Quiz Submissions - Pre-Course Assessment

Muhammad Rashid Sattar (username:

rashid.sattar@nr3c.gov.pk)
Attempt 1
Written: Dec 5, 2022 1:05 AM - Dec 5, 2022 2:34 AM
Submission View
Your quiz has been submitted successfully.
1 / 1 point
In risk management concepts, a(n) _________ is something a
security practitioner might need to protect. (D1, L1.2.1)
Question options:

A) Vulnerability

B) Asset

C) Threat

D) Likelihood

View
question
1
feedback
1 / 1 point
Triffid Corporation has a rule that all employees working with
sensitive hardcopy documents must put the documents into a
safe at the end of the workday, where they are locked up until
the following workday. What kind of control is the process of
putting the documents into the safe? (D1, L1.3.1)
Question options:

A) Administrative
 B) Tangential

C) Physical

D) Technical

View
question
2
feedback
1 / 1 point
Preenka works at an airport. There are red lines painted on
the ground next to the runway; Preenka has been instructed
that nobody can step or drive across a red line unless they
request, and get specific permission from, the control tower.
This is an example of a(n)______ control. (D1, L1.3.1)
Question options:

A) Physical

B) Administrative

C) Critical

D) Technical

View
question
3
feedback
1 / 1 point
Sophia is visiting Las Vegas and decides to put a bet on a
particular number on a roulette wheel. This is an example of
_________. (D1, L1.2.2)
Question options:
 A) Acceptance

B) Avoidance

C) Mitigation

D) Transference

View
question
4
feedback
1 / 1 point
The city of Grampon wants to ensure that all of its citizens are
protected from malware, so the city council creates a rule that
anyone caught creating and launching malware within the city
limits will receive a fine and go to jail. What kind of rule is
this? (D1, L1.4.1)
Question options:

A) Policy

B) Procedure

C) Standard

D) Law

View
question
5
feedback
0 / 1 point
The senior leadership of Triffid Corporation decides that the
best way to minimize liability for the company is to
demonstrate the company's commitment to adopting best
practices recognized throughout the industry. Triffid
management issues a document that explains that Triffid will
follow the best practices published by SANS, an industry body
that addresses computer and information security.

The Triffid document is a ______, and the SANS documents

are ________. (D1, L1.4.2)
Question options:

A) Law, policy

B) Policy, standard

C) Policy, law

D) Procedure, procedure

View
question
6
feedback
1 / 1 point
A software firewall is an application that runs on a device and
prevents specific types of traffic from entering that device.
This is a type of ________ control. (D1, L1.3.1)
Question options:

A) Physical

B) Administrative

C) Passive

D) Technical
View
question
7
feedback
1 / 1 point
Zarma is an (ISC)² member and a security analyst for Triffid
Corporation. One of Zarma's colleagues is interested in
getting an (ISC)2  certification and asks Zarma what the test
questions are like. What should Zarma do? (D1, L1.5.1)
Question options:

A) Inform (ISC)²

B) Explain the style and format of the questions, but no detail

C) Inform the colleague's supervisor

D) Nothing

View
question
8
feedback
1 / 1 point
A bollard is a post set securely in the ground in order to
prevent a vehicle from entering an area or driving past a
certain point. Bollards are an example of ______ controls. (D1,
L1.3.1)
Question options:

A) Physical

B) Administrative

C) Drastic
 D) Technical

View
question
9
feedback
1 / 1 point
Jengi is setting up security for a home network. Jengi decides
to configure MAC address filtering on the router, so that only
specific devices will be allowed to join the network. This is an
example of a(n)_______ control. (D1, L1.3.1)
Question options:

A) Physical

B) Administrative

C) Substantial

D) Technical

View
question
10
feedback
1 / 1 point
Phrenal is selling a used laptop in an online auction. Phrenal
has estimated the value of the laptop to be $100, but has
seen other laptops of similar type and quality sell for both
more and less than that amount. Phrenal hopes that the
laptop will sell for $100 or more, but is prepared to take less
for it if nobody bids that amount. This is an example of
___________. (D1, L1.2.2)
Question options:
 A) Risk tolerance

