. A session token is
usually stored in a cookie, a hidden field, or a URL parameter, and it is sent
along with each request and response. Improper session handling is a
security risk that occurs when the session token is exposed,
intercepted, guessed, or stolen by an attacker, who can then use it to
impersonate or hijack the user's session, and gain unauthorized access or
privileges to the web application or service.
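An added example (not from the original notes) of the session handling just described: tokens come from the operating system's CSPRNG via `secrets.token_urlsafe`, the store keeps only a hash of each token, and every lookup enforces a minimum entropy floor plus expiry. The 256-bit token size, the 128-bit acceptance floor and the 15-minute TTL are assumed policy values for this example, not figures from the page.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 32                        # 256 bits drawn from the OS CSPRNG (assumed policy)
MIN_TOKEN_BITS = 128                    # reject anything weaker than this (assumed policy)
URLSAFE_ALPHABET_BITS = math.log2(64)   # token_urlsafe emits a 64-symbol alphabet


def estimated_entropy_bits(token: str, bits_per_symbol: float = URLSAFE_ALPHABET_BITS) -> float:
    """Upper bound on entropy, assuming every symbol was chosen uniformly."""
    return len(token) * bits_per_symbol


def is_acceptable_token(token: str) -> bool:
    """Short or low-alphabet tokens are guessable; refuse them before any lookup."""
    return estimated_entropy_bits(token) >= MIN_TOKEN_BITS


class SessionStore:
    """In-memory session table covering create, validate, expire and terminate."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time) -> None:
        self._sessions = {}       # sha256(token) -> (user_id, expiry timestamp)
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised in tests

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked session table then yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)   # 43 unguessable characters
        self._sessions[self._key(token)] = (user_id, self.clock() + self.ttl)
        return token

    def validate(self, token: str):
        """Return the user behind a live token, or None for unknown/expired/weak tokens."""
        if not is_acceptable_token(token):
            return None
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expiry = entry
        if self.clock() > expiry:
            self.terminate(token)          # expired sessions are dropped, not kept around
            return None
        return user_id

    def terminate(self, token: str) -> None:
        """Logout or forced revocation: remove the session regardless of expiry."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=900)
    tok = store.create("alice")
    print(tok, estimated_entropy_bits(tok), store.validate(tok))
```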
78
Which of the following would an attacker BEST be able to accomplish
through the use of Remote Access Tools (RAT)?
D Maintain and expand control
80
A cloud service provider requires its customer organizations to enable
maximum audit logging for its data storage service and to retain the logs
for a period of three months. The audit logging generates an extremely high
volume of logs. What is the MOST appropriate strategy for the log
retention?
A Keep last week's logs in an online storage and the rest in a near-
line storage
81
Which of the following is the MAIN difference between a network-based
firewall and a host-based firewall?
B A network-based firewall controls traffic passing through the
device, while a host-based firewall controls traffic destined for the
device.
A network-based firewall is a type of firewall that is deployed at the network
perimeter or the network segment, and that controls the traffic that passes
through the device, such as the traffic that enters or exits the network, or
the traffic that moves between different network zones or subnets. A host-
based firewall is a type of firewall that is installed on a specific host or
system, such as a server, a workstation, or a mobile device, and that
controls the traffic that is destined for the device, such as the traffic that
originates from or terminates at the device, or the traffic that is related to
the applications or processes running on the device.
81
Two computers, each with a single connection on the same physical 10
gigabit Ethernet network segment, need to communicate with each other.
The first machine has a single Internet Protocol (IP) Classless Inter-Domain
Routing (CIDR) address of 192.168.1.3/30 and the second machine has an
IP/CIDR address 192.168.1.6/30. Which of the following is correct?
D Since each computer is on a different layer 3 network, traffic
between the computers must be processed by a network router in
order to communicate.
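Working the two addresses above through Python's standard `ipaddress` module, as an added example not from the original notes: it derives each machine's network, usable host range and broadcast address, and shows the two /30 prefixes do not match, so the hosts are on different layer 3 networks despite sharing a segment.

```python
import ipaddress


def describe_interface(addr_with_prefix: str) -> dict:
    """Work out the subnet facts for an address written in CIDR form."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    usable = [str(h) for h in net.hosts()]        # network and broadcast excluded
    return {
        "address": str(iface.ip),
        "network": str(net),                      # e.g. 192.168.1.0/30
        "netmask": str(net.netmask),              # 255.255.255.252 for a /30
        "usable_hosts": usable,
        "broadcast": str(net.broadcast_address),
        "is_usable_host": str(iface.ip) in usable,
    }


def same_layer3_network(addr_a: str, addr_b: str) -> bool:
    """True only when both interfaces share the same network prefix.

    When this is False, the two hosts will not ARP for each other even on one
    physical segment; each sends the traffic to its default gateway, so a
    router has to sit between them.
    """
    return (ipaddress.ip_interface(addr_a).network
            == ipaddress.ip_interface(addr_b).network)


if __name__ == "__main__":
    for addr in ("192.168.1.3/30", "192.168.1.6/30"):
        print(describe_interface(addr))
    print("same L3 network:", same_layer3_network("192.168.1.3/30", "192.168.1.6/30"))
```

A side effect of the computation worth noticing: 192.168.1.3 is the broadcast address of 192.168.1.0/30, so `is_usable_host` is False for the first machine.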
82
When planning a penetration test, the tester will be MOST interested
in which information?
D Exploits that can attack weaknesses
Exploits are the techniques or tools that take advantage of the
vulnerabilities to compromise the security or functionality of the system or
network. The tester will use the exploits to simulate a real attack and test
the effectiveness of the security controls and defenses.
83
Which of the following actions should be performed when
implementing a change to a database schema in a production system?
D Change in development, perform user acceptance testing,
develop a back-out strategy, and implement change
84
Which of the following would an information security professional use to
recognize changes to content, particularly unauthorized changes?
A File Integrity Checker
A File Integrity Checker is a type of security tool that monitors and verifies
the integrity and authenticity of the files or content, by comparing the
current state or version of the files or content with a known or trusted
baseline or reference, using various methods, such as checksums, hashes,
or signatures. A File Integrity Checker can recognize changes to content,
particularly unauthorized changes, by detecting and reporting any
discrepancies or anomalies between the current state or version and the
baseline or reference, such as the addition, deletion, modification, or
corruption of the files or content.
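A minimal file integrity checker of the kind described, added here as an example (not from the original notes): it hashes every file under a root into a baseline, re-scans later, and reports added, removed and modified paths. The demo builds its own constructed directory tree in a temp folder so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report what differs from the trusted baseline: new, missing and altered files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo_detect_changes() -> dict:
    """Constructed scenario: baseline a tree, alter it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "app.cfg").write_bytes(b"debug=false\n")
        (root / "bin" / "server").write_bytes(b"constructed binary v1")
        baseline = build_baseline(root)          # taken while the tree is trusted

        # Simulated unauthorized changes made after the baseline was recorded
        (root / "app.cfg").write_bytes(b"debug=true\n")              # modified
        (root / "bin" / "server").unlink()                           # removed
        (root / "bin" / "unexpected.so").write_bytes(b"new file")    # added

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo_detect_changes())
```

In practice the baseline itself must be stored somewhere the monitored host cannot alter, otherwise an attacker who changes a file can simply re-baseline it.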
85
What is the MOST common cause of Remote Desktop Protocol (RDP)
compromise?
B Brute force attack
86
What is the expected outcome of security awareness in support of a
security awareness program?
D Awareness is not training. The purpose of awareness presentation
is simply to focus attention on security
Awareness does involve activities, such as presentations, newsletters, and
posters, to keep security at the forefront of employees' minds. It is not just
a state of persistence.
87
When testing password strength, which of the following is the BEST
method for brute forcing passwords?
A Conduct an offline attack on the hashed password information
88
Which of the following addresses requirements of security
assessments during software acquisition?
D Software assurance policy
89
In the Software Development Life Cycle (SDLC), maintaining accurate
hardware and software inventories is a critical part of
D Change management
90
What can happen when an Intrusion Detection System (IDS) is
installed inside a firewall-protected internal network?
A The IDS can detect failed administrator logon attempts from
servers
Note: the distractor stating that the firewall can detect the failed logon attempts is not correct.
An IDS can be installed inside a firewall-protected internal network to
monitor the traffic within the network and identify any potential threats or
anomalies. One of the scenarios that an IDS can detect is failed
administrator logon attempts from servers. This could indicate that an
attacker has compromised a server and is trying to escalate privileges or
access sensitive data.
92
Of the following, which BEST provides non-repudiation with regards to
access to a server room?
C Biometric readers
93
When reviewing vendor certifications for handling and processing of
company data, which of the following is the BEST Service Organization
Controls (SOC) certification for the vendor to possess?
C SOC 2 Type 2
94
The birthday attack is MOST effective against which one of the
following cipher technologies?
C Cryptographic hash (digest)
A cryptographic hash is a function that takes an input of any size and
produces an output of a fixed size, called a hash or digest, that
represents the input. A cryptographic hash has several properties, such as
being one-way, collision-resistant, and deterministic. A birthday attack is
a type of brute-force attack that exploits the mathematical
phenomenon known as the birthday paradox, which states that in a set of
randomly chosen elements, there is a high probability that some pair of
elements will have the same value.
A birthday attack can be used to find collisions in a cryptographic hash,
which means finding two different inputs that produce the same hash.
Finding collisions can compromise the integrity or the security of the hash,
as it can allow an attacker to forge or modify the input without changing the
hash.
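The birthday bound and the collision search it enables, as an added worked example (not part of the original study notes): the exact birthday-paradox probability, the 2^(n/2) work estimate, and a birthday search run against SHA-256 truncated to 20 bits so that it finishes quickly. The truncation and the message format are constructed for the demo.

```python
import hashlib
import math


def no_collision_probability(space_size, samples):
    """Exact probability that `samples` uniformly random draws from a space
    of `space_size` values are all distinct (the birthday-paradox product)."""
    p = 1.0
    for i in range(samples):
        p *= (space_size - i) / space_size
    return p


def collision_probability(space_size, samples):
    """Probability that at least one pair among the draws coincides."""
    return 1.0 - no_collision_probability(space_size, samples)


def samples_for_collision(digest_bits, probability=0.5):
    """Approximate number of hashes needed before a collision appears with the
    given probability: sqrt(2 * N * ln(1 / (1 - p))) with N = 2**digest_bits.
    For p = 0.5 this is about 1.18 * 2**(digest_bits / 2), so a 128-bit digest
    costs only ~2**64 hash computations to collide, not 2**128."""
    n = 2 ** digest_bits
    return math.sqrt(2 * n * math.log(1 / (1 - probability)))


def truncated_sha256(data, digest_bits):
    """Toy hash: SHA-256 truncated to `digest_bits` bits so the search below
    finishes in seconds. Full SHA-256 itself is not weakened by this demo."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - digest_bits)


def find_collision(digest_bits):
    """Birthday search: hash distinct constructed messages, remembering each
    digest, until one repeats. Returns (message_a, message_b, hashes_done)."""
    seen = {}
    i = 0
    while True:
        msg = b"constructed-message-%d" % i
        h = truncated_sha256(msg, digest_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print("23 people, 365 birthdays:", round(collision_probability(365, 23), 4))
    print("hashes for a 50%% collision on 128 bits: 2^%.2f"
          % math.log2(samples_for_collision(128)))
    a, b, n = find_collision(20)
    print("20-bit collision after %d hashes: %r vs %r" % (n, a, b))
```

The 20-bit search typically needs only a little over a thousand hashes, which is why digest length, not just one-wayness, decides a hash function's collision resistance.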
95
From a security perspective, which of the following assumptions MUST be
made about input to an application?
D It is untrusted
96
Which of the following combinations would MOST negatively affect
availability?
A Denial of Service (DoS) attacks and outdated hardware
98
What is the MOST significant benefit of role-based access control
(RBAC)?
A Reduction in authorization administration overhead
100 (821)
An organization recently upgraded to a Voice over Internet Protocol (VoIP)
phone system. Management is concerned with unauthorized phone
usage. Security consultant is responsible for putting together a plan to
secure these phones. Administrators have assigned unique personal
identification number codes for each person in the organization. What is the
BEST solution?
A Use phone locking software to enforce usage and PIN policies
Phone locking software can restrict the access to the phone features and
functions based on the user's PIN, role, or location. Phone locking software
can also enforce policies such as PIN expiration, PIN complexity, PIN history,
and PIN lockout. Phone locking software can also generate logs and reports
of the phone usage and activity.
1
Who is essential for developing effective test scenarios for disaster
recovery (DR) test plans?
A Business line management and IT staff members
2
Which of the following is MOST critical in a contract for data disposal
on a hard drive with a third party?
4
A corporation does not have a formal data destruction policy. During
which phase of a criminal legal proceeding will this have the MOST
impact?
D Discovery
Discovery is the phase where the parties involved in the litigation exchange
information and evidence relevant to the case, such as documents, records,
emails, and other data. The lack of a formal data destruction policy can
create challenges and risks for the organization; for example, the
organization may not be able to comply with legal requests or obligations to
produce or preserve the data, which can result in sanctions, penalties, or
adverse judgments.
5
Which of the following statements is TRUE of black box testing
A Only the functional specifications are known to the test planner
6
Which of the following access control models is MOST restrictive?
B Mandatory Access Control (MAC)
The most restrictive access control model is Mandatory Access Control
(MAC), which is a model that assigns a security label (such as a
classification or a clearance level) to each subject and object, and allows
access only if the subject's security label matches or dominates the object's
security label. MAC is enforced by the system or the network, and cannot be
modified by the subjects or the owners of the objects. MAC provides strong
security and confidentiality for the objects, as it prevents unauthorized or
unintended access by the subjects. Discretionary Access Control (DAC) is
not the most restrictive access control model, as it is a model that allows
the subjects or the owners of the objects to grant or revoke access rights
and permissions to the objects, based on their discretion.
7
Which of the following is used to detect steganography?
B Statistical analysis
Steganography is the technique of hiding information within another
information, such as embedding a secret message in an image,
audio, or video file. Statistical analysis is a method of examining the
characteristics and patterns of the data, such as the frequency, distribution,
and correlation of the values. Statistical analysis can reveal anomalies or
deviations from the expected or normal behavior of the data, which may
indicate the presence of hidden information.
For example, statistical analysis can compare the histogram of an image file
with and without steganography, and detect any significant changes in the
color or brightness values.
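The histogram comparison described above, as an added example that is not part of the original notes: the "pairs of values" chi-square statistic, which detects least-significant-bit (LSB) embedding because embedding random bits flattens the counts within each (2k, 2k+1) value pair. The cover data, the toy embedding routine and the detection threshold are all constructed for the demo.

```python
import random


def lsb_embed(cover, bits):
    """Toy LSB embedding (constructed for the demo): write one message bit into
    the least significant bit of each sample, e.g. a pixel's 8-bit value."""
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def pair_histogram(samples):
    """Histogram of 8-bit values grouped into the 128 pairs (2k, 2k+1) that
    LSB replacement can move a sample between."""
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    return [(counts[2 * k], counts[2 * k + 1]) for k in range(128)]


def chi_square_pairs(samples):
    """'Pairs of values' chi-square statistic. Natural data has uneven pairs;
    embedding random bits evens every pair out, so the statistic collapses
    from a large value toward roughly the number of non-empty pairs (~128)."""
    stat = 0.0
    for even, odd in pair_histogram(samples):
        expected = (even + odd) / 2
        if expected:
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return stat


def looks_like_lsb_stego(samples, threshold=400.0):
    """Flag data whose pair histogram is suspiciously flat (constructed
    threshold; a real tool calibrates it on known-clean covers)."""
    return chi_square_pairs(samples) < threshold


def constructed_cover(n, rng):
    """Constructed cover data with an image-like skew: within each pair the
    even value occurs about four times as often as the odd one."""
    return [2 * rng.randrange(128) + (0 if rng.random() < 0.8 else 1)
            for _ in range(n)]


def demo_pair(n=20000, seed=1):
    """Build a seeded cover/stego pair so the numbers are repeatable."""
    rng = random.Random(seed)
    cover = constructed_cover(n, rng)
    stego = lsb_embed(cover, [rng.randrange(2) for _ in range(n)])
    return cover, stego


if __name__ == "__main__":
    cover, stego = demo_pair()
    print("cover chi-square: %.0f" % chi_square_pairs(cover))
    print("stego chi-square: %.0f" % chi_square_pairs(stego))
    print("stego flagged:", looks_like_lsb_stego(stego),
          "| cover flagged:", looks_like_lsb_stego(cover))
```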
9
What is the GREATEST challenge to identifying data leaks?
B Documented asset classification policy and clear labeling of
assets.
10
A mobile device application that restricts the storage of user information
to just that which is needed to accomplish lawful business goals
adheres to what privacy principle?
B Collection Limitation
11
A company is attempting to enhance the security of its user authentication
processes. After evaluating several options, the company has decided to
utilize Identity as a Service (IDaaS). Which of the following factors leads the
company to choose an IDaaS as their solution?
B In-house team lacks resources to support an on-premise solution
12
A colleague who recently left the organization asked a security professional
for a copy of the organization's confidential incident management policy.
Which of the following is the BEST response to this request?
D Submit the request using company official channels to ensure the policy
is okay to distribute
13
What is the MOST significant benefit of an application upgrade that
replaces randomly generated session keys with certificate-based
encryption for communications with backend servers?
A Non-repudiation
Digital certificates are issued by a trusted certificate authority (CA), and
contain the public key and other information of the owner. Certificate-based
encryption can provide non-repudiation by using the public key and the
private key of the parties to perform encryption and decryption, and by
using digital signatures to verify the identity and the integrity of the data.
14
A technician is troubleshooting a client's report about poor wireless
performance. Using a client monitor, the technician notes the following
information:
A Channel overlap
The image shows that there are four WAPs with the same SSID (Corporate)
using channels 9, 10, 11, and 6. These channels are too close to each other
and overlap in the 2.4GHz band, resulting in poor wireless performance.
The issue can be resolved by changing the channels of the WAPs to
non-overlapping ones, such as 1, 6, and 11.
15
In a quarterly system access review, an active privileged account was
discovered that did not exist in the prior review on the production system.
The account was created one hour after the previous access review. Which
of the following is the BEST option to reduce overall risk in addition to
quarterly access reviews
D Implement and review risk-based alerts
A risk-based alert could be generated when a privileged account is created,
modified, or deleted, or when a privileged account performs an unusual or
unauthorized activity.
16
What should be used to determine the risks associated with using
Software as a Service (SaaS) for collaboration and email?
D Common Security Framework (CSF)
The Common Security Framework (CSF) is a set of security standards,
best practices, and tools developed by the Health Information Trust
Alliance (HITRUST) to help organizations manage the risks and
compliance requirements associated with using cloud services,
such as Software as a Service (SaaS). The CSF covers 19 domains of
security controls, such as access control, audit logging, encryption, incident
management, and vulnerability management. The CSF also provides a
certification program and a self-assessment tool for organizations to
measure and demonstrate their adherence to the CSF requirements.
17
How should the retention period for an organization's social media
content be defined?
B By the records retention policy of the organization
18
Which of the following is the MOST important part of an awareness and
training plan to prepare employees for emergency situations?
C Designing business continuity and disaster recovery training
programs for different audiences
19
Which of the following is MOST important to follow when developing
information security controls for an organization?
A Exercise due diligence with regard to all risk management
information to tailor appropriate controls
20
What type of risk is related to the sequences of value-adding and
managerial activities undertaken in an organization?
B Process risk
21
Which of the following is a characteristic of the initialization vector when
using Data Encryption Standard (DES)?
B It can be transmitted in the clear as a random number
An initialization vector (IV) is a value or a parameter that is used to
initialize or modify the encryption or decryption process, such as the cipher
block chaining (CBC) mode of operation. An IV is used to provide an
additional layer of security and randomness to the encryption or decryption
process, as it prevents the same plaintext from producing the same
ciphertext, and vice versa. An IV can be transmitted in the clear as
a random number, as it does not contain any sensitive or
confidential information, and as it changes with each session or
transaction, making it difficult for the attackers to predict or manipulate the
encrypted or decrypted data patterns.
22
Who determines the required level of independence for security
control Assessors (SCA)?
B Authorizing Official (AO)
23
Which of the following is the PRIMARY security consideration for how
an organization should handle Information Technology (IT) assets?
D The classification of the data on the asset
24
When developing an external facing web-based system, which of the
following would be the MAIN focus of the security assessment prior to
implementation and production?
C Ensuring that input validation is enforced
25
As a design principle, which one of the following actors is responsible for
identifying and approving data security requirements in a cloud
ecosystem?
C Cloud consumer
26
In software development, which of the following entities normally signs the
code to protect the code integrity?
D The developer
27
Which of the following is the BEST approach for a forensic examiner to
obtain the greatest amount of relevant information from malicious
software?
A Analyze the behavior of the program
28
An organization is outsourcing its payroll system and is requesting to
conduct a full audit on the third-party information technology (IT) systems.
During the due diligence process, the third party provides a previous audit
report on its IT system. Which of the following MUST be considered by the
organization in order for the audit reports to be acceptable?
A The audit assessment has been conducted by an independent
assessor.
29
The three PRIMARY requirements for a penetration test are
A A defined goal, limited time period, and approval of management
30
Which of the following encryption technologies has the ability to
function as a stream cipher?
A Cipher Feedback (CFB)
A stream cipher is a type of symmetric encryption that encrypts or decrypts
one bit or byte of plaintext or ciphertext at a time, using a keystream that is
derived from a secret key and an initialization vector. CFB is a mode of
operation that converts a block cipher, such as AES or DES, into a stream
cipher, by feeding the output of the block cipher back into its input, and
XORing it with the plaintext or ciphertext.
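CFB mode and the cleartext IV from question 21, as one added example that is not part of the original notes. It implements the CFB loop described above over a stand-in block cipher (a keyed SHA-256 PRF constructed for the demo, since CFB only ever calls the forward direction), prepends a fresh random IV in the clear, and shows the failure mode the random IV exists to prevent.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes of the (stand-in) block cipher


def block_encrypt(key, block):
    """Stand-in for the forward direction of a 128-bit block cipher such as
    AES: a keyed PRF built from SHA-256 (constructed for this demo, not a real
    cipher). CFB only ever calls the encryption direction, even to decrypt."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _cfb(key, iv, data, encrypting):
    """Shared CFB loop. The keystream for each block is the cipher output of
    the previous CIPHERTEXT block (the IV for the first one); bytes are XORed
    one at a time, so a trailing partial block needs no padding."""
    assert len(iv) == BLOCK, "IV must be one full block"
    register = iv
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, register)
        chunk = data[offset:offset + BLOCK]
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        # Feedback is always ciphertext: what we just produced when encrypting,
        # what we received when decrypting.
        register = result if encrypting else chunk
        out += result
    return bytes(out)


def cfb_encrypt(key, iv, plaintext):
    return _cfb(key, iv, plaintext, encrypting=True)


def cfb_decrypt(key, iv, ciphertext):
    return _cfb(key, iv, ciphertext, encrypting=False)


def seal(key, plaintext):
    """Pick a fresh random IV and send it in the clear ahead of the ciphertext:
    the receiver needs it, and it reveals nothing about key or message."""
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def unseal(key, message):
    iv, ciphertext = message[:BLOCK], message[BLOCK:]
    return cfb_decrypt(key, iv, ciphertext)


if __name__ == "__main__":
    key = b"constructed-key!"          # constructed 16-byte demo key
    msg = b"same plaintext, sent twice"
    first, second = seal(key, msg), seal(key, msg)
    print("different IV -> different ciphertext:", first != second)
    print("round trip ok:", unseal(key, first) == msg)
    # Reusing an IV is the failure mode: identical plaintexts become identical
    # ciphertexts, which is exactly what the random per-message IV prevents.
    iv = bytes(BLOCK)
    print("IV reuse leaks equality:",
          cfb_encrypt(key, iv, msg) == cfb_encrypt(key, iv, msg))
```

Because the keystream is XORed byte by byte, the ciphertext has exactly the plaintext's length and a shorter message encrypts to a prefix of the longer one's ciphertext under the same IV, which is the stream-cipher behaviour the answer refers to.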
31
An organization would like to ensure that all new users have a predefined
departmental access template applied upon creation. The
organization would also like additional access for users to be granted
on a per-project basis. What type of user access administration is BEST
suited to meet the organization's needs?
A Hybrid
Centralized: The access rights or permissions of the users or the roles are
controlled and managed by a single authority or entity, such as a central
server or a database, and are applied uniformly and consistently across the
system or the network.
Decentralized: The access rights or permissions of the users or the roles are
controlled and managed by multiple authorities or entities, such as local
servers or databases, and are applied differently and independently across
the system or the network.
Federated: The access rights or permissions of the users or the roles are
controlled and managed by different authorities or entities, such as different
organizations or domains, and are shared and exchanged across the system
or the network, using a common standard or protocol, such as SAML or
OAuth.
Hybrid: The access rights or permissions of the users or the roles are
controlled and managed by a combination of the above types, such as
centralized and decentralized, or federated and decentralized, and are
applied flexibly and adaptively across the system or the network.
32
Which of the following goals represents a modern shift in risk
management according to National Institute of Standards and
Technology (NIST)?
A Focus on operating environments that are changing, evolving, and full of
emerging threats
33
Which of the following questions can be answered using user and
group entitlement reporting?
D Where does a particular user have access within the network?
User and group entitlement reporting is a process of collecting and
analyzing the access rights and permissions of users and groups
across the network. It can help answer questions such as where does a
particular user have access within the network, what resources are
accessible by a particular group, and who has access to a particular
resource. User and group entitlement reporting can also help identify and
remediate excessive or inappropriate access rights, enforce the principle of
least privilege, and comply with security policies and regulations.
34
Which of the following is the BEST option to reduce the network attack
surface of a system?
C Disabling unnecessary ports and services
35
Which of the following MUST the administrator of a security information
and event management (SIEM) system ensure?
C All sources are synchronized with a common time reference.
36
Which of the following is the MOST effective practice in managing user
accounts when an employee is terminated?
A Implement processes for automated removal of access for terminated
employees
37
Which one of the following is the MOST important in designing a
biometric access system if it is essential that no one other than
authorized individuals are admitted?
A False Acceptance Rate (FAR)
FAR is the probability that a biometric system will incorrectly accept an
unauthorized user or reject an authorized user. FAR is a measure of the
security or accuracy of the biometric system, and it should be as low as
possible to prevent unauthorized access. False Rejection Rate (FRR),
Crossover Error Rate (CER), and Rejection Error Rate are not as important as
FAR, as they are related to the usability or convenience of the biometric
system, rather than the security.
38
Which of the following is an initial consideration when developing an
information security management system?
B Understand the value of the information assets
61
Refer to the information below to answer the question. A new employee is
given a laptop computer with full administrator access. This employee does
not have a personal computer at home and has a child that uses the
computer to send and receive e-mail, search the web, and use instant
messaging. The organization's Information Technology (IT) department
discovers that a peer-to-peer program has been installed on the computer
using the employee's access. Which of the following solutions would have
MOST likely detected the use of peer-to-peer programs when the
computer was connected to the office network?
B Intrusion Prevention System (IPS)
39
A new employee is given a laptop computer with full administrator access.
This employee does not have a personal computer at home and has a child
that uses the computer to send and receive e-mail, search the web, and use
instant messaging. The organization's Information Technology (IT)
department discovers that a peer-to-peer program has been installed on the
computer using the employee's access. Which of the following
documents explains the proper use of the organization's assets?
B Acceptable use policy
10
Refer to the information below to answer the question. A new employee is
given a laptop computer with full administrator access. This employee does
not have a personal computer at home and has a child that uses the
computer to send and receive e-mail, search the web, and use instant
messaging. The organization's Information Technology (IT) department
discovers that a peer-to-peer program has been installed on the computer
using the employee's access. Which of the following could have MOST
likely prevented the Peer-to-Peer (P2P) program from being
installed on the computer?
A Removing employee's full access to the computer
40
Which of the following is the BEST way to protect privileged accounts?
D Multi-factor authentication (MFA)
41
What is the BEST approach to anonymizing personally identifiable
information (PII) in a test environment?
A Randomizing data
42
Which of the following poses the GREATEST privacy risk to personally
identifiable information (PII) when disposing of an office printer or
copier?
C A hard disk drive (HDD) in the device could contain PII
44
Which type of access control includes a system that allows only users that
are type=managers and department=sales to access employee
records?
D Attribute-based access control (ABAC)
Attribute-based access control (ABAC) is a type of access control that
includes a system that allows only users that are type=managers and
department=sales to access employee records. ABAC is a flexible and
granular access control model that uses attributes to define access rules
and policies, and to make access decisions. Attributes are characteristics or
properties of entities, such as users, resources, actions, or environments.
For example, a user attribute can be the role, department, clearance, or
location of the user. A resource attribute can be the type, classification,
owner, or location of the resource. An action attribute can be the read,
write, execute, or delete operation on the resource. An environment
attribute can be the time, date, network address, or device of the access
request. ABAC evaluates the attributes of the subject (user), the object
(resource), the requested action, and the environment, and compares them
with the predefined rules and policies to grant or deny access.
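The evaluation described above, as an added example that is not part of the original notes: a small ABAC engine with subject, resource, action and environment attributes, a deny-overrides combining rule, and a constructed policy for the question's scenario (sales managers may read employee records, but only from managed devices and during office hours). All rule names and attribute keys are assumptions for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One access request: attributes of the subject, resource, requested
    action, and environment (all constructed names for this demo)."""
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    condition: object    # callable(Request) -> bool


def evaluate(rules, request):
    """Deny-overrides combining, as common ABAC engines do: any matching deny
    wins, otherwise the first matching permit wins, otherwise deny by default.
    Returns (decision, rule_name)."""
    permit_by = None
    for rule in rules:
        if not rule.condition(request):
            continue
        if rule.effect == "deny":
            return "deny", rule.name
        permit_by = permit_by or rule.name
    return ("permit", permit_by) if permit_by else ("deny", "default")


# Constructed policy for the question's scenario: employee records are
# readable only by sales managers, on managed devices, during office hours.
POLICY = [
    Rule("unmanaged-device", "deny",
         lambda r: r.resource.get("type") == "employee_record"
         and not r.environment.get("device_managed", False)),
    Rule("outside-office-hours", "deny",
         lambda r: r.resource.get("type") == "employee_record"
         and not 8 <= r.environment.get("hour", -1) < 18),
    Rule("sales-managers-read-employee-records", "permit",
         lambda r: r.subject.get("type") == "manager"
         and r.subject.get("department") == "sales"
         and r.resource.get("type") == "employee_record"
         and r.action == "read"),
]


def decide(subject, resource, action, environment):
    return evaluate(POLICY, Request(subject, resource, action, environment))


if __name__ == "__main__":
    manager = {"type": "manager", "department": "sales"}
    record = {"type": "employee_record"}
    ok = {"device_managed": True, "hour": 10}
    print(decide(manager, record, "read", ok))
    print(decide({"type": "manager", "department": "hr"}, record, "read", ok))
    print(decide(manager, record, "read", {"device_managed": True, "hour": 23}))
    print(decide(manager, record, "delete", ok))
```

Note that the last request is denied even though the subject's attributes match: no rule permits the "delete" action, and an ABAC engine should default to deny rather than fall through.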
45
An organization lacks a data retention policy. Of the following, who is
the BEST person to consult for such requirement?
C Privacy officer
Privacy officer is responsible for ensuring that the organization complies
with the applicable privacy laws, regulations, and standards. A data
retention policy defines the criteria and procedures for retaining, storing,
and disposing of data, especially personal data, in accordance with the legal
and business requirements.
46
Why do Certificate Authorities (CA) add value to the security of
electronic commerce transactions?
A They maintain the certificate revocation list
A certificate authority (CA) is a trusted third party that issues and manages
digital certificates for electronic commerce transactions. A digital certificate
is a data structure that binds a public key to an identity, such as a person,
organization, or device. A certificate revocation list (CRL) is a list of
certificates that have been revoked by the CA before their expiration date,
due to reasons such as compromise, loss, or theft. A CA adds value to the
security of electronic commerce transactions by maintaining the CRL and
distributing it to the transaction parties, so that they can verify the validity
and authenticity of the certificates and avoid using revoked ones.
47
How long should the records on a project be retained?
B Until they are no longer useful or required by policy
48
What is the best way for mutual authentication of devices belonging
to the same organization?
B Certificates
Mutual authentication is a process that involves verifying the identity and
the legitimacy of both parties involved in a communication or a transaction,
and ensuring that they are authorized and trusted to access or exchange
the information or the resources. Certificates are the digital documents that
contain the identity and the public key of a device, a user, or an entity, and
that are issued and signed by a trusted authority, such as a Certificate
Authority (CA). Certificates can be used for mutual authentication of devices
belonging to the same organization, as they can provide a secure and
reliable way of verifying and exchanging the public keys of the devices, and
of encrypting and decrypting the data or the messages that are transmitted
between the devices.
49
Which of the following initiates the systems recovery phase of a
disaster recovery plan?
B Activating the organization's hot site
The systems recovery phase is initiated by activating the organization's hot
site. A hot site is a fully equipped and operational alternative site that can
be used to resume the business functions within a short time after a
disaster. A hot site typically has the same hardware, software, network, and
data as the original site, and can be switched to quickly and seamlessly. A
hot site can ensure the continuity and availability of the organization's
systems and services during a disaster recovery situation.
50
Which of the following are important criteria when designing
procedures and acceptance criteria for acquired software?
A Code quality, security, and origin
Code quality refers to the degree to which the software meets the functional
and nonfunctional requirements, as well as the standards and best practices
for coding. Security refers to the degree to which the software protects the
confidentiality, integrity, and availability of the data and the system. Origin
refers to the source and ownership of the software, as well as the licensing
and warranty terms.
51 (875)
A large corporation is looking for a solution to automate access based on
where a request is coming from, who the user is, what device they
are connecting with, and what time of day they are attempting this
access. What type of solution would suit their needs?
D Network Access Control (NAC)
NAC is a solution that enables the enforcement of security policies and rules
on the network level, by controlling the access of devices and users to the
network resources. NAC can automate access based on various factors,
such as the location, identity, role, device type, device health, or time of the
request. NAC can also perform functions such as authentication,
authorization, auditing, remediation, or quarantine of the devices and users
that attempt to access the network.