
 Question 1

2 out of 2 points
An organization’s _______________________ is a particular group of differently
skilled individuals who are responsible for attending to serious security
situations.
Selected Answer: incident response team (IRT)
Correct Answer: incident response team (IRT)
 Question 2
2 out of 2 points
It is important to conduct a nearly continuous evaluation of possible
______________ to guarantee that recovery estimates provided to
customers are accurate and maintain credibility with customers.
Selected Answer: downtimes
Correct Answer: downtimes
 Question 3
2 out of 2 points
___________________ are attacks that obtain access by means of remote
services, such as vendor networks, employee remote access tools, and
point-of-sale (POS) devices.
Selected Answer: Insecure remote access
Correct Answer: Insecure remote access
 Question 4
2 out of 2 points
While the amount of data known as mission-critical depends on the
organization and industry, such data should only represent less than
____________ percent of the data population.
Selected Answer: 15
Correct Answer: 15
 Question 5
2 out of 2 points
The ____________________ identifies the processes entailed in the business
continuity plan and/or the disaster recovery plan.
Selected Answer: disaster declaration policy
Correct Answer: disaster declaration policy
 Question 6
2 out of 2 points
The IRT report that is ultimately generated for executive management
must be certain to educate all stakeholders regarding exploited risks.
Which of the following items is not required to be addressed in the report?
Selected Answer: who detected the incident
Correct Answer: who detected the incident
 Question 7
2 out of 2 points
There are particular tools and techniques that the IRT utilizes to gather
forensic evidence, including ____________________, which articulates the
manner used to document and protect evidence.
Selected Answer: chain of custody
Correct Answer: chain of custody
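As an added illustration of what a chain-of-custody record documents and protects (example code, not part of the quiz or its textbook): a small Go program that hashes the evidence at acquisition, logs each handler and action in a hash-chained record, and verifies later that neither the evidence nor the log itself has been altered. The evidence bytes, handler names, timestamps and the item label EVD-0001 are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// CustodyEntry records one handling event for an item of evidence.
type CustodyEntry struct {
	When      time.Time
	Handler   string
	Action    string // "acquired", "transferred", "checked out", ...
	SHA256    string // hash of the evidence as it existed at this event
	PrevHash  string // EntryHash of the previous entry; links the log into a chain
	EntryHash string // hash over this entry's fields, so edits to the log are detectable
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// entryDigest hashes the entry's fields together with its predecessor's digest.
func entryDigest(e CustodyEntry) string {
	return hashBytes([]byte(e.When.UTC().Format(time.RFC3339) + "|" + e.Handler + "|" +
		e.Action + "|" + e.SHA256 + "|" + e.PrevHash))
}

// CustodyLog is the ordered record of who held the evidence and what they did with it.
type CustodyLog struct {
	Item    string
	Entries []CustodyEntry
}

// Record appends an event, hashing the evidence as it exists at that moment.
func (l *CustodyLog) Record(when time.Time, handler, action string, evidence []byte) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].EntryHash
	}
	e := CustodyEntry{When: when, Handler: handler, Action: action,
		SHA256: hashBytes(evidence), PrevHash: prev}
	e.EntryHash = entryDigest(e)
	l.Entries = append(l.Entries, e)
}

// Verify checks that the log's chain is intact, that no handler recorded a hash
// different from the acquisition hash, and that the evidence presented now still matches.
func (l *CustodyLog) Verify(evidence []byte) error {
	if len(l.Entries) == 0 {
		return fmt.Errorf("custody log for %s is empty", l.Item)
	}
	acquired := l.Entries[0].SHA256
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || entryDigest(e) != e.EntryHash {
			return fmt.Errorf("custody log entry %d (%s by %s) has been altered", i, e.Action, e.Handler)
		}
		if e.SHA256 != acquired {
			return fmt.Errorf("evidence hash changed at entry %d (%s by %s)", i, e.Action, e.Handler)
		}
		prev = e.EntryHash
	}
	if hashBytes(evidence) != acquired {
		return fmt.Errorf("evidence no longer matches acquisition hash %s", acquired)
	}
	return nil
}

func main() {
	// Constructed sample evidence and timeline; the item label is hypothetical.
	evidence := []byte("constructed sample evidence: auth.log excerpt, not a real capture")
	cl := &CustodyLog{Item: "EVD-0001"}
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)
	cl.Record(t0, "analyst-a", "acquired", evidence)
	cl.Record(t0.Add(2*time.Hour), "analyst-a", "transferred to evidence locker", evidence)
	cl.Record(t0.Add(26*time.Hour), "analyst-b", "checked out for analysis", evidence)
	fmt.Println("untouched evidence:", cl.Verify(evidence))

	tampered := append([]byte(nil), evidence...)
	tampered[0] ^= 0xff
	fmt.Println("modified evidence:", cl.Verify(tampered))

	cl.Entries[1].Handler = "someone-else" // an edit to the log itself is also caught
	fmt.Println("edited log:", cl.Verify(evidence))
}
```

In practice the acquisition hash is also written on the physical evidence form, and each entry would be signed by its handler; the hash chain here only makes silent edits to the electronic log detectable.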
 Question 8
2 out of 2 points
An important principle in information security is the concept of layers of
security, which is often referred to as layered security, or defense
in depth. Which of the following is not an example of a layer of security?
Selected Answer: a control standard
Correct Answer: a control standard
 Question 9
2 out of 2 points
Which of the following is not one of the policies concerned with LAN-to-WAN
filtering and connectivity?
Selected Answer: content-blocking tools configuration standard
Correct Answer: content-blocking tools configuration standard
 Question 10
2 out of 2 points
Depending on the organization, the control procedure of the Domain
Name System (DNS) might be built into the WAN standard. This standard
identifies the criteria for securing a domain name. Which of the following
is not one of the types of approvals that can be used to track domains?
Selected Answer: an explanation of the desired market or audience for which the Web site is intended
Correct Answer: an explanation of the desired market or audience for which the Web site is intended
 Question 11
2 out of 2 points
Which of the following statements is most accurate with respect to infrastructure
security, as demonstrated by the private sector?

Selected Answer: Even when an industry standard is applied, there is no way to predict there will be compatibility.
Correct Answer: Even when an industry standard is applied, there is no way to predict there will be compatibility.
 Question 12
2 out of 2 points
Which of the following statements illustrates the importance of the LAN-to-WAN domain
to an organization’s security?
Selected Answer: The WAN should never have a direct connection to the organization's private network without the traffic being heavily filtered and inspected.
Correct Answer: The WAN should never have a direct connection to the organization's private network without the traffic being heavily filtered and inspected.
 Question 13
2 out of 2 points
Organizations seek to create a coherent set of documents that are stable
and immune to the need for regular adjustments. However, the types of
policy documents can differ, depending on the organization. Which of the
following is not one of the reasons why these documents might vary from
one organization to the next?
Selected Answer: Organizations seldom have both baseline standards and control standards; it is more common to have one or the other.
Correct Answer: Organizations seldom have both baseline standards and control standards; it is more common to have one or the other.
 Question 14
2 out of 2 points
In workstation domain policies, _________________ provide the specific
technology requirements for each device. IT staff use recorded and
published procedures to apply these configurations to devices, ensuring
secure connectivity for remote devices as well as virus and
malware protection and patch management capability, among several
other related functions.
Selected Answer: baseline standards
Correct Answer: baseline standards
 Question 15
2 out of 2 points
It is important that LAN guidelines transfer technical knowledge and
experience by guiding an individual through core principles and varied
ways of considering risks. Which of the following guidelines documents
instructions on the intricacies and uses of wireless structures and types?
Selected Answer: Wi-Fi security guidelines
Correct Answer: Wi-Fi security guidelines
 Question 16
2 out of 2 points
One of the processes for establishing business requirements and raising
the level of privileges is to grant elevated rights on a temporary basis.
This process is called _________________.
Selected Answer: firecall-ID
Correct Answer: firecall-ID
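An added example of how a firecall-ID process can be enforced in code (example code, not from the quiz or its textbook): each grant needs a ticket and a separate approver, is capped at a policy maximum, expires on its own, can be revoked early when the incident closes, and every use or denial is written to an audit trail for later review. The user and role names, the ticket number INC-4711 and the timestamps are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is one temporary elevation tied to a business justification.
type Grant struct {
	User       string
	Role       string
	Ticket     string // change or incident record that justifies the elevation
	ApprovedBy string
	Expires    time.Time
	Revoked    bool
}

// FirecallStore holds active grants and an append-only audit trail.
type FirecallStore struct {
	MaxDuration time.Duration
	grants      []*Grant
	Audit       []string
}

var (
	ErrNoJustification = errors.New("firecall request needs a ticket and an approver")
	ErrSelfApproval    = errors.New("requester cannot approve their own firecall grant")
	ErrTooLong         = errors.New("requested duration exceeds the policy maximum")
)

func stamp(t time.Time) string { return t.UTC().Format(time.RFC3339) }

// Request issues a time-boxed grant; the requester may never be the approver.
func (s *FirecallStore) Request(now time.Time, user, role, ticket, approver string, d time.Duration) (*Grant, error) {
	switch {
	case ticket == "" || approver == "":
		return nil, ErrNoJustification
	case approver == user:
		return nil, ErrSelfApproval
	case d <= 0 || d > s.MaxDuration:
		return nil, ErrTooLong
	}
	g := &Grant{User: user, Role: role, Ticket: ticket, ApprovedBy: approver, Expires: now.Add(d)}
	s.grants = append(s.grants, g)
	s.Audit = append(s.Audit, fmt.Sprintf("%s GRANT %s->%s ticket=%s approver=%s until=%s",
		stamp(now), user, role, ticket, approver, stamp(g.Expires)))
	return g, nil
}

// Authorized is the check a privileged operation makes: the grant must exist,
// be unrevoked and not yet expired. Uses and denials are both logged.
func (s *FirecallStore) Authorized(now time.Time, user, role, action string) bool {
	for _, g := range s.grants {
		if g.User == user && g.Role == role && !g.Revoked && now.Before(g.Expires) {
			s.Audit = append(s.Audit, fmt.Sprintf("%s USE %s as %s: %s (ticket=%s)",
				stamp(now), user, role, action, g.Ticket))
			return true
		}
	}
	s.Audit = append(s.Audit, fmt.Sprintf("%s DENY %s as %s: %s", stamp(now), user, role, action))
	return false
}

// Revoke ends a grant early, for example when the incident is closed.
func (s *FirecallStore) Revoke(now time.Time, user, role string) {
	for _, g := range s.grants {
		if g.User == user && g.Role == role && !g.Revoked {
			g.Revoked = true
			s.Audit = append(s.Audit, fmt.Sprintf("%s REVOKE %s->%s", stamp(now), user, role))
		}
	}
}

func main() {
	store := &FirecallStore{MaxDuration: 4 * time.Hour}
	t0 := time.Date(2024, 3, 2, 22, 0, 0, 0, time.UTC)
	// Constructed scenario: an on-call DBA needs dba-admin rights for a production fix.
	_, err := store.Request(t0, "oncall-dba", "dba-admin", "INC-4711", "dba-manager", 2*time.Hour)
	fmt.Println("granted:", err == nil)
	fmt.Println("inside window:", store.Authorized(t0.Add(30*time.Minute), "oncall-dba", "dba-admin", "restore prod-db"))
	fmt.Println("after expiry:", store.Authorized(t0.Add(3*time.Hour), "oncall-dba", "dba-admin", "restore prod-db"))
	for _, line := range store.Audit {
		fmt.Println(line)
	}
}
```

The point of the expiry check living in Authorized rather than in a clean-up job is that a grant that nobody remembered to revoke still stops working on its own.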
 Question 17
2 out of 2 points
Consider this scenario: A company that buys a sizeable amount of
equipment for its manufacturing process needs to accurately report such
expenditures, so it calls upon the services of financial auditors. While
financial auditors might consider how robust the data might be, the
company might also involve IT auditors to examine the technology in
place to gather the data itself. What process is this company using to
address its concerns?
Selected Answer: integrated audit
Correct Answer: integrated audit
 Question 18
2 out of 2 points
One of the processes designed to eradicate maximum possible security
risks is to ________________, which limits access credentials to the minimum
required to conduct any activity and ensures that access is authenticated
to particular individuals.
Selected Answer: harden
Correct Answer: harden
 Question 19
2 out of 2 points
There are many ways that people can be manipulated to disclose
knowledge that can be used to jeopardize security. One of these ways is to
call someone under the false pretense of being from the IT department.
This is known as _________________________.
Selected Answer: pretexting
Correct Answer: pretexting
 Question 20
2 out of 2 points
Which of the following is not one of the types of control partners?
Selected Answer: software engineers
Correct Answer: software engineers
 Question 21
2 out of 2 points
Consider this scenario: After many years, an employee is promoted to a
position that has an elevated level of trust with his management. He
started with the company in an entry-level position, and then moved from
a supervisory to a managerial role. This role entails that the employee
trains other employees and has a deep understanding of how the
department functions. Which of the following actions should be taken in
regard to this employee’s levels of access during the span of time he has
worked for the company?
Selected Answer: This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.
Correct Answer: This employee should have prior access removed to ensure separation of duties and avoid future instances of security risk.
 Question 22
2 out of 2 points
It is important that ___________________ accounts have full and
unencumbered rights to restore data as well as to configure, install, repair,
and recover applications and networks.
Selected Answer: contingent
Correct Answer: contingent
 Question 23
2 out of 2 points
____________________ are instituted by the executive management and are
responsible for enforcing policies by reviewing technology activity and
greenlighting new projects and activities.
Selected Answer: Gateway committees
Correct Answer: Gateway committees
 Question 24
0 out of 2 points
It is important that partnership exists between the ___________________,
which needs to review the standing legislation that governs their business,
and the ____________________, which needs to review all recent or
significant policy changes.
Selected Answer: legal department, CISO
Correct Answer: information security team, legal department
 Question 25
0 out of 2 points
After management has created and agreed upon its policies, it must then
determine how these policies will be implemented. Which of the following
is not one of the processes that line management will follow in order to make
the new policies operational?
Selected Answer: It will apply the policies in an even and consistent manner.
Correct Answer: It will ensure that users with the most sensitive security access especially adhere to the policies.
 Question 26
0 out of 2 points
Consider this scenario: A health insurer in Oklahoma settled a class-action
lawsuit after having reported that one laptop was stolen in 2008; this
laptop contained personal data of more than 1.6 million customers. Based
on the fact that the laptop was not encrypted, and that employees were
lacking in security awareness training, which of the following statements
captures the root cause of this breach?
Selected Answer: The HIPAA regulations were unclear and difficult to implement.
Correct Answer: The thorough implementation of security policies was not something that the executive management prioritized.
 Question 27
2 out of 2 points
The information security organization performs a significant role in the
implementation of solutions that mitigate risk and of controls.
Because the security organization institutes the procedures and policies to
be executed, it occupies the role of ____________________.
Selected Answer: subject matter expert (SME)
Correct Answer: subject matter expert (SME)
 Question 28
2 out of 2 points
While there are many valid reasons to monitor users’ computer activities,
which of the following is an invalid reason?
Selected Answer: detecting whether employees are listening to music that is inappropriate for the workplace
Correct Answer: detecting whether employees are listening to music that is inappropriate for the workplace
 Question 29
2 out of 2 points
Which of the following committees is responsible for the review of
concepts, testing phases, and designs of new initiatives as well as
determining when a project can enter the production phase?
Selected Answer: the project committee
Correct Answer: the project committee
 Question 30
2 out of 2 points
Because risk management is both a governance process and a model that seeks
consistent improvement, there is a series of steps to be followed every time a new risk
emerges. Which of the following is not one of these steps?
Selected Answer: Identify the prior risks; it is not necessary to determine the cause.
Correct Answer: Identify the prior risks; it is not necessary to determine the cause.
 Question 31
0 out of 2 points
There must be security policies in place to set core standards and requirements when it
comes to encrypted data. Which of the following is not one of these standards and
requirements?
Selected Answer: Encryption keys must be located in isolation from encrypted data.
Correct Answer: Encryption keys must be located in the same server as the encrypted data.
 Question 32
2 out of 2 points
While it would not be possible to classify all data in an organization, there
has nonetheless been an increase in the amount of unstructured data
retained in recent years, which has included data and logs. There are
many different ways to make the time-consuming and expensive process
of retaining data less challenging. Which of the following is not one of these
approaches?
Selected Answer: Classify all forms of data no matter the risk to the organization.
Correct Answer: Classify all forms of data no matter the risk to the organization.
 Question 33
2 out of 2 points
A ______________________ is an apparatus for risk management that enables
the organization to comprehend its risks and how those risks might impact
the business.
Selected Answer: risk and control self-assessment (RCSA)
Correct Answer: risk and control self-assessment (RCSA)
 Question 34
2 out of 2 points
The National Security Information document EO 12356 explains the U.S.
military classification scheme of top secret, secret, confidential,
sensitive but unclassified, and unclassified. Which of the following data
can be reasonably expected to create serious damage to national security
in the event that it was subject to unauthorized disclosure?
Selected Answer: secret
Correct Answer: secret
 Question 35
2 out of 2 points
It is necessary to retain information for two significant reasons: legal
obligation and business needs. Data that occupies the class of
________________ is comprised of records that are required to support
operations; the data included might be customer and vendor records.
Selected Answer: business
Correct Answer: business
 Question 36
2 out of 2 points
Of the risk management strategies, _________________ refers to the act of
not engaging in actions that lead to risk, whereas
____________________ refers to acquiescence in regard to the risks of
particular actions as well as their potential results.
Selected Answer: risk avoidance, risk acceptance
Correct Answer: risk avoidance, risk acceptance
 Question 37
2 out of 2 points
A ________________________ is a string of data associated with a file that
provides added security, authentication, and nonrepudiation.
Selected Answer: digital signature
Correct Answer: digital signature
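An added example of what this definition means in practice (example code, not part of the quiz or its textbook), using Ed25519 from Go's standard library: the signature is a fixed 64-byte string kept beside the file rather than inside it, and verification succeeds only with the signer's public key and the unaltered contents, so a changed file and a different claimed signer both fail. That dependence on a private key only the signer holds is what gives non-repudiation. The signer names and file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Signer holds a key pair. Only the private key can produce signatures; anyone
// with the public key can verify them.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, Pub: pub}, nil
}

// SignFile returns the detached signature over the file contents. Ed25519 hashes
// the message internally, so the result is 64 bytes whatever the file size.
func (s *Signer) SignFile(contents []byte) []byte {
	return ed25519.Sign(s.priv, contents)
}

// VerifyFile is true only if sig was produced over exactly these contents by the
// holder of the private key matching pub.
func VerifyFile(pub ed25519.PublicKey, contents, sig []byte) bool {
	return ed25519.Verify(pub, contents, sig)
}

func main() {
	alice, err := NewSigner("alice")
	if err != nil {
		panic(err)
	}
	mallory, err := NewSigner("mallory")
	if err != nil {
		panic(err)
	}
	// Constructed sample file: an approval record that must not be altered after signing.
	file := []byte("constructed sample: approved change request CR-123\n")
	sig := alice.SignFile(file)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("original file, alice's key:", VerifyFile(alice.Pub, file, sig))

	altered := append([]byte(nil), file...)
	altered[len(altered)-2] = '4' // CR-123 becomes CR-124
	fmt.Println("altered file:", VerifyFile(alice.Pub, altered, sig))
	fmt.Println("mallory claimed as signer:", VerifyFile(mallory.Pub, file, sig))
}
```

What the example leaves out, and a real deployment cannot, is how a verifier learns that a given public key belongs to "alice" in the first place; that binding is what certificates or a signed key directory provide.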
 Question 38
2 out of 2 points
A security _____________ identifies a group of fundamental configurations
designed to accomplish particular security objectives.
Selected Answer: baseline
Correct Answer: baseline
 Question 39
2 out of 2 points
Even though SNMP is a part of the TCP/IP suite of protocols, it has
undergone a series of improvements since its first version. Which of the
following is not one of the improvements offered in version 3?
Selected Answer: HP SCAP Scanner by HP is now implemented, which enhances overall security.
Correct Answer: HP SCAP Scanner by HP is now implemented, which enhances overall security.
 Question 40
2 out of 2 points
One of the methods that an organization can use to determine compliance
is to perform _______________.
Selected Answer: random audits
Correct Answer: random audits
 Question 41
2 out of 2 points
A __________________________ is a term that refers to the original image that
is duplicated for deployment. Using this image saves time by eliminating
the need for repeated changes to configuration and tweaks to
performance.
Selected Answer: gold master
Correct Answer: gold master
 Question 42
2 out of 2 points
Because not all automated tools have the same functions, it is important
to run tests on their effectiveness before making a financial or resource
allocation investment. For example, if an organization is interested
in discovery, which of the following questions is important to ask?
Selected Answer: Can the system accurately locate systems on the network?
Correct Answer: Can the system accurately locate systems on the network?
 Question 43
2 out of 2 points
It can be challenging for personnel in organizations to accept when
significant changes are implemented. Consider this scenario: An
organization implements a baseline of security systems that has caused
certain applications that had previously worked well to suddenly fail.
Which of the following steps will require time, patience, and an
environment of cooperation that will best address the problem?
Selected Answer: The department could seek out an alternative method that doesn’t bypass the initial baseline settings and permits the application to work.
Correct Answer: The department could seek out an alternative method that doesn’t bypass the initial baseline settings and permits the application to work.
 Question 44
2 out of 2 points
A major defense corporation rolls out a campaign to manage persistent
threats to its infrastructure. The corporation decides to institute a
___________________ to identify and evaluate the knowledge gaps that can
be addressed through additional training for all employees, even
administrators and management.
Selected Answer: needs assessment
Correct Answer: needs assessment
 Question 45
2 out of 2 points
Of the many tools that can be used in training to connect with an
audience of employees, _______________ can inspire a sense of fun that
leads to community and commitment.
Selected Answer: humor
Correct Answer: humor
 Question 46
2 out of 2 points
In order to enhance the training experience and emphasize the core
security goals and mission, it is recommended that the executives
_______________________.
Selected Answer: video record a message from one of the leaders in a senior role to share with new employees
Correct Answer: video record a message from one of the leaders in a senior role to share with new employees
 Question 47
2 out of 2 points
The goal of employee awareness and training is to ensure that individuals
are equipped with the tools necessary for the implementation of security
policies. Which of the following is one of the other benefits of a
successfully enacted training and awareness program?
Selected Answer: instituting chances for employees to gather new skills, which can foster enhanced job satisfaction
Correct Answer: instituting chances for employees to gather new skills, which can foster enhanced job satisfaction
 Question 48
2 out of 2 points
The scope of security awareness training must be customized based on
the type of user assigned to each role in an organization. For instance, it is
important that ________________ receives training in basic security
requirements, regulatory and legal requirements, detailed policy review, and
reporting suspicious activity.
Selected Answer: middle management
Correct Answer: middle management
 Question 49
2 out of 2 points
While there are many ways that policy objectives and goals can be
described, some techniques are more effective than others for persuading
an organization to implement them. Which of the following is not one of
the effective techniques for persuading people to follow policy objectives
and goals?
Selected Answer: explaining the careful process of design and approval that went into creating the policies
Correct Answer: explaining the careful process of design and approval that went into creating the policies
 Question 50
2 out of 2 points
Many organizations have a(n) ________________________, which is comprised
of end user devices (including tablets, laptops, and smartphones) on a
shared network and that use distributed system software; this enables
these devices to function simultaneously, regardless of location.
Selected Answer: distributed infrastructure
Correct Answer: distributed infrastructure