B) Risk inversion

C) Threat

D) Vulnerability

View
question
11
feedback
0 / 1 point
Olaf is a member of (ISC)² and a security analyst for Triffid
Corporation. During an audit, Olaf is asked whether Triffid is
currently following a particular security practice. Olaf knows
that Triffid is not adhering to that standard in that particular
situation, but that saying this to the auditors will reflect
poorly on Triffid. What should Olaf do? (D1, L1.5.1)
Question options:

A) Tell the auditors the truth

B) Ask supervisors for guidance

C) Ask (ISC)² for guidance

D) Lie to the auditors

View
question
12
feedback
1 / 1 point
(ISC)² publishes a Common Body of Knowledge (CBK) that IT
security practitioners should be familiar with; this is
recognized throughout the industry as a set of material that is
useful for practitioners to refer to. Certifications can be
issued for demonstrating expertise in this Common Body of
Knowledge. What kind of document is the Common Body of
Knowledge? (D1, L1.4.1)
Question options:

A) Policy

B) Procedure

C) Standard

D) Law

View
question
13
feedback
1 / 1 point
Grampon municipal code requires that all companies that
operate within city limits will have a set of processes to ensure
employees are safe while working with hazardous materials.
Triffid Corporation creates a checklist of activities employees
must follow while working with hazardous materials inside
Grampon city limits. The municipal code is a ______, and the
Triffid checklist is a ________. (D1, L1.4.2)
Question options:

A) Law, procedure

B) Standard, law
 C) Law, standard

D) Policy, law

View
question
14
feedback
1 / 1 point
Which of the following is an example of a "something you
know" authentication factor? (D1, L1.1.1)
Question options:

A) User ID

B) Password

C) Fingerprint

D) Iris scan

View
question
15
feedback
0 / 1 point
Within the organization, who can identify risk? (D1, L1.2.2)
Question options:

A) The security manager

B) Any security team member

C) Senior management
 D) Anyone

View
question
16
feedback
1 / 1 point
The Triffid Corporation publishes a strategic overview of the
company's intent to secure all the data the company
possesses. This document is signed by Triffid senior
management. What kind of document is this? (D1, L1.4.1)
Question options:

A) Policy

B) Procedure

C) Standard

D) Law

View
question
17
feedback
1 / 1 point
Hoshi is an (ISC)2  member who works for the Triffid
Corporation as a data manager. Triffid needs a new firewall
solution, and Hoshi is asked to recommend a product for
Triffid to acquire and implement. Hoshi's cousin works for a
firewall vendor; that vendor happens to make the best firewall
available. What should Hoshi do? (D1, L1.5.1)
Question options:

A) recommend a different vendor/product

 B) recommend the cousin's product

C) Hoshi should ask to be recused from the task

D) disclose the relationship, but recommend the vendor/product

View
question
18
feedback
1 / 1 point
Which of the following probably poses the most risk? (D1,
L1.2.1)
Question options:

A) A high-likelihood, high-impact event

B) A high-likelihood, low-impact event

C) A low-likelihood, high-impact event

D) A low-likelihood, low-impact event

View
question
19
feedback
0 / 1 point
Of the following, which would probably not be considered a
threat? (D1, L1.2.1)
Question options:

A) Natural disaster

B) Unintentional damage to the system caused by a user

 C) A laptop with sensitive data on it

D) An external attacker trying to gain unauthorized access to the environment

View
question
20
feedback
1 / 1 point
What is the goal of an incident response effort? (D2, L2.1.1)
Question options:

A) No incidents ever happen

B) Reduce the impact of incidents on operations

C) Punish wrongdoers

D) Save money

View
question
21
feedback
1 / 1 point
When should a business continuity plan (BCP) be activated?
(D2, L2.2.1)
Question options:

A) As soon as possible

B) At the very beginning of a disaster

C) When senior management decides

 D) When instructed to do so by regulators

View
question
22
feedback
0 / 1 point
Which of the following is likely to be included in the business
continuity plan? (D2, L2.2.1)
Question options:

A) Alternate work areas for personnel affected by a natural disaster

B) The organization's strategic security approach

C) Last year's budget information

D) Log data from all systems

View
question
23
feedback
1 / 1 point
What is the goal of Business Continuity efforts? (D2, L2.2.1)
Question options:

A) Save money

B) Impress customers

C) Ensure all IT systems continue to operate

D) Keep critical business functions operational

View
question
24
feedback
1 / 1 point
Who approves the incident response policy? (D2, L2.1.1)
Question options:

A) (ISC)²

B) Senior management

C) The security manager

D) Investors

View
question
25
feedback
0 / 1 point
Which of the following are not typically involved in incident
detection? (D2, L2.1.1)
Question options:

A) Users

B) Security analysts

C) Automated tools

D) Regulators

View
question
26
feedback
1 / 1 point
What is the risk associated with resuming full normal
operations too soon after a DR effort? (D2, L2.3.1)
Question options:

A) The danger posed by the disaster might still be present

B) Investors might be upset

C) Regulators might disapprove

D) The organization could save money

View
question
27
feedback
0 / 1 point
Larry and Fern both work in the data center. In order to enter
the data center to begin their workday, they must both
present their own keys (which are different) to the key reader,
before the door to the data center opens.

Which security concept is being applied in this situation? (D3,

L3.1.1)
Question options:

A) Defense in depth

B) Segregation of duties

C) Least privilege

D) Dual control
View
question
28
feedback
1 / 1 point
Which of the following is probably most useful at the
perimeter of a property? (D3, L3.2.1)
Question options:

A) A safe

B) A fence

C) A data center

D) A centralized log storage facility

View
question
29
feedback
1 / 1 point
Handel is a senior manager at Triffid, Inc., and is in charge of
implementing a new access control scheme for the company.
Handel wants to ensure that employees transferring from one
department to another, getting promoted, or cross-training to
new positions can get access to the different assets they'll
need for their new positions, in the most efficient manner.
Which method should Handel select? (D3, L3.3.1)
Question options:

A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

 C) Discretionary access controls (DAC)

D) Barbed wire

View
question
30
feedback
0 / 1 point
At Parvi's place of work, the perimeter of the property is
surrounded by a fence; there is a gate with a guard at the
entrance. All inner doors only admit personnel with badges,
and cameras monitor the hallways. Sensitive data and media
are kept in safes when not in use. (D3, L3.1.1)

This is an example of:

Question options:

A) Two-person integrity

B) Segregation of duties

C) Defense in depth

D) Penetration testing

View
question
31
feedback
1 / 1 point
 Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi
sometimes is required to install or remove software. Which of
the following could be used to describe Gelbi's account? (D3,
L3.1.1)
Question options:

A) Privileged

B) Internal

C) External

D) User

View
question
32
feedback
1 / 1 point
Trina is a security practitioner at Triffid, Inc. Trina has been
tasked with selecting a new product to serve as a security
control in the environment. After doing some research, Trina
selects a particular product. Before that product can be
purchased, a manager must review Trina's selection and
determine whether to approve the purchase. This is a
description of: (D3, L3.1.1)
Question options:

A) Two-person integrity

B) Segregation of duties

C) Software

D) Defense in depth

View
question
33
feedback
 0 / 1 point
Bruce is the branch manager of a bank. Bruce wants to
determine which personnel at the branch can get access to
systems, and under which conditions they can get access.
Which access control methodology would allow Bruce to make
this determination? (D3, L3.3.1)
Question options:

A) MAC (mandatory access control)

B) DAC (discretionary access control)

C) RBAC (role-based access control)

D) Defense-in-depth

View
question
34
feedback
1 / 1 point
A _____ is a record of something that has occurred. (D3,
L3.2.1)
Question options:

A) Biometric

B) Law

C) Log

D) Firewall

View
question
35
feedback
1 / 1 point
A human guard monitoring a hidden camera could be
considered a ______ control. (D3, L3.2.1)
Question options:

A) Detective

B) Preventive

C) Deterrent

D) Logical

View
question
36
feedback
1 / 1 point
Prina is a database manager. Prina is allowed to add new users
to the database, remove current users and create new usage
functions for the users. Prina is not allowed to read the data in
the fields of the database itself. This is an example of: (D3,
L3.3.1)
Question options:

A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

C) Discretionary access controls (DAC)

D) Alleviating threat access controls (ATAC)

View
question
37
feedback
1 / 1 point
Prachi works as a database administrator for Triffid, Inc.
Prachi is allowed to add or delete users, but is not allowed to
read or modify the data in the database itself. When Prachi
logs onto the system, an access control list (ACL) checks to
determine which permissions Prachi has.

In this situation, what is the ACL? (D3, L3.1.1)

Question options:

A) The subject

B) The object

C) The rule

D) The firmware

View
question
38
feedback
1 / 1 point
Suvid works at Triffid, Inc. When Suvid attempts to log in to
the production environment, a message appears stating that
Suvid has to reset the password. What may have occurred to
cause this?
Question options:

A) Suvid broke the law

 B) Suvid's password has expired

C) Suvid made the manager angry

D) Someone hacked Suvid's machine

View
question
39
feedback
0 / 1 point
Prachi works as a database administrator for Triffid, Inc.
Prachi is allowed to add or delete users, but is not allowed to
read or modify the data in the database itself. When Prachi
logs onto the system, an access control list (ACL) checks to
determine which permissions Prachi has.

In this situation, what is Prachi? (D3, L3.1.1)

Question options:

A) The subject

B) The rule

C) The file

D) The object

View
question
40
feedback
0 / 1 point
Handel is a senior manager at Triffid, Inc., and is in charge of
implementing a new access control scheme for the company.
Handel wants to ensure that operational managers have the
utmost personal choice in determining which employees get
access to which systems/data. Which method should Handel
select? (D3, L3.3.1)
Question options:

A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

C) Discretionary access controls (DAC)

D) Security policy

View
question
41
feedback
1 / 1 point
Guillermo logs onto a system and opens a document file. In
this example, Guillermo is: (D3, L3.1.1)
Question options:

A) The subject

B) The object

C) The process

D) The software

View
question
42
feedback
1 / 1 point
Handel is a senior manager at Triffid, Inc., and is in charge of
implementing a new access control scheme for the company.
Handel wants to ensure that employees who are assigned to
new positions in the company do not retain whatever access
they had in their old positions. Which method should Handel
select? (D3, L3.3.1)
Question options:

A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

C) Discretionary access controls (DAC)

D) Logging

View
question
43
feedback
0 / 1 point
Which of the following will have the most impact on
determining the duration of log retention? (D3, L3.2.1)
Question options:

A) Personal preference

B) Applicable laws

C) Industry standards

D) Type of storage media

View
question
44
feedback
1 / 1 point
Cyril wants to ensure all the devices on his company's internal
IT environment are properly synchronized. Which of the
following protocols would aid in this effort? (D4, L4.1.2)
Question options:

A) FTP (File Transfer Protocol)

B) NTP (Network Time Protocol)

C) SMTP (Simple Mail Transfer Protocol)

D) HTTP (Hypertext Transfer Protocol)

View
question
45
feedback
1 / 1 point
The logical address of a device connected to the network or
Internet. (D4.1 L4.1.1)
Question options:

A) Media access control (MAC) address

B) Internet Protocol (IP) address

C) Geophysical address

D) Terminal address

View
question
46
feedback
1 / 1 point
The common term for systems that ensure proper
temperature and humidity in the data center. (D4.3 L4.3.1)
Question options:

A) RBAC

B) HVAC

C) MAC

View
question
47
feedback
0 / 1 point
An IoT (Internet of Things) device is typified by its effect on or
use of the _____ environment. (D4.3 L4.3.3)
Question options:

A) Philosophical

B) Remote

C) Internal

D) Physical

View
question
48
feedback
1 / 1 point
Barry wants to upload a series of files to a web-based storage
service, so that people Barry has granted authorization can
retrieve these files. Which of the following would be Barry's
preferred communication protocol if he wanted this activity to
be efficient and secure? (D4, L4.1.2)
Question options:

A) SMTP (Simple Mail Transfer Protocol)

B) FTP (File Transfer Protocol)

C) SFTP (Secure File Transfer Protocol)

D) SNMP (Simple Network Management Protocol)

View
question
49
feedback
1 / 1 point
Which of the following would be best placed in the DMZ of an
IT environment? (D4.3 L4.3.3)
Question options:

A) User's workplace laptop

B) Mail server

C) Database engine

D) SIEM log storage

View
question
50
feedback
1 / 1 point
A tool that aggregates log data from multiple sources, and
typically analyzes it and reports potential threats. (D4.2
L4.2.2)
Question options:

A) HIDS

B) Anti-malware

C) Router

D) SIEM

View
question
51
feedback
1 / 1 point
Which type of fire-suppression system is typically the least
expensive?
(D4.3 L4.3.1)
Question options:

A) Water

B) Dirt

C) Oxygen-depletion

D) Gaseous

View
question
52
feedback
1 / 1 point
Which common cloud deployment model typically features
only a single customer's data/functionality stored on specific
systems/hardware? (D4.3 L4.3.2)
Question options:

A) Public

B) Private

C) Community

D) Hybrid

View
question
53
feedback
1 / 1 point
A device typically accessed by multiple users, often intended
for a single purpose, such as managing email or web pages.
(D4.1 L4.1.1)
Question options:

A) Router

B) Switch

C) Server

D) Laptop

View
question
54
feedback
1 / 1 point
Which common cloud service model offers the customer the
most control of the cloud environment? (D4.3 L4.3.2)
Question options:

A) Lunch as a service (LaaS)

B) Infrastructure as a service (IaaS)

C) Platform as a service (PaaS)

D) Software as a service (SaaS)

View
question
55
feedback
1 / 1 point
Which common cloud service model only offers the customer
access to a given application? (D4.3 L4.3.2)
Question options:

A) Lunch as a service (LaaS)

B) Infrastructure as a service (IaaS)

C) Platform as a service (PaaS)

D) Software as a service (SaaS)

View
question
56
feedback
1 / 1 point
Triffid, Inc., has deployed anti-malware solutions across its
internal IT environment. What is an additional task necessary
to ensure this control will function properly? (D4.2 L4.2.3)
Question options:

A) Pay all employees a bonus for allowing anti-malware solutions to be run on their systems

B) Update the anti-malware solution regularly

C) Install a monitoring solution to check the anti-malware solution

D) Alert the public that this protective measure has been taken

View
question
57
feedback
1 / 1 point
The concept that the deployment of multiple types of controls
provides better security than using a single type of
control. (D4.3 L4.3.3)
Question options:

A) VPN

B) Least privilege

C) Internet

D) Defense in depth

View
question
58
feedback
1 / 1 point
A device that filters network traffic in order to enhance overall
security/performance. (D4.1 L4.1.1)
Question options:

A) Endpoint

B) Laptop

C) MAC (media access control)

D) Firewall

View
question
59
feedback
1 / 1 point
Carol is browsing the Web. Which of the following ports is she
probably using? (D4, L4.1.2)
Question options:

A) 12

B) 80

C) 247

D) 999

View
question
60
feedback
1 / 1 point
Which of the following activities is usually part of the
configuration management process, but is also extremely
helpful in countering potential attacks? (D4.2 L4.2.3)
Question options:

A) Annual budgeting

B) Conferences with senior leadership

C) Updating and patching systems

D) The annual shareholders' meeting

View
question
61
feedback
1 / 1 point
Inbound traffic from an external source seems to indicate
much higher rates of communication than normal, to the point
where the internal systems might be overwhelmed. Which
security solution can often identify and potentially counter
this risk? (D4.2 L4.2.2)
Question options:

A) Firewall

B) Turnstile

C) Anti-malware

D) Badge system

View
question
62
feedback
0 / 1 point
Security controls on log data should reflect ________. (D5.1,
L5.1.2)
Question options:

A) The organization's commitment to customer service

B) The local culture where the log data is stored

C) The price of the storage device

D) The sensitivity of the source device

View
question
63
feedback
1 / 1 point
Archiving is typically done when _________. (D5.1, L5.1.1)
Question options:

A) Data is ready to be destroyed

B) Data has lost all value

C) Data is not needed for regular work purposes

D) Data has become illegal

View
question
64
feedback
1 / 1 point
Logs should be reviewed ______. (D5.1, L5.1.2)
Question options:

A) Every Thursday

B) Continually

C) Once per calendar year

D) Once per fiscal year

View
question
65
feedback
1 / 1 point
The organization should keep a copy of every signed
Acceptable Use Policy (AUP) on file, and issue a copy to
_______. (D5.3, L5.3.1)
Question options:

A) The user who signed it

B) The regulators overseeing that industry

C) Lawmakers

D) The Public Relations office

View
question
66
feedback
1 / 1 point
Which of the following is probably the main purpose of
configuration management? (D5.2, L5.2.1)
Question options:
 A) Keeping out intruders

B) Ensuring the organization adheres to privacy laws

C) Keeping secret material protected

D) Ensuring only authorized modifications are made to the IT environment

View
question
67
feedback
0 / 1 point
Security needs to be provided to ____ data. (D5.1, L5.1.1)
Question options:

A) Restricted

B) Illegal

C) Private

D) All

View
question
68
feedback
0 / 1 point
Triffid, Inc., wants to host streaming video files for the
company's remote users, but wants to ensure the data is
protected while it's streaming. Which of the following methods
are probably best for this purpose? (D5.1, L5.1.3)
Question options:
 A) Symmetric encryption

B) Hashing

C) Asymmetric encryption

D) VLANs

View
question
69
feedback
1 / 1 point
Data retention periods apply to ____ data. (D5.1, L5.1.1)
Question options:

A) Medical

B) Sensitive

C) All

D) Secret

View
question
70
feedback
1 / 1 point
If two people want to use symmetric encryption to conduct a
confidential conversation, how many keys do they
need? (D5.1, L5.1.3)
Question options:

A) 1
 B) 3

C) 8

D) none

View
question
71
feedback
0 / 1 point
Dieter wants to send a message to Lupa and wants to be sure
that Lupa knows the message has not been modified in
transit. What technique/tool could Dieter use to assist in this
effort? (D5.1, L5.1.3)
Question options:

A) Hashing

B) Clockwise rotation

C) Symmetric encryption

D) Asymmetric encryption

View
question
72
feedback
0 / 1 point
When Pritha started working for Triffid, Inc., Pritha had to sign
a policy that described how Pritha would be allowed to use
Triffid's IT equipment. What policy was this? (D5.3, L5.3.1)
Question options:
 A) The organizational security policy

B) The acceptable use policy (AUP)

C) The bring-your-own-device (BYOD) policy

D) The workplace attire policy

View
question
73
feedback
1 / 1 point
Hashing is often used to provide _______. (D5.1, L5.1.3)
Question options:

A) Confidentiality

B) Integrity

C) Availability

D) Value

View
question
74
feedback
1 / 1 point
Log data should be kept ______. (D5.1, L5.1.2)
Question options:

A) On the device that the log data was captured from

B) In an underground bunker
 C) In airtight containers

D) On a device other than where it was captured

View
question
75
feedback

74.67 %

74.67 %
Done