
Q999

When assessing the audit capability of an application, which of the following activities is MOST important?

A. Determine if audit records contain sufficient information.
B. Review security plan for actions to be taken in the event of audit failure.
C. Verify if sufficient storage is allocated for audit records.
D. Identify procedures to investigate suspicious activity.

Answer: C

Q1000
A web-based application known to be susceptible to attacks is now under review by a senior developer.
The organization would like to ensure this application is less susceptible to injection attacks specifically.
What strategy will work BEST for the organization's situation?

A. Do not store sensitive unencrypted data on the back end.
B. Whitelist input and encode or escape output before it is processed for rendering.
C. Limit privileged access or hard-coding logon credentials.
D. Store sensitive data in a buffer that retains data in operating system (OS) cache or memory.

Answer: B

Q1001
Management has decided that a core application will be used on personal cellular phones. As an
implementation requirement, regularly scheduled analysis of the security posture needs to be conducted.
Management has also directed that continuous monitoring be implemented. Which of the following is
required to accomplish management's directive?

A. Strict integration of application management, configuration management (CM), and phone management
B. Management application installed on user phones that tracks all application events and cellular traffic
C. Enterprise-level security information and event management (SIEM) dashboard that provides full
visibility of cellular phone activity
D. Routine reports generated by the user's cellular phone provider that detail security events

Answer: B

Q1002
What is the FIRST step prior to executing a test of an organisation's disaster recovery (DR) or business
continuity plan (BCP)?

A. Identify key stakeholders.
B. Develop recommendations for disaster scenarios.
C. Identify potential failure points.
D. Develop clear evaluation criteria.

Answer: D

Q1003
Which of the following security tools will ensure authorized data is sent to the application when
implementing a cloud-based application?

A. Host-based intrusion prevention system (HIPS)
B. Access control list (ACL)
C. File integrity monitoring (FIM)
D. Data loss prevention (DLP)

Answer: B

Q1004
Before implementing an internet-facing router, a network administrator ensures that the equipment is
baselined/hardened according to approved configurations and settings. This action provides protection
against which of the following attacks?

A. Blind spoofing
B. Media Access Control (MAC) flooding
C. SQL injection (SQLI)
D. Ransomware

Answer: B

Q1005
A cloud service provider requires its customer organizations to enable maximum audit logging for its data
storage service and to retain the logs for a period of three months. The audit logging generates an
extremely high volume of logs. What is the MOST appropriate strategy for the log retention?

A. Keep last week's logs in an online storage and the rest in a near-line storage.
B. Keep all logs in an online storage.
C. Keep all logs in an offline storage.
D. Keep last week's logs in an online storage and the rest in an offline storage.

Answer: D

Q1006
Which of the following is the MOST comprehensive Business Continuity (BC) test?

A. Full functional drill
B. Full table top
C. Full simulation
D. Full interruption

Answer: C

Q1007
The disaster recovery (DR) process should always include

A. plan maintenance.
B. periodic vendor review.
C. financial data analysis.
D. periodic inventory review.

Answer: A

Q1008
Which of the following BEST describes the purpose of software forensics?

A. To perform cyclic redundancy check (CRC) verification and detect changed applications
B. To review program code to determine the existence of backdoors
C. To analyze possible malicious intent of malware
D. To determine the author and behavior of the code

Answer: D

Q1009
The security architect has been assigned the responsibility of ensuring integrity of the organization's
electronic records. Which of the following methods provides the strongest level of integrity?

A. Time stamping
B. Encryption
C. Hashing
D. Digital signature

Answer: D

Q1010
An application is used for funds transfer between an organization and a third party. During a security
audit, an issue was found with the business continuity/disaster recovery policy and procedures for this application.
Which of the following reports should the audit file with the organization?

A. Service Organization Control (SOC) 1
B. Statement on Auditing Standards (SAS) 70
C. Service Organization Control (SOC) 2
D. Statement on Auditing Standards (SAS) 70-1

Answer: C

Q1011
An organization purchased commercial off-the-shelf (COTS) software several years ago. The
information technology (IT) Director has decided to migrate the application into the cloud, but is
concerned about the application security of the software in the organization's dedicated environment with
a cloud service provider. What is the BEST way to prevent and correct the software's security weal

A. Implement a dedicated COTS sandbox environment
B. Follow the software end-of-life schedule
C. Transfer the risk to the cloud service provider
D. Examine the software updating and patching process

Answer: A

Q1012
Which reporting type requires a service organization to describe its system and define its control
objectives and controls that are relevant to users' internal control over financial reporting?

A. Statement on Auditing Standards (SAS) 70
B. Service Organization Control 1 (SOC1)
C. Service Organization Control 2 (SOC2)
D. Service Organization Control 3 (SOC3)

Answer: B

Q1013
The Chief Information Security Officer (CISO) is concerned about business application availability. The
organization was recently subject to a ransomware attack that resulted in the unavailability of applications
and services for 10 working days that required paper-based running of all main business processes.
There are now aggressive plans to enhance the Recovery Time Objective (RTO) and cater for more
frequent data captures. Which of the following solutions should be implemented to fully comply with the new
business requirements?

A. Virtualization
B. Antivirus
C. Process isolation
D. Host-based intrusion prevention system (HIPS)

Answer: A

Q1014
Which of the following is the GREATEST risk of relying only on Capability Maturity Models (CMM) for
software to guide process improvement and assess capabilities of acquired software?

A. Organizations can only reach a maturity level 3 when using CMMs
B. CMMs do not explicitly address safety and security
C. CMMs can only be used for software developed in-house
D. CMMs are vendor specific and may be biased

Answer: B

Q1015
Which of the following should exist in order to perform a security audit?

A. Industry framework to audit against
B. External (third-party) auditor
C. Internal certified auditor
D. Neutrality of the auditor

Answer: D

Q1016
Which of the following encryption technologies has the ability to function as a stream cipher?

A. Cipher Feedback (CFB)
B. Feistel cipher
C. Cipher Block Chaining (CBC) with error propagation
D. Electronic Code Book (ECB)

Answer: A

Q1017
An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take
advantage of a victim's existing browser session with a web application is an example of which of the
following types of attack?

A. Cross-Site Scripting (XSS)
B. Cross-site request forgery (CSRF)
C. Injection
D. Click jacking

Answer: B

Q1018
Which of the following is the BEST method to identify security controls that should be implemented for a
web-based application while in development?

A. Application threat modeling
B. Secure software development
C. Agile software development
D. Penetration testing

Answer: A

Q1019
A security professional has reviewed a recent site assessment and has noted that a server room on the
second floor of a building has Heating, Ventilation, and Air Conditioning (HVAC) intakes on the ground
level that have ultraviolet light filters installed, Aero-K fire suppression in the server room, and pre-action
fire suppression on floors above the server room. Which of the following changes can the security
professional recommend to reduce risk associated with these conditions?

A. Remove the ultraviolet light filters on the HVAC intake and replace the fire suppression system on the
upper floors with a dry system.
B. Add additional ultraviolet light filters to the HVAC intake supply and return ducts and change server
room fire suppression to FM-200.
C. Apply additional physical security around the HVAC intakes and update upper floor fire suppression to
FM-200.
D. Elevate the HVAC intake by constructing a plenum or external shaft over it and convert the server
room fire suppression to a pre-action system.

Answer: C

Q1020
An organization is setting a security assessment scope with the goal of developing a Security
Management Program (SMP). The next step is to select an approach for conducting the risk assessment.
Which of the following approaches is MOST effective for the SMP?

A. Data driven risk assessment with a focus on data
B. Security controls driven assessment that focuses on controls management
C. Business processes based risk assessment with a focus on business goals
D. Asset driven risk assessment with a focus on the assets

Answer: A

Q1021
Which combination of cryptographic algorithms are compliant with Federal Information Processing
Standard (FIPS) Publication 140-2 for non-legacy systems?

A. Diffie-Hellman (DH) key exchange: DH (>=2048 bits)
   Symmetric key: Advanced Encryption Standard (AES) > 128 bits
   Digital signature: Rivest-Shamir-Adleman (RSA) (1024 bits)
B. Diffie-Hellman (DH) key exchange: DH (>=2048 bits)
   Symmetric key: Advanced Encryption Standard (AES) > 128 bits
   Digital signature: Digital Signature Algorithm (DSA) (>=2048 bits)
C. Diffie-Hellman (DH) key exchange: DH (<=1024 bits)
   Symmetric key: Blowfish
   Digital signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits)
D. Diffie-Hellman (DH) key exchange: DH (>=2048 bits)
   Symmetric key: Advanced Encryption Standard (AES) < 128 bits
   Digital signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)

Answer: C

Q1022
An international trading organization that holds an International Organization for Standardization (ISO)
27001 certification is seeking to outsource its security monitoring to a managed security service
provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that
need to be included in the outsourcing contract. Which of the following MUST be included in the contract?

A. A detailed overview of all equipment involved in the outsourcing contract
B. The MSSP having an executive manager responsible for information security
C. The right to perform security compliance tests on the MSSP's equipment
D. The right to audit the MSSP's security process

Answer: C

Q1023
Which of the following is the MOST effective measure for dealing with rootkit attacks?

A. Turning off unauthorized services and rebooting the system
B. Finding and replacing the altered binaries with legitimate ones
C. Restoring the system from the last backup
D. Reinstalling the system from trusted sources

Answer: D

Q1024
While classifying credit card data related to Payment Card Industry Data Security Standards (PCI-DSS),
which of the following is a PRIMARY security requirement?

A. Processor agreements with card holders
B. Three-year retention of data
C. Encryption of data
D. Specific card disposal methodology

Answer: C

Q1025
Write Once, Read Many (WORM) data storage devices are designed to BEST support which of the
following core security concepts?

A. Integrity
B. Scalability
C. Availability
D. Confidentiality

Answer: A

Q1026
What is the MOST important factor in establishing an effective Information Security Awareness Program?

A. Obtain management buy-in.
B. Conduct an annual security awareness event.
C. Mandate security training.
D. Hang information security posters on the walls.

Answer: C

Q1027
Which of the following events prompts a review of the disaster recovery plan (DRP)?

A. New members added to the steering committee
B. Completion of the security policy review
C. Change in senior management
D. Organizational merger

Answer: D

Q1028
An organization plans to acquire a commercial off-the-shelf (COTS) system to replace their aging home-
built reporting system. When should the organization's security team FIRST get involved in this
acquisition's life cycle?

A. When the system is being designed, purchased, programmed, developed, or otherwise constructed
B. When the system is verified and validated
C. When the system is deployed into production
D. When the need for a system is expressed and the purpose of the system is documented

Answer: D

Q1029
A developer begins employment with an information technology (IT) organization. On the first day, the
developer works through the list of assigned projects and finds that some files within those projects aren't
accessible. Other developers working on the same project have no trouble locating and working on the.
What is the MOST likely reason for the discrepancy in access?

A. The IT administrator had failed to grant the developer privileged access to the servers.
B. The project files were inadvertently deleted.
C. The new developer's computer had not been added to an access control list (ACL).
D. The new developer's user account was not associated with the right roles needed for the projects.

Answer: A

Q1030
Which of the following measures serves as the BEST means for protecting data on computers,
smartphones, and external storage devices when traveling to high-risk countries?

A. Review applicable destination country laws, forensically clean devices prior to travel, and only
download sensitive data over a virtual private network (VPN) upon arriving at the destination.
B. Keep laptops, external storage devices, and smartphones in the hotel room when not in use.
C. Leverage a Secure Socket Layer (SSL) connection over a virtual private network (VPN) to download
sensitive data upon arriving at the destination.
D. Use multi-factor authentication (MFA) to gain access to data stored on laptops or external storage
devices and biometric fingerprint access control mechanisms to unlock smartphones.

Answer: D

Q1031
Which of the following implementations will achieve high availability in a website?

A. Multiple Domain Name System (DNS) entries resolving to the same web server and large amounts of
bandwidth
B. Disk mirroring of the web server with redundant disk drives in a hardened data center
C. Disk striping of the web server hard drives and large amounts of bandwidth
D. Multiple geographically dispersed web servers that are configured for failover

Answer: D

Q1032
In which of the following phases of the software acquisition process does developing evaluation criteria
take place?

A. Follow-On
B. Planning
C. Contracting
D. Monitoring and Acceptance

Answer: D

Q1033
Security Software Development Life Cycle (SDLC) expects application code to be written in a consistent
manner to allow ease of auditing and which of the following?

A. Protecting
B. Executing
C. Copying
D. Enhancing

Answer: A

Q1034
In the common criteria, which of the following is a formal document that expresses an implementation-
independent set of security requirements?

A. Organizational Security Policy
B. Security Target (ST)
C. Protection Profile (PP)
D. Target of Evaluation (TOE)

Answer: C

Q1035
Which of the following is considered the FIRST step when designing an internal security control
assessment?

A. Create a plan based on recent vulnerability scans of the systems in question.
B. Create a plan based on comprehensive knowledge of known breaches.
C. Create a plan based on a recognized framework of known controls.
D. Create a plan based on reconnaissance of the organization's infrastructure.

Answer: D

Q1036
The Chief Executive Officer (CEO) wants to implement an internal audit of the company's information
security posture. The CEO wants to avoid any bias in the audit process and has therefore assigned the
Sales Director to conduct the audit. After significant interaction over a period of weeks, the audit concludes
that the company's policies and procedures are sufficient, robust and well established. The CEO then
moves on to engage an external penetration testing company in order to showcase the organization's
robust information security stance. This exercise reveals significant failings in several critical security
controls and shows that the incident response processes remain undocumented. What is the MOST likely
reason for this disparity in the results of the audit and the external penetration test?

A. The external penetration testing company used custom zero-day attacks that could not have been
predicted.
B. The information technology (IT) and governance teams have failed to disclose relevant information to
the internal audit team leading to an incomplete assessment being formulated.
C. The scope of the penetration test exercise and the internal audit were significantly different.
D. The audit team lacked the technical experience and training to make insightful and objective
assessments of the data provided to them.

Answer: C

Q1037
A small office is running WiFi 4 APs, and neighboring offices do not want to increase the throughput to
associated devices. Which of the following is the MOST cost-efficient way for the office to increase
network performance?

A. Add another AP.
B. Disable the 2.4GHz radios.
C. Enable channel bonding.
D. Upgrade to WiFi 5.

Answer: C

Q1038
An engineer notices some late collisions on a half-duplex link. The engineer verifies that the devices on
both ends of the connection are configured for half duplex. Which of the following is the MOST likely
cause of this issue?

A. The link is improperly terminated.
B. One of the devices is misconfigured.
C. The cable length is excessive.
D. One of the devices has a hardware issue.

Answer: A

Q1039
Which of the following VPN configurations should be used to separate Internet and corporate traffic?

A. Split-tunnel
B. Remote desktop gateway
C. Site-to-site
D. Out-of-band management

Answer: A

Q1040
A technician wants to install a WAP in the center of a room that provides service in a radius surrounding a
radio. Which of the following antenna types should the AP utilize?

A. Omni
B. Directional
C. Yagi
D. Parabolic

Answer: A

Q1041
To comply with industry requirements, a security assessment on the cloud server should identify which
protocols and weaknesses are being exposed to attackers on the Internet. Which of the following tools is
the MOST appropriate to complete the assessment?

A. Use tcpdump and parse the output file in a protocol analyzer.
B. Use an IP scanner and target the cloud WAN network addressing.
C. Run netstat in each cloud server and retrieve the running processes.
D. Use nmap and set the servers' public IPs as the targets.

Answer: D

Q1042
Which of the following uses the destination IP address to forward packets?

A. A bridge
B. A Layer 2 switch
C. A router
D. A repeater

Answer: C

Q1043
Which of the following would need to be configured to ensure a device with a specific MAC address is
always assigned the same IP address from DHCP?

A. Scope options
B. Reservation
C. Dynamic assignment
D. Exclusion
E. Static assignment

Answer: B

Q1044
Wireless users are reporting intermittent Internet connectivity. Connectivity is restored when the users
disconnect and reconnect, utilizing the web authentication process each time. The network administrator
can see the devices connected to the APs at all times. Which of the following steps will MOST likely
determine the cause of the issue?

A. Verify the session time-out configuration on the captive portal settings.
B. Check for encryption protocol mismatch on the client's wireless settings.
C. Confirm that a valid passphrase is being used during the web authentication.
D. Investigate for a client's disassociation caused by an evil twin AP.

Answer: A

Q1045
A fiber link connecting two campus networks is broken. Which of the following tools should an engineer
use to detect the exact break point of the fiber link?

A. OTDR
B. Tone generator
C. Fusion splicer
D. Cable tester
E. PoE injector

Answer: A

Q1046
Two remote offices need to be connected securely over an untrustworthy MAN. Each office needs to
access network shares at the other site. Which of the following will BEST provide this functionality?

A. Client-to-site VPN
B. Third-party VPN service
C. Site-to-site VPN
D. Split-tunnel VPN

Answer: C

Q1047
An IT technician suspects a break in one of the uplinks that provides connectivity to the core switch.
Which of the following command-line tools should the technician use to determine where the incident is
occurring?

A. nslookup
B. show config
C. netstat
D. show interface
E. show counters

Answer: D

Q1048
Which of the following needs to be tested to achieve a Cat 6a certification for a company's data cabling?

A. RJ11
B. LC ports
C. Patch panel
D. F-type connector

Answer: C

Q1049
A technician is troubleshooting a client's report about poor wireless performance. Using a client monitor,
the technician notes the following information:
Which of the following is MOST likely the cause of the issue?

A. Channel overlap
B. Poor signal
C. Incorrect power settings
D. Wrong antenna type

Answer: A

Q1050
Which of the following types of devices can provide content filtering and threat protection, and manage
multiple IPSec site-to-site connections?

A. Layer 3 switch
B. VPN headend
C. Next-generation firewall
D. Proxy server
E. Intrusion prevention

Answer: C

Q1051
A network administrator is designing a new datacenter in a different region that will need to communicate
to the old datacenter with a secure connection. Which of the following access methods would provide the
BEST security for this new datacenter?

A. Virtual network computing
B. Secure Socket Shell
C. In-band connection
D. Site-to-site VPN

Answer: D

Q1052
Which of the following types of datacenter architectures will MOST likely be used in a large SDN and can
be extended beyond the datacenter?

A. iSCSI
B. FCoE
C. Three-tiered network
D. Spine and leaf
E. Top-of-rack switching

Answer: B

Q1053
At the destination host, which of the following OSI model layers will discard a segment with a bad
checksum in the UDP header?

A. Network
B. Data link
C. Transport
D. Session

Answer: C

Q1054
A network administrator is configuring a database server and would like to ensure the database engine is
listening on a certain port. Which of the following commands should the administrator use to accomplish
this goal?

A. nslookup
B. netstat -a
C. ipconfig /a
D. arp -a

Answer: B

Q1055
Which of the following routing protocols is used to exchange route information between public
autonomous systems?

A. OSPF
B. BGP
C. EIGRP
D. RIP

Answer: B

Q1056
Where can the Open Web Application Security Project (OWASP) list of associated vulnerabilities be
found?

A. OWASP Top 10 Project
B. OWASP Software Assurance Maturity Model (SAMM) Project
C. OWASP Guide Project
D. OWASP Mobile Project

Answer: A

Q1057
What is the BEST approach to anonymizing personally identifiable information (PII) in a test environment?

A. Randomizing data
B. Swapping data
C. Encrypting data
D. Encoding data

Answer: C

Q1058
A customer continues to experience attacks on their email, web, and File Transfer Protocol (FTP) servers.
These attacks are impacting their business operations. Which of the following is the BEST
recommendation to make?

A. Configure an intrusion detection system (IDS).
B. Create a demilitarized zone (DMZ).
C. Deploy a bastion host.
D. Set up a network firewall.

Answer: C

Q1059
Which security feature fully encrypts code and data as it passes to the servers and only decrypts below
the hypervisor layer?

A. File-system level encryption
B. Transport Layer Security (TLS)
C. Key management service
D. Trusted execution environments

Answer: D

Q1060
Which of the following techniques evaluates the secure design principles of network or software
architectures?

A. Threat modeling
B. Risk modeling
C. Waterfall method
D. Fuzzing

Answer: A

Q1061
Which of the following is security control volatility?

A. A reference to the stability of the security control.
B. A reference to how unpredictable the security control is.
C. A reference to the impact of the security control.
D. A reference to the likelihood of change in the security control.

Answer: D

Q1062
When performing an investigation with the potential for legal action, what should be the analyst's FIRST
consideration?

A. Chain-of-custody
B. Authorization to collect
C. Court admissibility
D. Data decryption

Answer: A

Q1063
Which of the following does the security design process ensure within the System Development Life
Cycle (SDLC)?

A. Proper security controls, security goals, and fault mitigation are properly conducted.
B. Proper security controls, security objectives, and security goals are properly initiated.
C. Security goals, proper security controls, and validation are properly initiated.
D. Security objectives, security goals, and system test are properly conducted.

Answer: B

Q1064
An organization needs a general purpose document to prove that its internal controls properly address
security, availability, processing integrity, confidentiality or privacy risks. Which of the following reports is
required?

A. A Service Organization Control (SOC) 3 report
B. The Statement on Standards for Attestation Engagements No. 18 (SSAE 18)
C. A Service Organization Control (SOC) 2 report
D. The International Organization for Standardization (ISO) 27001

Answer: C

Q1065
What is the BEST design for securing physical perimeter protection?

A. Crime Prevention through Environmental Design (CPTED)
B. Barriers, fences, gates, and walls
C. Business continuity planning (BCP)
D. Closed-circuit television (CCTV)

Answer: B

Q1066
Two computers, each with a single connection on the same physical 10 gigabit Ethernet network
segment, need to communicate with each other. The first machine has a single Internet Protocol (IP)
Classless Inter-Domain Routing (CIDR) address of 192.168.1.3/30 and the second machine has an
IP/CIDR address 192.168.1.6/30. Which of the following is correct?

A. Since each computer is on a different layer 3 network, traffic between the computers must be
processed by a network bridge in order to communicate.
B. Since each computer is on the same layer 3 network, traffic between the computers may be processed
by a network bridge in order to communicate.
C. Since each computer is on the same layer 3 network, traffic between the computers may be processed
by a network router in order to communicate.
D. Since each computer is on a different layer 3 network, traffic between the computers must be
processed by a network router in order to communicate.

Answer: B

Q1067
The security team is notified that a device on the network is infected with malware. Which of the following
is MOST effective in enabling the device to be quickly located and remediated?

A. Data loss protection (DLP)
B. Intrusion detection
C. Vulnerability scanner
D. Information Technology Asset Management (ITAM)

Answer: D

Q1068
A corporation does not have a formal data destruction policy. During which phase of a criminal legal
proceeding will this have the MOST impact?

A. Arraignment
B. Trial
C. Sentencing
D. Discovery

Answer: D

Q1069
Which of the following is the MOST common use of the Online Certificate Status Protocol (OCSP)?

A. To obtain the expiration date of an X.509 digital certificate
B. To obtain the revocation status of an X.509 digital certificate
C. To obtain the author name of an X.509 digital certificate
D. To verify the validity of an X.509 digital certificate

Answer: D

Q1070
Why would a system be structured to isolate different classes of information from one another and
segregate them by user jurisdiction?

A. The organization can avoid e-discovery processes in the event of litigation.
B. The organization's infrastructure is clearly arranged and scope of responsibility is simplified.
C. The organization can vary its system policies to comply with conflicting national laws.
D. The organization is required to provide different services to various third-party organizations.

Answer: C

Q1071
A security professional needs to find a secure and efficient method of encrypting data on an endpoint.
Which solution includes a root key?

A. Bitlocker
B. Trusted Platform Module (TPM)
C. Virtual storage array network (VSAN)
D. Hardware security module (HSM)

Answer: D

Q1072
What method could be used to prevent passive attacks against secure voice communications between an
organization and its vendor?

A. Encryption in transit
B. Configure a virtual private network (VPN)
C. Configure a dedicated connection
D. Encryption at rest

Answer: A

Q1073
What is the MOST effective response to a hacker who has already gained access to a network and will
attempt to pivot to other resources?

A. Reset all passwords.
B. Shut down the network.
C. Warn users of a breach.
D. Segment the network.

Answer: D

Q1074
A Chief Information Officer (CIO) has delegated responsibility of their system security to the head of the
information technology (IT) department. While corporate policy dictates that only the CIO can make
decisions on the level of data protection required, technical implementation decisions are done by the
head of the IT department. Which of the following BEST describes the security role filled by the head of
the IT department?

A. System analyst
B. System security officer
C. System processor
D. System custodian

Answer: D

Q1075
Which of the following is a term used to describe maintaining ongoing awareness of information security,
vulnerabilities, and threats to support organizational risk management decisions?

A. Information Security Management System (ISMS)
B. Information Sharing & Analysis Centers (ISAC)
C. Risk Management Framework (RMF)
D. Information Security Continuous Monitoring (ISCM)

Answer: D

Q1076
Which of the following is a secure design principle for a new product?

A. Build in appropriate levels of fault tolerance.
B. Utilize obfuscation whenever possible.
C. Do not rely on previously used code.
D. Restrict the use of modularization.

Answer: A

Q1077
An application developer receives a report back from the security team showing their automated tools
were able to successfully enter unexpected data into the organization's customer service portal, causing
the site to crash. This is an example of which type of testing?

A. Non-functional
B. Positive
C. Performance
D. Negative

Answer: D

Q1078
An organization has determined that its previous waterfall approach to software development is not
keeping pace with business demands. To adapt to the rapid changes required for product delivery, the
organization has decided to move towards an Agile software development and release cycle. In order to
ensure the success of the Agile methodology, who is MOST critical in creating acceptance tests or
acceptance criteria for each release?

A. Project managers
B. Software developers
C. Independent testers
D. Business customers

Answer: D

Q1079
A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting
their medical records from a web portal?

A. Use limitation
B. Individual participation
C. Purpose specification
D. Collection limitation

Answer: D

Q1080
When designing a new Voice over Internet Protocol (VoIP) network, an organization's top concern is
preventing unauthorized users accessing the VoIP network. Which of the following will BEST help secure
the VoIP network?

A. Transport Layer Security (TLS)
B. 802.1x
C. 802.11g
D. Web application firewall (WAF)

Answer: A

Q1081
What is the PRIMARY objective of the post-incident phase of the incident response process in the
security operations center (SOC)?

A. Improve the IR process.
B. Communicate the IR details to the stakeholders.
C. Validate the integrity of the IR.
D. Finalize the IR.

Answer: A

Q1082
An international organization has decided to use a Software as a Service (SaaS) solution to support its
business operations. Which of the following compliance standards should the organization use to assess
the international code security and data privacy of the solution?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Service Organization Control (SOC) 2
C. Payment Card Industry (PCI)
D. Information Assurance Technical Framework (IATF)

Answer: B

Q1083
Which of the following actions should be undertaken prior to deciding on a physical baseline Protection
Profile (PP)?

A. Check the technical design.
B. Conduct a site survey.
C. Categorize assets.
D. Choose a suitable location.

Answer: A

Q1084
A criminal organization is planning an attack on a government network. Which of the following scenarios
presents the HIGHEST risk to the organization?

A. Network is flooded with communication traffic by the attacker.
B. Organization loses control of their network devices.
C. Network management communications is disrupted.
D. Attacker accesses sensitive information regarding the network topology.

Answer: B

Q1085
A Certified Information Systems Security Professional (CISSP) with identity and access management
(IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to perform a vulnerability
assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never
performed this before. According to the (ISC)² Code of Professional Ethics, which of the following should
the CISSP do?

A. Review the CISSP guidelines for performing a vulnerability assessment before proceeding to complete
it
B. Review the PCI requirements before performing the vulnerability assessment
C. Inform the CISO that they are unable to perform the task because they should render only those
services for which they are fully competent and qualified
D. Since they are CISSP certified, they have enough knowledge to assist with the request, but will need
assistance in order to complete it in a timely manner

Answer: C

Q1086
A large organization's human resources and security teams are planning on implementing technology to
eliminate manual user access reviews and improve compliance. Which of the following options is MOST
likely to resolve the issues associated with user access?

A. Implement a role-based access control (RBAC) system.
B. Implement identity and access management (IAM) platform.
C. Implement a Privileged Access Management (PAM) system.
D. Implement a single sign-on (SSO) platform.

Answer: B

Q1087
A healthcare insurance organization chose a vendor to develop a software application. Upon review of the
draft contract, the information security professional notices that software security is not addressed. What
is the BEST approach to address the issue?

A. Update the service level agreement (SLA) to provide the organization the right to audit the vendor.
B. Update the service level agreement (SLA) to require the vendor to provide security capabilities.
C. Update the contract so that the vendor is obligated to provide security capabilities.
D. Update the contract to require the vendor to perform security code reviews.

Answer: C

Q1088
Which of the following is MOST important to follow when developing information security controls for an
organization?

A. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
B. Perform a risk assessment and choose a standard that addresses existing gaps.
C. Use industry standard best practices for security controls in the organization.
D. Review all local and international standards and choose the most stringent based on location.

Answer: C

Q1089
Which of the following is the MAIN difference between a network-based firewall and a host-based
firewall?

A. A network-based firewall is stateful, while a host-based firewall is stateless.
B. A network-based firewall controls traffic passing through the device, while a host-based firewall controls
traffic destined for the device.
C. A network-based firewall verifies network traffic, while a host-based firewall verifies processes and
applications.
D. A network-based firewall blocks network intrusions, while a host-based firewall blocks malware.

Answer: B

Q1090
Which of the following system components enforces access controls on an object?

A. Security perimeter
B. Access control matrix
C. Trusted domain
D. Reference monitor

Answer: B

Q1091
Building blocks for software-defined networks (SDN) require which of the following?

A. The SDN is mostly composed of virtual machines (VM).
B. The SDN is composed entirely of client-server pairs.
C. Virtual memory is used in preference to random-access memory (RAM).
D. Random-access memory (RAM) is used in preference to virtual memory.

Answer: C

Q1092
An organization outgrew its internal data center and is evaluating third-party hosting facilities. In this
evaluation, which of the following is a PRIMARY factor for selection?

A. Facility provides an acceptable level of risk
B. Facility provides disaster recovery (DR) services
C. Facility provides the most cost-effective solution
D. Facility has physical access protection measures

Answer: C

Q1093
A company is planning to implement a private cloud infrastructure. Which of the following
recommendations will support the move to a cloud infrastructure?

A. Implement a virtual local area network (VLAN) for each department and create a separate subnet for
each VLAN.
B. Implement software-defined networking (SDN) to provide the ability for the network infrastructure to be
integrated with the control and data planes.
C. Implement a virtual local area network (VLAN) to logically separate the local area network (LAN) from
the physical switches.
D. Implement software-defined networking (SDN) to provide the ability to apply high-level policies to
shape and reorder network traffic based on users, devices and applications.

Answer: D

Q1094
While performing a security review for a new product, an information security professional discovers that
the organization's product development team is proposing to collect government-issued identification (ID)
numbers from customers to use as unique customer identifiers. Which of the following recommendations
should be made to the product development team?

A. Customer identifiers should be a variant of the user's government-issued ID number.
B. Customer identifiers that do not resemble the user's government-issued ID number should be used.
C. Customer identifiers should be a cryptographic hash of the user's government-issued ID number.
D. Customer identifiers should be a variant of the user's name, for example, "jdoe" or "john.doe."

Answer: C

Q1095
Which of the following is performed to determine a measure of success of a security awareness training
program designed to prevent social engineering attacks?

A. Employee evaluation of the training program
B. Internal assessment of the training program's effectiveness
C. Multiple choice tests to participants
D. Management control of reviews

Answer: B

Q1096
What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-
performance data reads and writes?

A. RAID-0
B. RAID-1
C. RAID-5
D. RAID-6

Answer: A

Q1097
A retail company is looking to start a development project that will utilize open source components in its
code for the first time. The development team has already acquired several open source components
and utilized them in proof of concept (POC) code. The team recognizes that the legal and operational
risks are outweighed by the benefits of open-source software use. What MUST the organization do next?

A. Mandate that all open-source components be approved by the Information Security Manager (ISM).
B. Scan all open-source components for security vulnerabilities.
C. Establish an open-source compliance policy.
D. Require commercial support for all open-source components.

Answer: C

Q1098
Upon commencement of an audit within an organization, which of the following actions is MOST
important for the auditor(s) to take?

A. Understand circumstances which may delay the overall audit timelines.
B. Review all prior audit results to remove all areas of potential concern from the audit scope.
C. Meet with stakeholders to review methodology, people to be interviewed, and audit scope.
D. Meet with stakeholders to understand which types of audits have been completed.

Answer: C

Q1099
An organization is planning a penetration test that simulates the malicious actions of a former network
administrator. What kind of penetration test is needed?

A. Functional test
B. Unit test
C. Grey box
D. White box

Answer: C

Q1100
An organization has discovered that organizational data is posted by employees to data storage
accessible to the general public. What is the PRIMARY step an organization must take to ensure data is
properly protected from public release?

A. Implement a data classification policy.
B. Implement a data encryption policy.
C. Implement a user training policy.
D. Implement a user reporting policy.

Answer: C

Q1101
What is the PRIMARY reason that a bit-level copy is more desirable than a file-level copy when
replicating a hard drive's contents for an e-discovery investigation?

A. Files that have been deleted will be transferred.
B. The file and directory structure is retained.
C. File-level security settings will be preserved.
D. The corruption of files is less likely.

Answer: A

Q1102
While reviewing the financial reporting risks of a third-party application, which of the following Service
Organization Control (SOC) reports will be the MOST useful?

A. SOC 1
B. SOC 2
C. SOC 3
D. SOC for cybersecurity

Answer: A

Q1103
A large manufacturing organization arranges to buy an industrial machine system to produce a new line of
products. The system includes software provided to the vendor by a third-party organization. The financial
risk to the manufacturing organization starting production is high. What step should the manufacturing
organization take to minimize its financial risk in the new venture prior to the purchase?

A. Hire a performance tester to execute offline tests on a system.
B. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and
compare that to the system's overall price.
C. Place the machine behind a Layer 3 firewall.
D. Require that the software be thoroughly tested by an accredited independent software testing
company.

Answer: B

Q1104
Which of the following types of hosts should be operating in the demilitarized zone (DMZ)?

A. Hosts intended to provide limited access to public resources
B. Database servers that can provide useful information to the public
C. Hosts that store unimportant data such as demographical information
D. File servers containing organizational data

Answer: A

Q1105
In systems security engineering, what does the security principle of modularity provide?

A. Documentation of functions
B. Isolated functions and data
C. Secure distribution of programs and data
D. Minimal access to perform a function

Answer: A

Q1106
Which of the following is MOST appropriate to collect evidence of a zero-day attack?

A. Firewall
B. Honeypot
C. Antispam
D. Antivirus

Answer: A

Q1107
Which of the following is required to verify the authenticity of a digitally signed document?

A. Digital hash of the signed document
B. Sender's private key
C. Recipient's public key
D. Agreed upon shared secret

Answer: A

Q1108
Which of the following is the BEST method to gather evidence from a computer's hard drive?

A. Disk duplication
B. Disk replacement
C. Forensic signature
D. Forensic imaging

Answer: D

Q1109
Who should perform the design review to uncover security design flaws as part of the Software
Development Life Cycle (SDLC)?

A. The business owner
B. A security subject matter expert (SME)
C. The application owner
D. A developer subject matter expert (SME)

Answer: B

Q1110
During a penetration test, what are the three PRIMARY objectives of the planning phase?

A. Determine testing goals, identify rules of engagement, and conduct an initial discovery scan.
B. Finalize management approval, determine testing goals, and gather port and service information.
C. Identify rules of engagement, finalize management approval, and determine testing goals.
D. Identify rules of engagement, document management approval, and collect system and application
information.

Answer: D

Q1111
What term is commonly used to describe hardware and software assets that are stored in a configuration
management database (CMDB)?

A. Configuration element
B. Asset register
C. Ledger item
D. Configuration item

Answer: D

Q1112
Which of the following Disaster recovery (DR) testing processes is LEAST likely to disrupt normal
business operations?

A. Parallel
B. Simulation
C. Table-top
D. Cut-over

Answer: C

Q1113
The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM)
allows organizations to implement a flexible software security strategy to measure organizational impact
based on what risk management aspect?

A. Risk tolerance
B. Risk exception
C. Risk treatment
D. Risk response

Answer: D

Q1114
The security architect is designing and implementing an internal certification authority to generate digital
certificates for all employees. Which of the following is the BEST solution to securely store the private
keys?

A. Physically secured storage device
B. Encrypted flash drive
C. Public key infrastructure (PKI)
D. Trusted Platform Module (TPM)

Answer: C

Q1115
Which of the following is a common risk with fiber optical communications, and what is the associated
mitigation measure?

A. Data emanation, deploying Category (CAT) 6 and higher cable wherever feasible
B. Light leakage, deploying shielded cable wherever feasible
C. Cable damage, deploying ring architecture wherever feasible
D. Electronic eavesdropping, deploying end-to-end encryption wherever feasible

Answer: B

Q1116
During an internal audit of an organizational Information Security Management System (ISMS),
nonconformities are identified. In which of the following management stages are nonconformities
reviewed, assessed and/or corrected by the organization?

A. Planning
B. Operation
C. Assessment
D. Improvement

Answer: B

Q1117
What is the BEST reason to include supply chain risks in a corporate risk register?

A. Risk registers help fund corporate supply chain risk management (SCRM) systems.
B. Risk registers classify and categorize risk and allow risks to be compared to corporate risk appetite.
C. Risk registers can be used to illustrate residual risk across the company.
D. Risk registers allow for the transfer of risk to third parties.

Answer: B

Q1118
An employee's home address should be categorized according to which of the following references?

A. The consent form terms and conditions signed by employees
B. The organization's data classification model
C. Existing employee data classifications
D. An organization security plan for human resources

Answer: B

Q1119
Why is authentication by ownership stronger than authentication by knowledge?

A. It is easier to change.
B. It can be kept on the user's person.
C. It is more difficult to duplicate.
D. It is simpler to control.

Answer: B

Q1120
A network security engineer needs to ensure that a security solution analyzes traffic for protocol
manipulation and various sorts of common attacks. In addition, all Uniform Resource Locator (URL) traffic
must be inspected and users prevented from browsing inappropriate websites. Which of the following
solutions should be implemented to enable administrators the capability to analyze traffic, blacklist
external sites, and log user traffic for later analysis?

A. Intrusion detection system (IDS)
B. Circuit-Level Proxy
C. Application-Level Proxy
D. Host-based Firewall

Answer: B

Q1121
Which of the following is the BEST way to protect an organization's data assets?

A. Monitor and enforce adherence to security policies.
B. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
C. Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.
D. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).

Answer: B

Q1122
Which of the following would qualify as an exception to the "right to be forgotten" of the General Data
Protection Regulation (GDPR)?

A. For the establishment, exercise, or defense of legal claims
B. The personal data has been lawfully processed and collected
C. The personal data remains necessary to the purpose for which it was collected
D. For the reasons of private interest

Answer: C

Q1123
Which of the following is the name of an individual or group that is impacted by a change?

A. Change agent
B. Stakeholder
C. Sponsor
D. End User

Answer: B

Q1124
What is the MINIMUM standard for testing a disaster recovery plan (DRP)?

A. Semi-annually and in alignment with a fiscal half-year business cycle
B. Annually or less frequently depending upon audit department requirements
C. Quarterly or more frequently depending upon the advice of the information security manager
D. As often as necessary depending upon the stability of the environment and business requirements

Answer: D

Q1125
What is the MOST significant benefit of role-based access control (RBAC)?

A. Reduction in authorization administration overhead
B. Reduces inappropriate access
C. Management of least privilege
D. Most granular form of access control

Answer: A

Q1126
A software development company found odd behavior in some recently developed software, creating a
need for a more thorough code review. What is the MOST effective argument for a more thorough code
review?

A. It will increase flexibility of the applications developed.
B. It will increase accountability with the customers.
C. It will impede the development process.
D. It will reduce the potential for vulnerabilities.

Answer: D

Q1127
A new site's gateway isn't able to form a tunnel to the existing site-to-site Internet Protocol Security
(IPsec) virtual private network (VPN) device at headquarters. Devices at the new site have no problem
accessing resources on the Internet. When testing connectivity between the remote site's gateway, it was
observed that the external Internet Protocol (IP) address of the gateway was set to 192.168.1.1 and was
configured to send outbound traffic to the Internet Service Provider (ISP) gateway at 192.168.1.2. Which
of the following would be the BEST way to resolve the issue and get the remote site connected?

A. Enable IPSec tunnel mode on the VPN devices at the new site and the corporate headquarters.
B. Enable Layer 2 Tunneling Protocol (L2TP) on the VPN devices at the new site and the corporate
headquarters.
C. Enable Point-to-Point Tunneling Protocol (PPTP) on the VPN devices at the new site and the corporate
headquarters.
D. Enable Network Address Translation (NAT) - Traversal on the VPN devices at the new site and the
corporate headquarters.

Answer: A

Q1128
Which of the following examples is BEST to minimize the attack surface for a customer's private
information?

A. Obfuscation
B. Collection limitation
C. Authentication
D. Data masking

Answer: A

Q1129
What are the essential elements of a Risk Assessment Report (RAR)?

A. Table of contents, testing criteria, and index
B. Table of contents, chapters, and executive summary
C. Executive summary, graph of risks, and process
D. Executive summary, body of the report, and appendices

Answer: D

Q1130
What is the PRIMARY benefit of incident reporting and computer crime investigations?

A. Providing evidence to law enforcement
B. Repairing the damage and preventing future occurrences
C. Appointing a computer emergency response team
D. Complying with security policy

Answer: D

Q1131
Which of the following determines how traffic should flow based on the status of the infrastructure layer?

A. Traffic plane
B. Application plane
C. Data plane
D. Control plane

Answer: A

Q1132
In a multi-tenant cloud environment, what approach will secure logical access to assets?

A. Hybrid cloud
B. Transparency/Auditability of administrative access
C. Controlled configuration management (CM)
D. Virtual private cloud (VPC)

Answer: D

Q1133
A company hired an external vendor to perform a penetration test of a new payroll system. The company's
internal test team had already performed an in-depth application and security test of the system and
determined that it met security requirements. However, the external vendor uncovered significant security
weaknesses where sensitive personal data was being sent unencrypted to the tax processing systems.
What is the MOST likely cause of the security issues?

A. Failure to perform interface testing
B. Failure to perform negative testing
C. Inadequate performance testing
D. Inadequate application level testing

Answer: A

Q1134
Which of the following is the MOST effective method of detecting vulnerabilities in web-based applications
early in the secure Software Development Life Cycle (SDLC)?

A. Web application vulnerability scanning
B. Application fuzzing
C. Code review
D. Penetration testing

Answer: C

Q1135
A malicious user gains access to unprotected directories on a web server. Which of the following is MOST
likely the cause for this information disclosure?

A. Security misconfiguration
B. Cross-site request forgery (CSRF)
C. Structured Query Language injection (SQLi)
D. Broken authentication management

Answer: A

Q1136
Which of the following security objectives for industrial control systems (ICS) can be adapted to securing
any Internet of Things (IoT) system?

A. Prevent unauthorized modification of data.
B. Restore the system after an incident.
C. Detect security events and incidents.
D. Protect individual components from exploitation.

Answer: D

Q1137
Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will
remain protected by using which protocol?

A. Secure Shell (SSH)
B. Internet Protocol Security (IPsec)
C. Secure Sockets Layer (SSL)
D. Extensible Authentication Protocol (EAP)

Answer: A

Q1138
A software development company has a short timeline in which to deliver a software product. The
software development team decides to use open-source software libraries to reduce the development
time. What concept should software developers consider when using open-source software libraries?

A. Open source libraries contain known vulnerabilities, and adversaries regularly exploit those
vulnerabilities in the wild.
B. Open source libraries can be used by everyone, and there is a common understanding that the
vulnerabilities in these libraries will not be exploited.
C. Open source libraries are constantly updated, making it unlikely that a vulnerability exists for an
adversary to exploit.
D. Open source libraries contain unknown vulnerabilities, so they should not be used.

Answer: A

Q1139
According to the (ISC)² ethics canon "act honorably, honestly, justly, responsibly, and legally," which order
should be used when resolving conflicts?

A. Public safety and duties to principals, individuals, and the profession
B. Individuals, the profession, and public safety and duties to principals
C. Individuals, public safety and duties to principals, and the profession
D. The profession, public safety and duties to principals, and individuals

Answer: A

Q1140
When conducting a remote access session using Internet Protocol Security (IPSec), which Open Systems
Interconnection (OSI) model layer does this connection use?

A. Transport
B. Network
C. Data link
D. Presentation

Answer: B

Q1141
Which of the following types of web-based attack is happening when an attacker is able to send a well-
crafted, malicious request to an authenticated user without the user realizing it?

A. Cross-Site Scripting (XSS)
B. Cross-Site request forgery (CSRF)
C. Cross injection
D. Broken Authentication And Session Management

Answer: B

Q1142
When reviewing the security logs, the password shown for an administrative login event was ' OR ' '1'='1'
--. This is an example of which of the following kinds of attack?

A. Brute Force Attack
B. Structured Query Language (SQL) Injection
C. Cross-Site Scripting (XSS)
D. Rainbow Table Attack

Answer: B

Q1143
An organization's internal audit team performed a security audit on the company's system and reported
that the manufacturing application is rarely updated along with other issues categorized as minor. Six
months later, an external audit team reviewed the same system with the same scope, but identified
severe weaknesses in the manufacturing application's security controls. What is MOST likely to be the
root cause of the internal audit team's failure in detecting these security issues?

A. Inadequate test coverage analysis
B. Inadequate security patch testing
C. Inadequate log reviews
D. Inadequate change control procedures

Answer: A

Q1144
Which audit type is MOST appropriate for evaluating the effectiveness of a security program?

A. Threat
B. Assessment
C. Analysis
D. Validation

Answer: B

Q1145
The development team has been tasked with collecting data from biometric devices. The application will
support a variety of collection data streams. During the testing phase, the team utilizes data from an old
production database in a secure testing environment. What principle has the team taken into
consideration?

A. Biometric data cannot be changed.
B. Separate biometric data streams require increased security.
C. The biometric devices are unknown.
D. Biometric data must be protected from disclosure.

Answer: A

Q1146
An attacker has intruded into the source code management system and is able to download but not
modify the code. Which of the following aspects of the code theft has the HIGHEST security impact?

A. The attacker could publicly share confidential comments found in the stolen code.
B. Competitors might be able to steal the organization's ideas by looking at the stolen code.
C. A competitor could run their own copy of the organization's website using the stolen code.
D. Administrative credentials or keys hard-coded within the stolen code could be used to access sensitive
data.

Answer: A

Q1147
Which of the following statements BEST describes least privilege principle in a cloud environment?

A. Network segments remain private if unneeded to access the internet.
B. Internet traffic is inspected for all incoming and outgoing packets.
C. A single cloud administrator is configured to access core functions.
D. Routing configurations are regularly updated with the latest routes.

Answer: B

Q1148
Which is the BEST control to meet the Statement on Standards for Attestation Engagements 18 (SSAE-18)
confidentiality category?

A. Data processing
B. Storage encryption
C. File hashing
D. Data retention policy

Answer: C

Q1149
The initial security categorization should be done early in the system life cycle and should be reviewed
periodically. Why is it important for this to be done correctly?

A. It determines the security requirements.
B. It affects other steps in the certification and accreditation process.
C. It determines the functional and operational requirements.
D. The system engineering process works with selected security controls.

Answer: B

Q1150
Which of the following vulnerabilities can be BEST detected using automated analysis?

A. Valid cross-site request forgery (CSRF) vulnerabilities
B. Multi-step process attack vulnerabilities
C. Business logic flaw vulnerabilities
D. Typical source code vulnerabilities

Answer: D

Q1151
An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses.
Which of the following security related statements should be considered in the decision-making process?

A. Cloud telephony is less secure and more expensive than digital telephony services.
B. SIP services are more secure when used with multi-layer security proxies.
C. H.323 media gateways must be used to ensure end-to-end security tunnels.
D. Given the behavior of SIP traffic, additional security controls would be required.

Answer: C

Q1152
An organization's retail website provides its only source of revenue, so the disaster recovery plan (DRP)
must document an estimated time for each step in the plan. Which of the following steps in the DRP will
list the GREATEST duration of time for the service to be fully operational?

A. Update the Network Address Translation (NAT) table.
B. Update Domain Name System (DNS) server addresses with domain registrar.
C. Update the Border Gateway Protocol (BGP) autonomous system number.
D. Update the web server network adapter configuration.

Answer: B

Q1153
Why is it important that senior management clearly communicates the formal Maximum Tolerable
Downtime (MTD) decision?

A. To provide each manager with precise direction on selecting an appropriate recovery alternative
B. To demonstrate to the regulatory bodies that the company takes business continuity seriously
C. To demonstrate to the board of directors that senior management is committed to continuity recovery
efforts
D. To provide a formal declaration from senior management as required by internal audit to demonstrate
sound business practices

Answer: D

Q1154
Which of the following activities should a forensic examiner perform FIRST when determining the priority
of digital evidence collection at a crime scene?

A. Gather physical evidence.
B. Establish order of volatility.
C. Assign responsibilities to personnel on the scene.
D. Establish a list of files to examine.

Answer: C

Q1155
When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test?

A. The actual origin and tools used for the test can be hidden.
B. Information may be found on related breaches and hacking.
C. Vulnerabilities can be tested without impact on the tested environment.
D. Information may be found on hidden vendor patches.

Answer: B

Q1156
Which of the following is the top barrier for companies to adopt cloud technology?

A. Migration period
B. Data integrity
C. Cost
D. Security

Answer: D

Q1157
In which of the following scenarios is locking server cabinets and limiting access to keys preferable to
locking the server room to prevent unauthorized access?

A. Server cabinets are located in an unshared workspace.
B. Server cabinets are located in an isolated server farm.
C. Server hardware is located in a remote area.
D. Server cabinets share workspace with multiple projects.

Answer: D

Q1158
Which of the following criteria ensures information is protected relative to its importance to the
organization?

A. The value of the data to the organization's senior management
B. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
C. Legal requirements determined by the organization headquarters' location
D. Organizational stakeholders, with classification approved by the management board

Answer: B

Q1159
What is the FIRST step for an organization to take before allowing personnel to access social media from
a corporate device or user account?

A. Publish a social media guidelines document.
B. Publish an acceptable usage policy.
C. Document a procedure for accessing social media sites.
D. Deliver security awareness training.

Answer: B

Q1160
Which of the following is an indicator that a company's new user security awareness training module
has been effective?

A. There are more secure connections to the internal database servers.
B. More incidents of phishing attempts are being reported.
C. There are more secure connections to internal e-mail servers.
D. Fewer incidents of phishing attempts are being reported.

Answer: B

Q1161
An access control list (ACL) on a router is a feature MOST similar to which type of firewall?

A. Packet filtering firewall
B. Application gateway firewall
C. Heuristic firewall
D. Stateful firewall

Answer: A

Q1162
Which of the following is the BEST way to protect privileged accounts?

A. Quarterly user access rights audits
B. Role-based access control (RBAC)
C. Written supervisory approval
D. Multi-factor authentication (MFA)

Answer: D

Q1163
Which of the following is the FIRST step for defining Service Level Requirements (SLR)?

A. Creating a prototype to confirm or refine the customer requirements
B. Drafting requirements for the service level agreement (SLA)
C. Discussing technology and solution requirements with the customer
D. Capturing and documenting the requirements of the customer

Answer: D

Q1164
Which software defined networking (SDN) architectural component is responsible for translating network
requirements?

A. SDN Application
B. SDN Data path
C. SDN Controller
D. SDN Northbound Interfaces

Answer: C

Q1165
When MUST an organization's information security strategic plan be reviewed?

A. Quarterly, when the organization's strategic plan is updated
B. Whenever there are significant changes to a major application
C. Every three years, when the organization's strategic plan is updated
D. Whenever there are major changes to the business

Answer: D

Q1166
A large human resources organization wants to integrate their identity management with a trusted partner
organization. The human resources organization wants to maintain the creation and management of the
identities and may want to share with other partners in the future. Which of the following options BEST
serves their needs?

A. Federated identity
B. Cloud Active Directory (AD)
C. Security Assertion Markup Language (SAML)
D. Single sign-on (SSO)

Answer: A

Q1167
Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a
digitally signed document?

A. Message digest (MD)
B. Asymmetric
C. Symmetric
D. Hashing

Answer: B
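
Worked example for Q1167, added here and not part of the original question set. A digital signature is produced with the signer's private key and checked with the public key, so only the private-key holder could have created it; that asymmetry is what non-repudiation rests on. A hash alone proves nothing about origin, and a symmetric MAC cannot provide non-repudiation either, because the verifier holds the same key and could have produced the tag itself. The RSA parameters below are toy Mersenne primes with no padding, an assumption chosen only to keep the arithmetic visible; they are not a usable scheme.

```python
import hashlib
import hmac

# Toy RSA parameters for illustration only: Mersenne primes far too small for
# real use, and no signature padding. Real deployments use a vetted library.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """SHA-256 of the document, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exponent: int = D) -> int:
    """Signer uses the PRIVATE key; nobody else can produce this value."""
    return pow(digest(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Anyone holding the PUBLIC key can check the signature, and a third
    party can later be shown the same proof: that is non-repudiation."""
    return pow(signature, public_exponent, N) == digest(document)


def mac(document: bytes, shared_key: bytes) -> bytes:
    """Symmetric alternative: HMAC under a key BOTH parties hold. The
    receiver can compute the identical tag, so it cannot prove to a third
    party that the sender, rather than the receiver, produced it."""
    return hmac.new(shared_key, document, hashlib.sha256).digest()


if __name__ == "__main__":
    contract = b"Alice agrees to pay Bob 100 units."      # constructed sample
    sig = sign(contract)
    print("signature verifies:", verify(contract, sig))            # True
    print("tampered document:", verify(contract + b"0", sig))      # False
    key = b"k" * 32                                                # constructed shared key
    print("receiver recreates MAC:", mac(contract, key) == mac(contract, key))  # True
```

The signature check fails for any modification of the document and cannot be forged without the private exponent; the MAC comparison at the end passes for whichever side computes it, which is exactly why a MAC does not establish who signed.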

Q1168
The quality assurance (QA) department is short-staffed and is unable to test all modules before the
anticipated release date of an application. What security control is MOST likely to be violated?

A. Separation of environments
B. Program management
C. Mobile code controls
D. Change management

Answer: D

Q1169
Which is the PRIMARY mechanism for providing the workforce with the information needed to protect an
agency's vital information resources?

A. Incorporating security awareness and training as part of the overall information security program
B. An information technology (IT) security policy to preserve the confidentiality, integrity, and availability of
systems
C. Implementation of access provisioning process for coordinating the creation of user accounts
D. Execution of periodic security and privacy assessments to the organization

Answer: A

Q1170
What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM)
program?

A. Establish an ISCM technical architecture.
B. Collect the security-related information required for metrics, assessments, and reporting.
C. Establish an ISCM program determining metrics, status monitoring frequencies, and control
assessment frequencies.
D. Define an ISCM strategy based on risk tolerance.

Answer: D

Q1171
Which of the following minimizes damage to information technology (IT) equipment stored in a data center
when a false fire alarm event occurs?

A. A pre-action system is installed.
B. An open system is installed.
C. A dry system is installed.
D. A wet system is installed.

Answer: A

Q1172
Which of the following is the MOST effective corrective control to minimize the effects of a physical
intrusion?

A. Automatic videotaping of a possible intrusion
B. Rapid response by guards or police to apprehend a possible intruder
C. Activating bright lighting to frighten away a possible intruder
D. Sounding a loud alarm to frighten away a possible intruder

Answer: B

Q1173
Which type of access control includes a system that allows only users that are type=managers and
department=sales to access employee records?

A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Attribute-based access control (ABAC)

Answer: D

Q1174
Which of the following describes the BEST method of maintaining the inventory of software and hardware
within the organization?

A. Maintaining the inventory through a combination of desktop configuration, administration management,
and procurement management tools
B. Maintaining the inventory through a combination of asset owner interviews, open-source system
management, and open-source management tools
C. Maintaining the inventory through a combination of on-premise storage configuration, cloud
management, and partner management tools
D. Maintaining the inventory through a combination of system configuration, network management, and
license management tools

Answer: D

Q1175
Which of the following is a correct feature of a virtual local area network (VLAN)?

A. A VLAN segregates network traffic therefore information security is enhanced significantly.
B. Layer 3 routing is required to allow traffic from one VLAN to another.
C. VLAN has certain security features such as where the devices are physically connected.
D. There is no broadcast allowed within a single VLAN due to network segregation.

Answer: B

Q1176
In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed?

A. Monitor and review performance against business continuity policy and objectives, report the results to
management for review, and determine and authorize actions for remediation and improvement.
B. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action,
based on the results of management review.
C. Ensure the business continuity policy, controls, processes, and procedures have been implemented.
D. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant
to improving business continuity have been established.

Answer: C

Q1177
Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?

A. Vendors take on the liability for COTS software vulnerabilities.
B. In-house developed software is inherently less secure.
C. Exploits for COTS software are well documented and publicly available.
D. COTS software is inherently less secure.

Answer: C

Q1178
What is the correct order of execution for security architecture?

A. Governance, strategy and program management, project delivery, operations
B. Strategy and program management, governance, project delivery, operations
C. Governance, strategy and program management, operations, project delivery
D. Strategy and program management, project delivery, governance, operations

Answer: A

Q1179
Which of the following is the PRIMARY purpose of due diligence when an organization embarks on a
merger or acquisition?

A. Assess the business risks.
B. Formulate alternative strategies.
C. Determine that all parties are equally protected.
D. Provide adequate capability for all parties.

Answer: A

Q1180
What should be used to determine the risks associated with using Software as a Service (SaaS) for
collaboration and email?

A. Cloud access security broker (CASB)
B. Open Web Application Security Project (OWASP)
C. Process for Attack Simulation and Threat Analysis (PASTA)
D. Common Security Framework (CSF)

Answer: A

Q1181
A federal agency has hired an auditor to perform penetration testing on a critical system as part of the
mandatory, annual Federal Information Security Management Act (FISMA) security assessments. The
auditor is new to this system but has extensive experience with all types of penetration testing. The
auditor has decided to begin with sniffing network traffic. What type of penetration testing is the auditor
conducting?

A. White box testing
B. Black box testing
C. Gray box testing
D. Red box testing

Answer: B

Q1182
A software developer wishes to write code that will execute safely and only as intended. Which of the
following programming language types is MOST likely to achieve this goal?

A. Statically typed
B. Weakly typed
C. Strongly typed
D. Dynamically typed

Answer: C

Q1183
A security professional has been assigned to assess a web application. The assessment report
recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY security
benefit in switching to SAML?

A. It uses Transport Layer Security (TLS) to address confidentiality.
B. It enables single sign-on (SSO) for web applications.
C. The users' password is not passed during authentication.
D. It limits unnecessary data entry on web forms.

Answer: C

Q1184
What is the MOST common security risk of a mobile device?

A. Insecure communications link
B. Data leakage
C. Malware infection
D. Data spoofing

Answer: B

Q1185
Which of the following protection is provided when using a Virtual Private Network (VPN) with
Authentication Header (AH)?

A. Payload encryption
B. Sender confidentiality
C. Sender non-repudiation
D. Multi-factor authentication (MFA)

Answer: C

Q1186
Which of the following poses the GREATEST privacy risk to personally identifiable information (PII) when
disposing of an office printer or copier?

A. The device could contain a document with PII on the platen glass
B. Organizational network configuration information could still be present within the device
C. A hard disk drive (HDD) in the device could contain PII
D. The device transfer roller could contain imprints of PII
Answer: C

Q1187
Which of the following is a key responsibility for a data steward assigned to manage an enterprise data
lake?

A. Ensure proper business definition, value, and usage of data collected and stored within the enterprise
data lake.
B. Ensure proper and identifiable data owners for each data element stored within an enterprise data
lake.
C. Ensure adequate security controls applied to the enterprise data lake.
D. Ensure that any data passing within remit is being used in accordance with the rules and regulations of
the business.

Answer: A

Q1188
Which of the following are the three MAIN categories of security controls?

A. Administrative, technical, physical
B. Corrective, detective, recovery
C. Confidentiality, integrity, availability
D. Preventative, corrective, detective

Answer: A

Q1189
What part of an organization's strategic risk assessment MOST likely includes information on items
affecting the success of the organization?

A. Key Risk Indicator (KRI)
B. Threat analysis
C. Vulnerability analysis
D. Key Performance Indicator (KPI)

Answer: A

Q1190
An organization has implemented a protection strategy to secure the network from unauthorized external
access. The new Chief Information Security Officer (CISO) wants to increase security by better protecting
the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST
meets this objective?

A. Application firewall
B. Port security
C. Strong passwords
D. Two-factor authentication (2FA)

Answer: B

Q1191
What is the BEST way to restrict access to a file system on computing systems?
A. Allow a user group to restrict access.
B. Use a third-party tool to restrict access.
C. Use least privilege at each level to restrict access.
D. Restrict access to all users.

Answer: C

Q1192
During testing, where are the requirements to inform parent organizations, law enforcement, and a
computer incident response team documented?

A. Unit test results
B. Security assessment plan
C. System integration plan
D. Security Assessment Report (SAR)

Answer: B

Q1193
What is static analysis intended to do when analyzing an executable file?

A. Collect evidence of the executable file's usage, including dates of creation and last use.
B. Search the documents and files associated with the executable file.
C. Analyze the position of the file in the file system and the executable file's libraries.
D. Disassemble the file to gather information about the executable file's function.

Answer: D

Q1194
In addition to life, protection of which of the following elements is MOST important when planning a data
center site?

A. Data and hardware
B. Property and operations
C. Profits and assets
D. Resources and reputation

Answer: A

Q1195
In an IDEAL encryption system, who has sole access to the decryption key?

A. System owner
B. Data owner
C. Data custodian
D. System administrator

Answer: B

Q1196
Which of the following roles is responsible for ensuring that important datasets are developed,
maintained, and are accessible within their defined specifications?

A. Data Reviewer
B. Data User
C. Data Custodian
D. Data Owner

Answer: C

Q1197
What is the MOST important criterion that needs to be adhered to during the data collection process of an
active investigation?

A. Capturing an image of the system
B. Maintaining the chain of custody
C. Complying with the organization's security policy
D. Outlining all actions taken during the investigation

Answer: B

Q1198
What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)?

A. Save security costs for the organization.
B. Improve vulnerability assessment capabilities.
C. Standardize specifications between software security products.
D. Achieve organizational compliance with international standards.

Answer: C

Q1199
A user's credential for an application is stored in a relational database. Which control protects the
confidentiality of the credential while it is stored?

A. Validate passwords using a stored procedure.
B. Allow only the application to have access to the password field in order to verify user authentication.
C. Use a salted cryptographic hash of the password.
D. Encrypt the entire database and embed an encryption key in the application.

Answer: C

Q1200
What is the PRIMARY consideration when testing industrial control systems (ICS) for security
weaknesses?

A. ICS often do not have availability requirements.
B. ICS are often isolated and difficult to access.
C. ICS often run on UNIX operating systems.
D. ICS are often sensitive to unexpected traffic.

Answer: D

Q1201
An organization implements Network Access Control (NAC) using Institute of Electrical and Electronics
Engineers (IEEE) 802.1X and discovers the printers do not support the IEEE 802.1X standard. Which of
the following is the BEST resolution?

A. Implement port security on the switch ports for the printers.
B. Implement a virtual local area network (VLAN) for the printers.
C. Do nothing; IEEE 802.1X is irrelevant to printers.
D. Install an IEEE 802.1X bridge for the printers.

Answer: A

Q1202
What process facilitates the balance of operational and economic costs of protective measures with gains
in mission capability?

A. Risk assessment
B. Performance testing
C. Security audit
D. Risk management

Answer: D

Q1203
Which of the following BEST describes why software assurance is critical in helping prevent an increase
in business and mission risk for an organization?

A. Software that does not perform as intended may be exploitable which makes it vulnerable to attack.
B. Request for proposals (RFP) avoid purchasing software that does not meet business needs.
C. Contracting processes eliminate liability for security vulnerabilities for the purchaser.
D. Decommissioning of old software reduces long-term costs related to technical debt.

Answer: A

Q1204
In software development, which of the following entities normally signs the code to protect the code
integrity?

A. The organization developing the code
B. The quality control group
C. The data owner
D. The developer

Answer: A

Q1205
Which security evaluation model assesses a product's Security Assurance Level (SAL) in comparison to
similar solutions?

A. Payment Card Industry Data Security Standard (PCI-DSS)
B. International Organization for Standardization (ISO) 27001
C. Common criteria (CC)
D. Control Objectives for Information and Related Technology (COBIT)

Answer: C

Q1206
Which of the following is a risk matrix?

A. A database of risks associated with a specific information system.
B. A table of risk management factors for management to consider.
C. A two-dimensional picture of risk for organizations, products, projects, or other items of interest.
D. A tool for determining risk management decisions for an activity or system.

Answer: C

Q1207
Which evidence collecting technique would be utilized when it is believed an attacker is employing a
rootkit and a quick analysis is needed?

A. Memory collection
B. Forensic disk imaging
C. Malware analysis
D. Live response

Answer: A

Q1208
A user is allowed to access the file labeled "Financial Forecast," but only between 9:00 a.m. and 5:00
p.m., Monday through Friday. Which type of access mechanism should be used to accomplish this?

A. Minimum access control
B. Rule-based access control
C. Limited role-based access control (RBAC)
D. Access control list (ACL)

Answer: B
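
Worked example covering both Q1173 and Q1208, added here and not part of the original question set. The same policy-evaluation loop decides the attribute-based case (type=manager AND department=sales may read employee records) and the rule-based case (anyone may read "Financial Forecast", but only 09:00 to 17:00, Monday to Friday). The rule is allowed to look at subject attributes, resource, action and environmental attributes such as the request time, and the default is deny. The policy store, attribute names and the sample timestamps are constructed for the example.

```python
from datetime import datetime, time

# Constructed policy store (an assumption for this example): each rule names
# the attributes a subject must carry, the resource and action it covers, and
# optional environmental conditions evaluated at request time.
POLICY = [
    {   # Q1173: only subjects with type=manager AND department=sales
        "resource": "employee_records",
        "action": "read",
        "subject_must": {"type": "manager", "department": "sales"},
    },
    {   # Q1208: any authenticated user, but only 09:00-17:00, Monday-Friday
        "resource": "Financial Forecast",
        "action": "read",
        "subject_must": {},
        "weekdays": range(0, 5),                # Monday=0 .. Friday=4
        "hours": (time(9, 0), time(17, 0)),     # start inclusive, end exclusive
    },
]

# Constructed request timestamps used by the demo below.
WED_10AM = datetime(2024, 1, 10, 10, 0)    # Wednesday, inside the window
SAT_10AM = datetime(2024, 1, 13, 10, 0)    # Saturday, outside the window
WED_5PM = datetime(2024, 1, 10, 17, 0)     # Wednesday, just after close


def _subject_matches(subject: dict, required: dict) -> bool:
    """Every required attribute must be present with the required value."""
    return all(subject.get(key) == value for key, value in required.items())


def _environment_matches(rule: dict, now: datetime) -> bool:
    """Day-of-week and time-of-day conditions, if the rule carries them."""
    if "weekdays" in rule and now.weekday() not in rule["weekdays"]:
        return False
    if "hours" in rule:
        start, end = rule["hours"]
        if not (start <= now.time() < end):
            return False
    return True


def is_permitted(subject: dict, action: str, resource: str, now: datetime) -> bool:
    """Default deny: permit only when some rule matches the subject's
    attributes, the action, the resource and the environment."""
    for rule in POLICY:
        if rule["resource"] != resource or rule["action"] != action:
            continue
        if _subject_matches(subject, rule["subject_must"]) and _environment_matches(rule, now):
            return True
    return False


if __name__ == "__main__":
    sales_manager = {"type": "manager", "department": "sales"}
    sales_rep = {"type": "staff", "department": "sales"}
    print(is_permitted(sales_manager, "read", "employee_records", WED_10AM))     # True
    print(is_permitted(sales_rep, "read", "employee_records", WED_10AM))         # False
    print(is_permitted(sales_rep, "read", "Financial Forecast", WED_10AM))       # True
    print(is_permitted(sales_rep, "read", "Financial Forecast", SAT_10AM))       # False
    print(is_permitted(sales_rep, "read", "Financial Forecast", WED_5PM))        # False
```

Note that neither decision depends on a role name assigned in advance: the first is purely a conjunction of subject attributes, the second a conjunction of environmental ones, which is why the exam labels them ABAC and rule-based rather than RBAC.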

Q1209
An organization wants to share data securely with their partners via the Internet. Which standard port is
typically used to meet this requirement?

A. Setup a server on User Datagram Protocol (UDP) port 69
B. Setup a server on Transmission Control Protocol (TCP) port 21
C. Setup a server on Transmission Control Protocol (TCP) port 22
D. Setup a server on Transmission Control Protocol (TCP) port 80

Answer: C

Q1210
Which part of an operating system (OS) is responsible for providing security interfaces among the
hardware, OS, and other parts of the computing system?

A. Time separation
B. Trusted Computing Base (TCB)
C. Reference monitor
D. Security kernel

Answer: D

Q1211
Recently, an unknown event has disrupted a single Layer-2 network that spans between two
geographically diverse data centers. The network engineers have asked for assistance in identifying the
root cause of the event. Which of the following is the MOST likely cause?
A. Misconfigured routing protocol
B. Smurf attack
C. Broadcast domain too large
D. Address spoofing

Answer: C

Q1212
What would be the BEST action to take in a situation where collected evidence was left unattended
overnight in an unlocked vehicle?

A. Report the matter to the local police authorities.
B. Move evidence to a climate-controlled environment.
C. Re-inventory the evidence and provide it to the evidence custodian.
D. Immediately report the matter to the case supervisor.

Answer: D

Q1213
Which of the following contributes MOST to the effectiveness of a security officer?

A. Understanding the regulatory environment
B. Developing precise and practical security plans
C. Integrating security into the business strategies
D. Analyzing the strengths and weakness of the organization

Answer: C

Q1214
An organization wants a service provider to authenticate users via the users' organization domain
credentials. Which markup language should the organization's security personnel use to support the
integration?

A. Security Assertion Markup Language (SAML)
B. YAML Ain't Markup Language (YAML)
C. Hypertext Markup Language (HTML)
D. Extensible Markup Language (XML)

Answer: A

Q1215
A recent security audit is reporting several unsuccessful login attempts being repeated at specific times
during the day on an Internet facing authentication server. No alerts have been generated by the security
information and event management (SIEM) system. What PRIMARY action should be taken to improve
SIEM performance?

A. Implement role-based system monitoring
B. Audit firewall logs to identify the source of login attempts
C. Enhance logging detail
D. Confirm alarm thresholds

Answer: D

Q1216
What is a security concern when considering implementing software-defined networking (SDN)?

A. It increases the attack footprint.
B. It uses open source protocols.
C. It has a decentralized architecture.
D. It is cloud based.

Answer: A

Q1217
Which of the following is the MOST important rule for digital investigations?

A. Ensure event logs are rotated.
B. Ensure original data is never modified.
C. Ensure individual privacy is protected.
D. Ensure systems are powered on.

Answer: B

Q1218
A cybersecurity engineer has been tasked to research and implement an ultra-secure communications
channel to protect the organization's most valuable intellectual property (IP). The primary directive in this
initiative is to ensure there is no possible way the communications can be intercepted without detection.
Which of the following is the only way to ensure this outcome?

A. Diffie-Hellman key exchange
B. Symmetric key cryptography
C. Public key infrastructure (PKI)
D. Quantum Key Distribution

Answer: D

Q1219
An organization is trying to secure instant messaging (IM) communications through its network perimeter.
Which of the following is the MOST significant challenge?

A. IM clients can interoperate between multiple vendors.
B. IM clients can run without administrator privileges.
C. IM clients can utilize random port numbers.
D. IM clients can run as executables that do not require installation.

Answer: C

Q1220
A company wants to store data related to users on an offsite server. What method can be deployed to
protect the privacy of the user's information while maintaining the field-level configuration of the
database?

A. Encryption
B. Encoding
C. Tokenization
D. Hashing

Answer: C
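
Worked example for Q1220, added here and not part of the original question set. Tokenization replaces each sensitive value with a surrogate that has the same length and character classes, so the offsite database keeps its column types, lengths and format checks, while the real value lives only in a vault the offsite server never sees. Encrypting the field instead would change its length and character set and would put a decryption key within reach of the remote host. The `TokenVault` class, the in-memory dictionaries standing in for a hardened vault store, and the sample card number and e-mail address are all constructed for this example.

```python
import secrets
import string


class TokenVault:
    """Constructed in-memory token vault (an assumption for this example; a
    real vault is a separately secured store). The offsite database holds
    only the token; the token keeps the original's length and character
    classes, so schema and validation rules still apply to it."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    @staticmethod
    def _random_like(value: str) -> str:
        """Random string of the same shape: digits stay digits, letters stay
        letters, separators such as '-', '@' and '.' are kept in place."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_letters))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting one on first sight so the
        same value always maps to the same token (joins still work)."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no characters that can be tokenized")
        while True:
            token = self._random_like(value)
            if token != value and token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can recover the original."""
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111-1111-1111-1111"                       # constructed sample
    token = vault.tokenize(pan)
    offsite_row = {"customer": "alice", "card": token}   # what leaves the site
    print(offsite_row, len(token) == len(pan), vault.detokenize(token) == pan)
```

The token is random rather than derived from the value, so there is no key whose compromise reverses every token at once; the vault lookup is the only path back, which is what lets the offsite copy be treated as non-sensitive.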

Q1221
What is the FIRST step in developing a patch management plan?

A. Subscribe to a vulnerability subscription service.
B. Develop a patch testing procedure.
C. Inventory the hardware and software used.
D. Identify unnecessary services installed on systems.

Answer: C

Q1222
When resolving ethical conflicts, the information security professional MUST consider many factors. In
what order should these considerations be prioritized?

A. Public safety, duties to individuals, duties to the profession, and duties to principals
B. Public safety, duties to principals, duties to individuals, and duties to the profession
C. Public safety, duties to the profession, duties to principals, and duties to individuals
D. Public safety, duties to principals, duties to the profession, and duties to individuals

Answer: B

Q1223
An organization is implementing security review as part of system development. Which of the following is
the BEST technique to follow?

A. Engage a third-party auditing firm.
B. Review security architecture.
C. Perform incremental assessments.
D. Conduct penetration testing.

Answer: C

Q1224
How does Radio-Frequency Identification (RFID) assist with asset management?

A. It uses biometric information for system identification.
B. It uses two-factor authentication (2FA) for system identification.
C. It transmits unique Media Access Control (MAC) addresses wirelessly.
D. It transmits unique serial numbers wirelessly.

Answer: D

Q1225
Which of the following services can be deployed via a cloud service or on-premises to integrate with
Identity as a Service (IDaaS) as the authoritative source of user identities?

A. Directory
B. User database
C. Multi-factor authentication (MFA)
D. Single sign-on (SSO)

Answer: A
Q1226
Which of the following security tools monitors devices and records the information in a central
database for further analysis?

A. Security orchestration automation and response
B. Host-based intrusion detection system (HIDS)
C. Antivirus
D. Endpoint detection and response (EDR)

Answer: D

Q1227
Secure coding can be developed by applying which one of the following?

A. Applying the organization's acceptable use guidance
B. Applying the industry best practice coding guidelines
C. Applying rapid application development (RAD) coding
D. Applying the organization's web application firewall (WAF) policy

Answer: B

Q1228
A company is moving from the V model to Agile development. How can the information security
department BEST ensure that secure design principles are implemented in the new methodology?

A. All developers receive a mandatory targeted information security training.
B. The non-financial information security requirements remain mandatory for the new model.
C. The information security department performs an information security assessment after each sprint.
D. Information security requirements are captured in mandatory user stories.

Answer: D

Q1229
An organization wants to define its physical perimeter. What primary device should be used to accomplish
this objective if the organization's perimeter MUST cost-efficiently deter casual trespassers?

A. Fences eight or more feet high with three strands of barbed wire
B. Fences three to four feet high with a turnstile
C. Fences accompanied by patrolling security guards
D. Fences six to seven feet high with a painted gate

Answer: B

Q1230
The acquisition of personal data being obtained by a lawful and fair means is an example of what
principle?

A. Data Quality Principle
B. Openness Principle
C. Purpose Specification Principle
D. Collection Limitation Principle

Answer: D
Q1231
What is the BEST control to be implemented at a login page in a web application to mitigate the ability to
enumerate users?

A. Implement a generic response for a failed login attempt.
B. Implement a strong password during account registration.
C. Implement numbers and special characters in the user name.
D. Implement two-factor authentication (2FA) to login process.

Answer: A
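
Worked example covering both Q1199 and Q1231, added here and not part of the original question set. The stored credential is a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library), so two users with the same password get different rows and a leaked table cannot be attacked with one precomputed list. The login path returns the same generic message for an unknown username and for a wrong password, and it performs the same hashing work in both cases against a dummy record, so neither the text nor the response time tells an attacker which usernames exist. The in-memory dictionary standing in for the credential table, the iteration count and the sample accounts are constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000                       # PBKDF2 work factor (assumption; raise for production)
GENERIC_FAILURE = "Invalid username or password."

# Dummy credential used when the username does not exist, so the failure
# path costs the same hashing work and returns the same message either way.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", os.urandom(16), _DUMMY_SALT, ITERATIONS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the salt is stored beside the hash, not secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """The row holds (salt, hash) only; the password itself is never stored,
    and a fresh salt per user means identical passwords give different rows
    (Q1199)."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def login(db: dict, username: str, password: str):
    """Returns (True, None) on success, otherwise (False, GENERIC_FAILURE).
    Unknown user and wrong password share one message and one code path, so
    the response cannot be used to enumerate accounts (Q1231)."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, stored) and username in db:
        return True, None
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    users = {}                                  # constructed in-memory "table"
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print(users["alice"][1] != users["bob"][1])                    # True: same password, different rows
    print(login(users, "alice", "correct horse battery staple"))   # (True, None)
    print(login(users, "alice", "wrong"))                          # (False, 'Invalid username or password.')
    print(login(users, "nobody", "wrong"))                         # identical message for an unknown user
```

`hmac.compare_digest` keeps the comparison itself constant-time; the dummy record keeps the hashing cost constant. Both matter, because a login page that answers faster for unknown users leaks the same information as one that says "user not found".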

Q1232
If the wide area network (WAN) is supporting converged applications like Voice over Internet Protocol
(VoIP), which of the following becomes even MORE essential to the assurance of network?

A. Classless Inter-Domain Routing (CIDR)
B. Deterministic routing
C. Internet Protocol (IP) routing lookups
D. Boundary routing

Answer: B

Q1233
A cloud service accepts Security Assertion Markup Language (SAML) assertions from users to log on to its
security domain. However, an attacker was able to spoof a registered account on the network and query the
SAML provider. What is the MOST common attack leveraged against this flaw?

A. Attacker forges requests to authenticate as a different user.
B. Attacker leverages SAML assertion to register an account on the security domain.
C. Attacker conducts denial-of-service (DoS) against the security domain by authenticating as the same
user repeatedly.
D. Attacker exchanges authentication and authorization data between security domains.

Answer: A

Q1234
A company is attempting to enhance the security of its user authentication processes. After evaluating
several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following
factors leads the company to choose an IDaaS as their solution?

A. In-house development provides more control.
B. In-house team lacks resources to support an on-premise solution.
C. Third-party solutions are inherently more secure.
D. Third-party solutions are known for transferring the risk to the vendor.

Answer: B

Q1235
In which of the following system life cycle processes should security requirements be developed?

A. Risk management
B. Business analysis
C. Information management
D. System analysis

Answer: B

Q1236
Which of the following virtual network configuration options is BEST to protect virtual machines (VM)?

A. Traffic filtering
B. Data encryption
C. Data segmentation
D. Traffic throttling

Answer: A

Q1237
Which of the following is the BEST method to validate secure coding techniques against injection and
overflow attacks?

A. Scheduled team review of coding style and techniques for vulnerability patterns
B. Using automated programs to test for the latest known vulnerability patterns
C. The regular use of production code routines from similar applications already in use
D. Ensure code editing tools are updated against known vulnerability patterns

Answer: B

Q1238
A Distributed Denial of Service (DDoS) attack was carried out using malware called Mirai to create a
large-scale command and control system to launch a botnet. Which of the following devices were the
PRIMARY sources used to generate the attack traffic?

A. Internet of Things (IoT) devices
B. Microsoft Windows hosts
C. Web servers running open source operating systems (OS)
D. Mobile devices running Android

Answer: A

Q1239
An established information technology (IT) consulting firm is considering acquiring a successful local
startup. To gain a comprehensive understanding of the startup's security posture, which type of
assessment provides the BEST information?

A. A security audit
B. A penetration test
C. A tabletop exercise
D. A security threat model

Answer: A

Q1240
As a design principle, which one of the following actors is responsible for identifying and approving data
security requirements in a cloud ecosystem?
A. Cloud broker
B. Cloud provider
C. Cloud consumer
D. Cloud auditor

Answer: C

Q1241
A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to
the vendor when it is no longer needed. The vendor pays more money for functioning drives than
equipment that is no longer operational. Which method of data sanitization would provide the most secure
means of preventing unauthorized data loss, while also receiving the most money from the vendor?

A. Pinning
B. Single-pass wipe
C. Degaussing
D. Multi-pass wipes

Answer: C

Q1242
In supervisory control and data acquisition (SCADA) systems, which of the following controls can be used
to reduce device exposure to malware?

A. Disable all command line interfaces.
B. Disallow untested code in the execution space of the SCADA device.
C. Prohibit the use of unsecure scripting languages.
D. Disable Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 138 and 139 on
the SCADA device.

Answer: B

Q1243
What is considered a compensating control for not having electrical surge protectors installed?

A. Having dual lines to network service providers built to the site
B. Having backup diesel generators installed to the site
C. Having a hot disaster recovery (DR) environment for the site
D. Having network equipment in active-active clusters at the site

Answer: D

Q1244
What is considered the BEST when determining whether to provide remote network access to a third-
party security service?

A. Contract negotiation
B. Vendor demonstration
C. Supplier request
D. Business need

Answer: D

Q1245
When network management is outsourced to third parties, which of the following is the MOST effective
method of protecting critical data assets?

A. Provide links to security policies
B. Log all activities associated with sensitive systems
C. Employ strong access controls
D. Confirm that confidentiality agreements are signed

Answer: C

Q1246
What is the FIRST step in reducing the exposure of a network to Internet Control Message Protocol
(ICMP) based attacks?

A. Implement egress filtering at the organization's network boundary.
B. Implement network access control lists (ACL).
C. Implement a web application firewall (WAF).
D. Implement an intrusion prevention system (IPS).

Answer: B

Q1247
A system developer has a requirement for an application to check for a secure digital signature before the
application is accessed on a user's laptop. Which security mechanism addresses this requirement?

A. Hardware encryption
B. Certificate revocation list (CRL) policy
C. Trusted Platform Module (TPM)
D. Key exchange

Answer: B

Q1248
The security organization is looking for a solution that could help them determine with a strong level of
confidence that attackers have breached their network. Which solution is MOST effective at discovering a
successful network breach?

A. Deploying a honeypot
B. Developing a sandbox
C. Installing an intrusion prevention system (IPS)
D. Installing an intrusion detection system (IDS)

Answer: A

Q1249
A security architect is reviewing plans for an application with a Recovery Point Objective (RPO) of 15
minutes. The current design has all of the application infrastructure located within one co-location data
center. Which security principle is the architect currently assessing?

A. Availability
B. Disaster recovery (DR)
C. Redundancy
D. Business continuity (BC)

Answer: D

Q1250
Which of the following outsourcing agreement provisions has the HIGHEST priority from a security
operations perspective?

A. Conditions to prevent the use of subcontractors
B. Terms for contract renegotiation in case of disaster
C. Escalation process for problem resolution during incidents
D. Root cause analysis for application performance issue

Answer: D

Q1251
When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner's
first consideration?

A. Detection of sophisticated attackers
B. Resiliency of the system
C. Topology of the network used for the system
D. Risk assessment of the system

Answer: B

Q1252
A security professional was tasked with rebuilding a company's wireless infrastructure. Which of the
following are the MOST important factors to consider while making a decision on which wireless spectrum
to deploy?

A. Hybrid frequency band, service set identifier (SSID), and interpolation
B. Performance, geographic location, and radio signal interference
C. Facility size, intermodulation, and direct satellite service
D. Existing client devices, manufacturer reputation, and electrical interference

Answer: D

Q1253
A subscription service which provides power, climate control, raised flooring, and telephone wiring but
NOT the computer and peripheral equipment is BEST described as a:

A. warm site.
B. reciprocal site.
C. cold site.
D. hot site.

Answer: C

Q1254
Which of the following is the PRIMARY goal of logical access controls?

A. Restrict access to an information asset.
B. Ensure integrity of an information asset.
C. Restrict physical access to an information asset.
D. Ensure availability of an information asset.

Answer: C

Q1255
The ability to send malicious code, generally in the form of a client side script, to a different end user is
categorized as which type of vulnerability?

A. Session hijacking
B. Cross-site request forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Command injection

Answer: C

Q1256
The security architect has been mandated to assess the security of various brands of mobile devices. At
what phase of the product lifecycle would this be MOST likely to occur?

A. Disposal
B. Implementation
C. Development
D. Operations and maintenance

Answer: C

Q1257
A hacker can use a lockout capability to start which of the following attacks?

A. Denial of service (DoS)
B. Dictionary
C. Ping flood
D. Man-in-the-middle (MITM)

Answer: A

Q1258
An Internet media company produces and broadcasts highly popular television shows. The company is
suffering a huge revenue loss due to piracy. What technique should be used to track the distribution of
content?

A. Install the latest data loss prevention (DLP) software at every server used to distribute content.
B. Log user access to servers. Every day those log records are going to be audited by a team of
specialized investigators.
C. Hire several investigators to identify sources of pirated content and report people sharing the content.
D. Use watermarking to hide a signature into the digital media such that it can be used to find who is
using the company's content.

Answer: D

Q1259
Using the cipher text and resultant clear text message to derive the non-alphabetic cipher key is an
example of which method of cryptanalytic attack?

A. Frequency analysis
B. Ciphertext-only attack
C. Probable-plaintext attack
D. Known-plaintext attack

Answer: D

Q1260
All hosts on the network are sending logs via syslog-ng to the log collector. The log collector is behind its
own firewall. The security professional wants to make sure not to put extra load on the firewall due to the
amount of traffic that is passing through it. Which of the following types of filtering would MOST likely be
used?

A. Uniform Resource Locator (URL) Filtering
B. Web Traffic Filtering
C. Dynamic Packet Filtering
D. Static Packet Filtering

Answer: C

Q1261
An organization has been collecting a large amount of redundant and unusable data and filling up the
storage area network (SAN). Management has requested the identification of a solution that will address
ongoing storage problems. Which is the BEST technical solution?

A. Deduplication
B. Compression
C. Replication
D. Caching

Answer: B

Q1262
A security practitioner has been asked to model best practices for disaster recovery (DR) and business
continuity. The practitioner has decided that a formal committee is needed to establish a business
continuity policy. Which of the following BEST describes this stage of business continuity development?

A. Project Initiation and Management
B. Risk Evaluation and Control
C. Developing and Implementing business continuity plans (BCP)
D. Business impact analysis (BIA)

Answer: D

Q1263
What is the MOST appropriate hierarchy of documents when implementing a security program?

A. Organization principle, policy, standard, guideline
B. Policy, organization principle, standard, guideline
C. Standard, policy, organization principle, guideline
D. Organization principle, guideline, policy, standard

Answer: C

Q1264
Which of the following is the MOST common cause of system or security failures?

A. Lack of system documentation
B. Lack of physical security controls
C. Lack of change control
D. Lack of logging and monitoring

Answer: D

Q1265
Which access control method is based on users issuing access requests on system resources, features
assigned to those resources, the operational or situational context, and a set of policies specified in terms
of those features and context?

A. Mandatory Access Control (MAC)
B. Role Based Access Control (RBAC)
C. Discretionary Access Control (DAC)
D. Attribute Based Access Control (ABAC)

Answer: B

Q1266
Information security practitioners are in the midst of implementing a new firewall. Which of the following
failure methods would BEST prioritize security in the event of failure?

A. Fail-Closed
B. Fail-Open
C. Fail-Safe
D. Failover

Answer: A

Q1267
Which of the following is a PRIMARY security weakness in the design of Domain Name System (DNS)?

A. A DNS server can be disabled in a denial-of-service (DoS) attack.
B. A DNS server does not authenticate source of information.
C. Each DNS server must hold the address of the root servers.
D. A DNS server database can be injected with falsified checksums.

Answer: A

Q1268
Which of the following BEST describes the purpose of the reference monitor when defining access control
to enforce the security model?

A. Quality design principles to ensure quality by design
B. Policies to validate organization rules
C. Cyber hygiene to ensure organizations can keep systems healthy
D. Strong operational security to keep unit members safe

Answer: B

Q1269
A project manager for a large software firm has acquired a government contract that generates large
amounts of Controlled Unclassified Information (CUI). The organization's information security manager
has received a request to transfer project-related CUI between systems of differing security
classifications. What role provides the authoritative guidance for this transfer?

A. Information owner
B. PM
C. Data Custodian
D. Mission/Business Owner

Answer: C

Q1270
Which of the following protects personally identifiable information (PII) used by financial services
organizations?

A. National Institute of Standards and Technology (NIST) SP 800-53
B. Gramm-Leach-Bliley Act (GLBA)
C. Payment Card Industry Data Security Standard (PCI-DSS)
D. Health Insurance Portability and Accountability Act (HIPAA)

Answer: B

Q1271
Which of the following is a common term for log reviews, synthetic transactions, and code reviews?

A. Security control testing
B. Application development
C. Spiral development functional testing
D. DevOps Integrated Product Team (IPT) development

Answer: B

Q1272
At what stage of the Software Development Life Cycle (SDLC) does software vulnerability remediation
MOST likely cost the least to implement?

A. Development
B. Testing
C. Deployment
D. Design

Answer: D

Q1273
Clothing retailer employees are provisioned with user accounts that provide access to resources at
partner businesses. All partner businesses use common identity and access management (IAM) protocols
and differing technologies. Under the Extended Identity principle, what is the process flow between
partner businesses to allow this IAM action?

A. Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then
sends credentials to partner businesses that act as a Service Provider and allows access to services.
B. Clothing retailer acts as User Self Service, confirms identity of user using industry standards, then
sends credentials to partner businesses that act as a Service Provider and allows access to services.
C. Clothing retailer acts as Service Provider, confirms identity of user using industry standards, then
sends credentials to partner businesses that act as an identity provider (IdP) and allows access to
resources.
D. Clothing retailer acts as Access Control Provider, confirms access of user using industry standards,
then sends credentials to partner businesses that act as a Service Provider and allows access to
resources.

Answer: A

Q1274
Using Address Space Layout Randomization (ASLR) reduces the potential for which of the following
attacks?

A. SQL injection (SQLi)
B. Man-in-the-middle (MITM)
C. Cross-Site Scripting (XSS)
D. Heap overflow

Answer: D

Q1275
Which of the following ensures old log data is not overwritten?

A. Increase log file size
B. Implement Syslog
C. Log preservation
D. Log retention

Answer: D

Q1276
What is the benefit of using Network Admission Control (NAC)?

A. Operating system (OS) versions can be validated prior to allowing network access.
B. NAC supports validation of the endpoint's security posture prior to allowing the session to go into an
authorized state.
C. NAC can require the use of certificates, passwords, or a combination of both before allowing network
admission.
D. NAC only supports Windows operating systems (OS).

Answer: C

Q1277
The European Union (EU) General Data Protection Regulation (GDPR) requires organizations to
implement appropriate technical and organizational measures to ensure a level of security appropriate to
the risk. The Data Owner should therefore consider which of the following requirements?

A. Data masking and encryption of personal data
B. Only to use encryption protocols approved by EU
C. Anonymization of personal data when transmitted to sources outside the EU
D. Never to store personal data of EU citizens outside the EU

Answer: D

Q1278
Which of the following is the BEST approach to implement multiple servers on a virtual system?

A. Implement multiple functions per virtual server and apply the same security configuration for each
virtual server.
B. Implement one primary function per virtual server and apply high security configuration on the host
operating system.
C. Implement one primary function per virtual server and apply individual security configuration for each
virtual server.
D. Implement multiple functions within the same virtual server and apply individual security configurations
to each function.

Answer: C

Q1279
Which of the following is the MOST important consideration in selecting a security testing method based
on different Radio-Frequency Identification (RFID) vulnerability types?

A. The performance and resource utilization of tools
B. The quality of results and usability of tools
C. An understanding of the attack surface
D. Adaptability of testing tools to multiple technologies

Answer: C

Q1280
A financial services organization has employed a security consultant to review processes used by
employees across various teams. The consultant interviewed a member of the application development
practice and found gaps in their threat model. Which of the following correctly represents a trigger for
when a threat model should be revised?

A. A new data repository is added.
B. After operating system (OS) patches are applied
C. After a modification to the firewall rule policy
D. A new developer is hired into the team.

Answer: D

Q1281
When testing password strength, which of the following is the BEST method for brute forcing passwords?

A. Conduct an offline attack on the hashed password information.
B. Conduct an online password attack until the account being used is locked.
C. Use a comprehensive list of words to attempt to guess the password.
D. Use social engineering methods to attempt to obtain the password.

Answer: C

Q1282
What is a use for mandatory access control (MAC)?

A. Allows for labeling of sensitive user accounts for access control
B. Allows for mandatory user identity and passwords based on sensitivity
C. Allows for mandatory system administrator access control over objects
D. Allows for object security based on sensitivity represented by a label

Answer: D

Q1283
Which of the following MUST be done before a digital forensics investigator may acquire digital evidence?

A. Inventory the digital evidence.
B. Isolate the digital evidence.
C. Verify that the investigator has the appropriate legal authority to proceed.
D. Perform hashing to verify the integrity of the digital evidence.

Answer: C

Q1284
A security engineer is required to integrate security into a software project that is implemented by small
groups that quickly, continuously, and independently develop, test, and deploy code to the cloud. The
engineer will MOST likely integrate with which software development process?

A. Service-oriented architecture (SOA)
B. Spiral Methodology
C. Structured Waterfall Programming Development
D. Devops Integrated Product Team (IPT)

Answer: C

Q1285
An authentication system that uses challenge and response was recently implemented on an
organization's network, because the organization conducted an annual penetration test showing that
testers were able to move laterally using authenticated credentials. Which attack method was MOST
likely used to achieve this?

A. Cross-Site Scripting (XSS)
B. Pass the ticket
C. Brute force
D. Hash collision

Answer: B

Q1286
Which of the following is an example of a vulnerability of full-disk encryption (FDE)?

A. Data at rest has been compromised when the user has authenticated to the device.
B. Data on the device cannot be restored from backup.
C. Data in transit has been compromised when the user has authenticated to the device.
D. Data on the device cannot be backed up.

Answer: A

Q1287
What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and
education program?

A. Make all stakeholders aware of the program's progress.
B. Measure the effect of the program on the organization's workforce.
C. Facilitate supervision of periodic training events.
D. Comply with legal regulations and document due diligence in security practices.

Answer: C

Q1288
Which one of the following BEST protects vendor accounts that are used for emergency maintenance?

A. Encryption of routing tables
B. Vendor access should be disabled until needed
C. Role-based access control (RBAC)
D. Frequent monitoring of vendor access

Answer: B

Q1289
Which part of an operating system (OS) is responsible for providing security interfaces among the
hardware, OS, and other parts of the computing system?

A. Trusted Computing Base (TCB)
B. Time separation
C. Security kernel
D. Reference monitor

Answer: C

Q1290
The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert
regarding ICS-focused malware specifically propagating through Windows-based business networks.
Technicians at a local water utility note that their dams, canals, and locks controlled by an
internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital
forensics professional is consulted in the Incident Response (IR) and recovery. Which of the following is
the MOST challenging aspect of this investigation?

A. SCADA network latency
B. Group policy implementation
C. Volatility of data
D. Physical access to the system

Answer: C

Q1291
To minimize the vulnerabilities of a web-based application, which of the following FIRST actions will lock
down the system and minimize the risk of an attack?

A. Install an antivirus on the server
B. Run a vulnerability scanner
C. Review access controls
D. Apply the latest vendor patches and updates

Answer: D

Q1292
A hospital has allowed virtual private networking (VPN) access to remote database developers. Upon
auditing the internal firewall configuration, the network administrator discovered that split-tunneling was
enabled. What is the concern with this configuration?

A. Remote sessions will not require multi-layer authentication.
B. Remote clients are permitted to exchange traffic with the public and private network.
C. Multiple Internet Protocol Security (IPSec) tunnels may be exploitable in specific circumstances.
D. The network intrusion detection system (NIDS) will fail to inspect Secure Sockets Layer (SSL) traffic.

Answer: C

Q1293
A cloud hosting provider would like to provide a Service Organization Control (SOC) report relevant to its
security program. This report should be an abbreviated report that can be freely distributed. Which type of
report BEST meets this requirement?

A. SOC 1
B. SOC 2 Type I
C. SOC 2 Type II
D. SOC 3

Answer: D

Q1294
What action should be taken by a business line that is unwilling to accept the residual risk in a system
after implementing compensating controls?

A. Notify the audit committee of the situation.
B. Purchase insurance to cover the residual risk.
C. Implement operational safeguards.
D. Find another business line willing to accept the residual risk.

Answer: B

Q1295
Which of the following BEST represents a defense in depth concept?

A. Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion
prevention system (NIPS), Port security on core switches
B. Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker,
Laptop locks, hard disk drive (HDD) encryption
C. Endpoint security management, network intrusion detection system (NIDS), Network Access Control
(NAC), Privileged Access Management (PAM), security information and event management (SIEM)
D. Web application firewall (WAF), Gateway network device tuning, Database firewall, Next- Generation
Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning

Answer: C

Q1296
Which of the following statements BEST distinguishes a stateful packet inspection firewall from a
stateless packet filter firewall?

A. The SPI inspects the flags on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
packets.
B. The SPI inspects the traffic in the context of a session.
C. The SPI is capable of dropping packets based on a pre-defined rule set.
D. The SPI inspects traffic on a packet-by-packet basis.

Answer: B

Q1297
A client server infrastructure that provides user-to-server authentication describes which one of the
following?

A. Secure Sockets Layer (SSL)
B. Kerberos
C. X.509
D. User-based authorization

Answer: B

Q1298
An organization has developed a way for customers to share information from their wearable devices with
each other. Unfortunately, the users were not informed as to what information collected would be shared.
What technical controls should be put in place to remedy the privacy issue while still trying to accomplish
the organization's business goals?

A. Default the user to not share any information.
B. Inform the user of the sharing feature changes after implemented.
C. Share only what the organization decides is best.
D. Stop sharing data with the other users.

Answer: D

Q1299
In which process MUST security be considered during the acquisition of new software?

A. Contract negotiation
B. Request for proposal (RFP)
C. Implementation
D. Vendor selection

Answer: B

Q1300
An organization contracts with a consultant to perform a System Organization Control (SOC) 2 audit on
their internal security controls. An auditor documents a finding related to an Application Programming
Interface (API) performing an action that is not aligned with the scope or objective of the system. Which
trust service principle would be MOST applicable in this situation?

A. Processing Integrity
B. Availability
C. Confidentiality
D. Security

Answer: B

Q1301
A company needs to provide shared access of sensitive data on a cloud storage to external business
partners. Which of the following identity models is the BEST to blind identity providers (IdP) and relying
parties (RP) so that subscriber lists of other parties are not disclosed?

A. Federation authorities
B. Proxied federation
C. Static registration
D. Dynamic registration

Answer: D

Q1302
Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is
used to distribute keys, but cannot be used to encrypt or decrypt messages?

A. Diffie-Hellman
B. Digital Signature Algorithm (DSA)
C. Rivest-Shamir-Adleman (RSA)
D. Kerberos

Answer: C

Q1303
Which Wide Area Network (WAN) technology requires the first router in the path to determine the
full path the packet will travel, removing the need for other routers in the path to make independent
determinations?

A. Multiprotocol Label Switching (MPLS)
B. Synchronous Optical Networking (SONET)
C. Session Initiation Protocol (SIP)
D. Fiber Channel Over Ethernet (FCoE)

Answer: A

Q1304
An organization recently suffered from a web-application attack that resulted in stolen user session cookie
information. The attacker was able to obtain the information when a user's browser executed a script
upon visiting a compromised website. What type of attack MOST likely occurred?

A. Cross-Site Scripting (XSS)
B. Extensible Markup Language (XML) external entities
C. SQL injection (SQLI)
D. Cross-Site Request Forgery (CSRF)

Answer: A

Q1305
An organization recently upgraded to a Voice over Internet Protocol (VoIP) phone system. Management is
concerned with unauthorized phone usage. A security consultant is responsible for putting together a plan
to secure these phones. Administrators have assigned unique personal identification number codes for
each person in the organization. What is the BEST solution?

A. Use phone locking software to enforce usage and PIN policies.
B. Inform the user to change the PIN regularly. Implement call detail records (CDR) reports to track
usage.
C. Have the administrator enforce a policy to change the PIN regularly. Implement call detail records
(CDR) reports to track usage.
D. Have the administrator change the PIN regularly. Implement call detail records (CDR) reports to track
usage.

Answer: C

Q1306
Which of the following regulations dictates how data breaches are handled?

A. Sarbanes-Oxley (SOX)
B. National Institute of Standards and Technology (NIST)
C. Payment Card Industry Data Security Standard (PCI-DSS)
D. General Data Protection Regulation (GDPR)

Answer: D

Q1307
Which of the following is fundamentally required to address potential security issues when initiating
software development?

A. Implement ongoing security audits in all environments.
B. Ensure isolation of development from production.
C. Add information security objectives into development.
D. Conduct independent source code review.

Answer: C

Q1308
Which of the following is the BEST method a security practitioner can use to ensure that systems and
sub-systems gracefully handle invalid input?

A. Unit testing
B. Integration testing
C. Negative testing
D. Acceptance testing

Answer: B

Q1309
An information security administrator wishes to block peer-to-peer (P2P) traffic over Hypertext Transfer
Protocol (HTTP) tunnels. Which of the following layers of the Open Systems Interconnection (OSI) model
requires inspection?

A. Presentation
B. Transport
C. Session
D. Application

Answer: A

Q1310
An organization has requested storage area network (SAN) disks for a new project. What Redundant
Array of Independent Disks (RAID) level provides the BEST redundancy and fault tolerance?

A. RAID level 1
B. RAID level 3
C. RAID level 4
D. RAID level 5

Answer: D

Q1311
An organization has implemented a password complexity and an account lockout policy enforcing five
incorrect login tries within ten minutes. Network users have reported significantly increased account
lockouts. Which of the following security principles is this company affecting?

A. Availability
B. Integrity
C. Confidentiality
D. Authentication

Answer: A

Q1312
In the last 15 years a company has experienced three electrical failures. The cost associated with each
failure is listed below.
Which of the following would be a reasonable annual loss expectation?

A. 140,000
B. 3,500
C. 350,000
D. 14,000

Answer: B

Q1313
Which of the following addresses requirements of security assessments during software acquisition?

A. Software configuration management (SCM)
B. Data loss prevention (DLP) policy
C. Continuous monitoring
D. Software assurance policy

Answer: A

Q1314
Which of the following BEST obtains an objective audit of security controls?

A. The security audit is measured against a known standard.
B. The security audit is performed by a certified internal auditor.
C. The security audit is performed by an independent third-party.
D. The security audit produces reporting metrics for senior leadership.

Answer: A

Q1315
Which of the following is established to collect information readily available in part
through implemented security controls?

A. Security Assessment Report (SAR)
B. Organizational risk tolerance
C. Information Security Continuous Monitoring (ISCM)
D. Risk assessment report

Answer: D

Q1316
In order to provide dual assurance in a digital signature system, the design MUST include which of
the following?

A. The public key must be unique for the signed document.
B. The signature process must generate adequate authentication credentials.
C. The hash of the signed document must be present.
D. The encrypted private key must be provided in the signing certificate.

Answer: B

Q1317
Which of the following attacks, if successful, could give an intruder complete control of a software- defined
networking (SDN) architecture?

A. Sniffing the traffic of a compromised host inside the network
B. Sending control messages to open a flow that does not pass a firewall from a compromised host within
the network
C. A brute force password attack on the Secure Shell (SSH) port of the controller
D. Remote Authentication Dial-In User Service (RADIUS) token replay attack

Answer: B

Q1318
What type of investigation applies when malicious behavior is suspected between two organizations?

A. Regulatory
B. Criminal
C. Civil
D. Operational

Answer: A

Q1319
The Chief Information Security Officer (CISO) of a small organization is making a case for building a
security operations center (SOC). While debating between an in-house, fully outsourced, or a hybrid
capability, which of the following would be the MAIN consideration, regardless of the model?

A. Skill set and training
B. Headcount and capacity
C. Tools and technologies
D. Scope and service catalog

Answer: C

Q1320
What are the three key benefits that application developers should derive from the northbound application
programming interface (API) of software defined networking (SDN)?

A. Familiar syntax, abstraction of network topology, and definition of network protocols
B. Network syntax, abstraction of network flow, and abstraction of network protocols
C. Network syntax, abstraction of network commands, and abstraction of network protocols
D. Familiar syntax, abstraction of network topology, and abstraction of network protocols

Answer: C

Q1321
What security principle addresses the issue of "Security by Obscurity"?

A. Open design
B. Segregation of duties (SoD)
C. Role Based Access Control (RBAC)
D. Least privilege

Answer: D

Q1322
In Federated Identity Management (FIM), which of the following represents the concept of federation?

A. Collection of information logically grouped into a single entity
B. Collection, maintenance, and deactivation of user objects and attributes in one or more systems,
directories or applications
C. Collection of information for common identities in a system
D. Collection of domains that have established trust among themselves

Answer: D

Q1323
A software engineer uses automated tools to review application code and search for application flaws,
back doors, or other malicious code. Which of the following is the FIRST Software Development Life
Cycle (SDLC) phase where this takes place?

A. Design
B. Test
C. Development
D. Deployment

Answer: C

Q1324
Which of the following vulnerability assessment activities BEST exemplifies the Examine method of
assessment?

A. Ensuring that system audit logs capture all relevant data fields required by the security controls baseline
B. Performing Port Scans of selected network hosts to enumerate active services
C. Asking the Information System Security Officer (ISSO) to describe the organization's patch management processes
D. Logging into a web server using the default administrator account and a default password

Answer: D

Q1325
Which of the following is the MOST appropriate control for asset data labeling procedures?

A. Logging data media to provide a physical inventory control
B. Reviewing audit trails of logging records
C. Categorizing the types of media being used
D. Reviewing off-site storage access controls

Answer: C

Q1326
What BEST describes the confidentiality, integrity, availability triad?

A. A tool used to assist in understanding how to protect the organization's data
B. The three-step approach to determine the risk level of an organization
C. The implementation of security systems to protect the organization's data
D. A vulnerability assessment to see how well the organization's data is protected

Answer: C

Q1327
When developing an external facing web-based system, which of the following would be the MAIN focus
of the security assessment prior to implementation and production?

A. Assessing the Uniform Resource Locator (URL)
B. Ensuring Secure Sockets Layer (SSL) certificates are signed by a certificate authority
C. Ensuring that input validation is enforced
D. Ensuring Secure Sockets Layer (SSL) certificates are internally signed

Answer: B

Q1328
What type of risk is related to the sequences of value-adding and managerial activities undertaken in an
organization?

A. Demand risk
B. Process risk
C. Control risk
D. Supply risk

Answer: B

Q1329
In an environment where there is not full administrative control over all network connected endpoints,
such as a university where non-corporate devices are used, what is the BEST way to restrict access to
the network?

A. Use switch port security to limit devices connected to a particular switch port.
B. Use of virtual local area networks (VLAN) to segregate users.
C. Use a client-based Network Access Control (NAC) solution.
D. Use a clientless Network Access Control (NAC) solution

Answer: A

Q1330
Which of the following threats would be MOST likely mitigated by monitoring assets containing open
source libraries for vulnerabilities?

A. Distributed denial-of-service (DDoS) attack
B. Zero-day attack
C. Phishing attempt
D. Advanced persistent threat (APT) attempt

Answer: A

Q1331
Which of the following is the BEST way to determine the success of a patch management process?

A. Analysis and impact assessment
B. Auditing and assessment
C. Configuration management (CM)
D. Change management

Answer: A

Q1332
A company needs to provide employee access to travel services, which are hosted by a third-party
service provider. Employee experience is important, and when users are already authenticated, access to
the travel portal is seamless. Which of the following methods is used to share information and grant user
access to the travel portal?

A. Security Assertion Markup Language (SAML) access
B. Single sign-on (SSO) access
C. Open Authorization (OAuth) access
D. Federated access

Answer: D

Q1333
Why is data classification control important to an organization?

A. To ensure its integrity, confidentiality and availability
B. To enable data discovery
C. To control data retention in alignment with organizational policies and regulation
D. To ensure security controls align with organizational risk appetite

Answer: A

Q1334
Which of the following is the strongest physical access control?

A. Biometrics and badge reader
B. Biometrics, a password, and personal identification number (PIN)
C. Individual password for each user
D. Biometrics, a password, and badge reader

Answer: D

Q1335
While dealing with the consequences of a security incident, which of the following security controls are
MOST appropriate?

A. Detective and recovery controls
B. Corrective and recovery controls
C. Preventative and corrective controls
D. Recovery and proactive controls

Answer: C

Q1336
A Chief Information Security Officer (CISO) of a firm which decided to migrate to cloud has been tasked
with ensuring an optimal level of security. Which of the following would be the FIRST consideration?

A. Define the cloud migration roadmap and set out which applications and data repositories should be moved into the cloud.
B. Ensure that the contract between the cloud vendor and the firm clearly defines responsibilities for operating security controls.
C. Analyze the firm's applications and data repositories to determine the relevant control requirements.
D. Request a security risk assessment of the cloud vendor be completed by an independent third-party.

Answer: A

Q1337
Which technique helps system designers consider potential security concerns of their systems and
applications?

A. Penetration testing
B. Threat modeling
C. Manual inspections and reviews
D. Source code review

Answer: B

Q1338
What is the MOST important goal of conducting security assessments?

A. To prepare the organization for an external audit, particularly by a regulatory entity
B. To discover unmitigated security vulnerabilities, and propose paths for mitigating them
C. To align the security program with organizational risk appetite
D. To demonstrate proper function of security controls and processes to senior management

Answer: B

Q1339
A hospital's building controls system monitors and operates the environmental equipment to maintain a
safe and comfortable environment. Which of the following could be used to minimize the risk of utility
supply interruption?

A. Digital devices that can turn equipment off and continuously cycle rapidly in order to increase supplies and conceal activity on the hospital network
B. Standardized building controls system software with high connectivity to hospital networks
C. Lock out maintenance personnel from the building controls system access that can impact critical utility supplies
D. Digital protection and control devices capable of minimizing the adverse impact to critical utility

Answer: D

Q1340
To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the
MOST effective control?

A. Fencing around the facility with closed-circuit television (CCTV) cameras at all entry points
B. Ground sensors installed and reporting to a security event management (SEM) system
C. Steel casing around the facility ingress points
D. Regular sweeps of the perimeter, including manual inspection of the cable ingress points

Answer: D

Q1341
What is the BEST method to use for assessing the security impact of acquired software?

A. Common vulnerability review
B. Software security compliance validation
C. Threat modeling
D. Vendor assessment

Answer: B

Q1342
Which of the following is the MOST effective way to ensure the endpoint devices used by remote users
are compliant with an organization's approved policies before being allowed on the network?

A. Group Policy Object (GPO)
B. Network Access Control (NAC)
C. Mobile Device Management (MDM)
D. Privileged Access Management (PAM)

Answer: B

Q1343
Which of the following factors should be considered characteristics of Attribute Based Access Control
(ABAC) in terms of the attributes used?

A. Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
B. Discretionary Access Control (DAC) and Access Control List (ACL)
C. Role Based Access Control (RBAC) and Mandatory Access Control (MAC)
D. Role Based Access Control (RBAC) and Access Control List (ACL)

Answer: D

Q1344
A security architect is developing an information system for a client. One of the requirements is to deliver
a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option
used to prevent buffer overflow attacks?

A. Process isolation
B. Address Space Layout Randomization (ASLR)
C. Processor states
D. Access control mechanisms

Answer: B

Q1345
A security engineer is assigned to work with the patch and vulnerability management group. The
deployment of a new patch has been approved and needs to be applied. The research is complete, and
the security engineer has provided recommendations. Where should the patch be applied FIRST?

A. Server environment
B. Desktop environment
C. Lower environment
D. Production environment

Answer: C

Q1346
When telephones in a city are connected by a single exchange, the caller can only connect with the
switchboard operator. The operator then manually connects the call.
This is an example of which type of network topology?

A. Star
B. Tree
C. Point-to-Point Protocol (PPP)
D. Bus

Answer: A

Q1347
Which of the following departments initiates the request, approval, and provisioning business process?

A. Operations
B. Human resources (HR)
C. Information technology (IT)
D. Security

Answer: A

Q1348
Which of the following should be done at a disaster site before any item is removed, repaired, or
replaced?

A. Take photos of the damage
B. Notify all of the Board of Directors
C. Communicate with the press following the communications plan
D. Dispatch personnel to the disaster recovery (DR) site

Answer: A

Q1349
Which organizational department is ultimately responsible for information governance related to e-mail
and other e-records?

A. Audit
B. Compliance
C. Legal
D. Security

Answer: C

Q1350
What is the FIRST step in risk management?

A. Establish the expectations of stakeholder involvement.
B. Identify the factors that have potential to impact business.
C. Establish the scope and actions required.
D. Identify existing controls in the environment.

Answer: C

Q1351
Which element of software supply chain management has the GREATEST security risk to organizations?

A. New software development skills are hard to acquire.
B. Unsupported libraries are often used.
C. Applications with multiple contributors are difficult to evaluate.
D. Vulnerabilities are difficult to detect.

Answer: B

Q1352
A colleague who recently left the organization asked a security professional for a copy of the
organization's confidential incident management policy. Which of the following is the BEST response to
this request?

A. Email the policy to the colleague as they were already part of the organization and familiar with it.
B. Do not acknowledge receiving the request from the former colleague and ignore them.
C. Access the policy on a company-issued device and let the former colleague view the screen.
D. Submit the request using company official channels to ensure the policy is okay to distribute.

Answer: B

Q1353
Within a large organization, what business unit is BEST positioned to initiate provisioning and
deprovisioning of user accounts?

A. Training department
B. Internal audit
C. Human resources
D. Information technology (IT)

Answer: C

Q1354
An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being
awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity
standard?

A. It should be expressed as general requirements.
B. It should be expressed in legal terminology.
C. It should be expressed in business terminology.
D. It should be expressed as technical requirements.

Answer: D

Q1355
Which of the following is the MOST effective strategy to prevent an attacker from disabling a network?

A. Test business continuity and disaster recovery (DR) plans.
B. Design networks with the ability to adapt, reconfigure, and fail over.
C. Implement network segmentation to achieve robustness.
D. Follow security guidelines to prevent unauthorized network access.

Answer: D

Q1356
Which of the following features is MOST effective in mitigating against theft of data on a corporate mobile
device which has been stolen?

A. Mobile Device Management (MDM) with device wipe
B. Whole device encryption with key escrow
C. Virtual private network (VPN) with traffic encryption
D. Mobile device tracking with geolocation

Answer: A

Q1357
An organization is implementing data encryption using symmetric ciphers and the Chief Information
Officer (CIO) is concerned about the risk of using one key to protect all sensitive data. The security
practitioner has been tasked with recommending a solution to address the CIO's concerns. Which of
the following is the BEST approach to achieving the objective by encrypting all sensitive data?

A. Use a Secure Hash Algorithm 256 (SHA-256).
B. Use a hierarchy of encryption keys.
C. Use Hash Message Authentication Code (HMAC) keys.
D. Use Rivest-Shamir-Adleman (RSA) keys.

Answer: D

Q1358
International bodies established a regulatory scheme that defines how weapons are exchanged between
the signatories. It also addresses cyber weapons, including malicious software, Command and Control
(C2) software, and internet surveillance software. This is a description of which of the following?

A. General Data Protection Regulation (GDPR)
B. Palermo convention
C. Wassenaar arrangement
D. International Traffic in Arms Regulations (ITAR)

Answer: C

Q1359
In software development, developers should use which type of queries to prevent a Structured Query
Language (SQL) injection?

A. Parameterised
B. Dynamic
C. Static
D. Controlled

Answer: A

Q1360
Which of the following BEST describes when an organization should conduct a black box security audit
on a new software product?

A. When the organization wishes to check for non-functional compliance
B. When the organization wants to enumerate known security vulnerabilities across their infrastructure
C. When the organization has experienced a security incident
D. When the organization is confident the final source code is complete

Answer: B

Q1361
The Chief Information Officer (CIO) has decided that as part of business modernization efforts the
organization will move towards a cloud architecture. All business-critical data will be migrated to either
internal or external cloud services within the next two years. The CIO has a PRIMARY obligation to work
with personnel in which role in order to ensure proper protection of data during and after the cloud migration?

A. Information owner
B. General Counsel
C. Chief Information Security Officer (CISO)
D. Chief Security Officer (CSO)

Answer: A

Q1362
When reviewing vendor certifications for handling and processing of company data, which of the following
is the BEST Service Organization Controls (SOC) certification for the vendor to possess?

A. SOC 1 Type 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3

Answer: C

Q1363
Which of the following is a covert channel type?

A. Storage
B. Pipe
C. Memory
D. Monitoring

Answer: A

Q1364
Which change management role is responsible for the overall success of the project and supporting the
change throughout the organization?

A. Change driver
B. Change implementer
C. Program sponsor
D. Project manager

Answer: D

Q1365
Which of the following is a unique feature of attribute-based access control (ABAC)?

A. A user is granted access to a system based on group affinity.
B. A user is granted access to a system with biometric authentication.
C. A user is granted access to a system at a particular time of day.
D. A user is granted access to a system based on username and password.

Answer: C

Q1366
When auditing the Software Development Life Cycle (SDLC) which of the following is one of the high-level audit phases?

A. Requirements
B. Risk assessment
C. Due diligence
D. Planning

Answer: B

Q1367
Which of the following BEST describes the purpose of Border Gateway Protocol (BGP)?

A. Maintain a list of network paths between internet routers.
B. Provide Routing Information Protocol (RIP) version 2 advertisements to neighboring layer 3 devices.
C. Provide firewall services to cloud-enabled applications.
D. Maintain a list of efficient network paths between autonomous systems.

Answer: B

Q1368
Which of the following is the PRIMARY purpose of installing a mantrap within a facility?

A. Control traffic
B. Prevent rapid movement
C. Prevent piggybacking
D. Control air flow

Answer: C

Q1369
A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution
by deploying the application with which of the following controls in ?

A. Whitelisting application
B. Network segmentation
C. Hardened configuration
D. Blacklisting application

Answer: A

Q1370
Which of the following would an information security professional use to recognize changes to content,
particularly unauthorized changes?

A. File Integrity Checker
B. Security information and event management (SIEM) system
C. Audit Logs
D. Intrusion detection system (IDS)

Answer: A

Q1371
An organization with divisions in the United States (US) and the United Kingdom (UK) processes data
comprised of personal information belonging to subjects living in the European Union (EU) and in the US.
Which data MUST be handled according to the privacy protections of General Data Protection Regulation
(GDPR)?

A. Only the EU citizens' data
B. Only the EU residents' data
C. Only the UK citizens' data
D. Only data processed in the UK

Answer: A

Q1372
Which of the following has the responsibility of information technology (IT) governance?

A. Chief Information Officer (CIO)
B. Senior IT Management
C. Board of Directors
D. Chief Information Security Officer (CISO)

Answer: A

Q1373
Dumpster diving is a technique used in which stage of penetration testing methodology?

A. Attack
B. Discovery
C. Reporting
D. Planning

Answer: B

Q1374
What is the MOST common cause of Remote Desktop Protocol (RDP) compromise?

A. Port scan
B. Brute force attack
C. Remote exploit
D. Social engineering

Answer: B

Q1375
An organization is looking to include mobile devices in its asset management system for better tracking.
In which system tier of the reference architecture would mobile devices be tracked?

A. 0
B. 1
C. 2
D. 3

Answer: A

Q1376
Which is MOST important when negotiating an Internet service provider (ISP) service-level agreement
(SLA) by an organization that solely provides Voice over Internet Protocol (VoIP) services?

A. Mean time to repair (MTTR)
B. Quality of Service (QoS) between applications
C. Availability of network services
D. Financial penalties in case of disruption

Answer: B

Q1377
A company developed a web application which is sold as a Software as a Service (SaaS) solution to the
customer. The application is hosted by a web server running on a specific operating system (OS) on a
virtual machine (VM). During the transition phase of the service, it is determined that the support team will
need access to the application logs. Which of the following privileges would be the MOST suitable?

A. Administrative privileges on the OS
B. Administrative privileges on the web server
C. Administrative privileges on the hypervisor
D. Administrative privileges on the application folders

Answer: D

Q1378
A systems engineer is designing a wide area network (WAN) environment for a new organization. The
WAN will connect sites holding information at various levels of sensitivity, from publicly available to highly
confidential. The organization requires a high degree of interconnectedness to support existing business
processes. What is the BEST design approach to securing this environment?

A. Place firewalls around critical devices, isolating them from the rest of the environment.
B. Layer multiple detective and preventative technologies at the environment perimeter.
C. Use reverse proxies to create a secondary "shadow" environment for critical systems.
D. Align risk across all interconnected elements to ensure critical threats are detected and handled.

Answer: B

Q1379
Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with
human vulnerability?

A. Disaster
B. Catastrophe
C. Crisis
D. Accident

Answer: B

Q1380
Which of the following goals represents a modern shift in risk management according to National Institute
of Standards and Technology (NIST)?

A. Focus on operating environments that are changing, evolving, and full of emerging threats.
B. Secure information technology (IT) systems that store, process, or transmit organizational information.
C. Enable management to make well-informed risk-based decisions justifying security expenditure.
D. Provide an improved mission accomplishment approach.

Answer: C

Q1381
A web developer is completing a new web application security checklist before releasing the application to
production. The task of disabling unnecessary services is on the checklist. Which web
application threat is being mitigated by this action?

A. Security misconfiguration
B. Sensitive data exposure
C. Broken access control
D. Session hijacking

Answer: B

Q1382
Which of the following is a limitation of the Bell-LaPadula model?

A. Segregation of duties (SoD) is difficult to implement as the "no read-up" rule limits the ability of an object to access information with a higher classification.
B. Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement.
C. It contains no provision or policy for changing data access control and works well only with access systems that are static in nature.
D. It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure.

Answer: A

Q1383
Which of the following is the BEST option to reduce the network attack surface of a system?

A. Ensuring that there are no group accounts on the system
B. Removing unnecessary system user accounts
C. Disabling unnecessary ports and services
D. Uninstalling default software on the system

Answer: C

Q1384
Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record
generation?

A. Lower costs throughout the System Development Life Cycle (SDLC)
B. Facilitate a root cause analysis (RCA)
C. Enable generation of corrective action reports
D. Avoid lengthy audit reports

Answer: B

Q1385
A financial organization that works according to agile principles has developed a new application for their
external customer base to request a line of credit. A security analyst has been asked to assess the
security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst
should assess?

A. The software has the correct functionality.
B. The software has been code reviewed.
C. The software had been branded according to corporate standards.
D. The software has been signed off for release by the product owner.

Answer: A

Q1386
When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP)
network, which of the following authentication types is the MOST secure?

A. EAP-Transport Layer Security (TLS)
B. EAP-Flexible Authentication via Secure Tunneling
C. EAP-Tunneled Transport Layer Security (TLS)
D. EAP-Protected Extensible Authentication Protocol (PEAP)

Answer: C

Q1387
An organization would like to ensure that all new users have a predefined departmental access template
applied upon creation. The organization would also like additional access for users to be granted on a
per-project basis. What type of user access administration is BEST suited to meet the organization's
needs?

A. Hybrid
B. Federated
C. Decentralized
D. Centralized

Answer: A

Q1388
A firm within the defense industry has been directed to comply with contractual requirements for
encryption of a government client's Controlled Unclassified Information (CUI). What encryption strategy
represents how to protect data at rest in the MOST efficient and cost-effective manner?

A. Perform physical separation of program information and encrypt only information deemed critical by the defense client
B. Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer
C. Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems
D. Implement data at rest encryption across the entire storage area network (SAN)

Answer: C

Q1389
A software developer installs a game on their organization-provided smartphone. Upon installing the
game, the software developer is prompted to allow the game access to call logs, Short Message Service
(SMS) messaging, and Global Positioning System (GPS) location data. What has the game MOST likely introduced to the smartphone?

A. Alerting
B. Vulnerability
C. Geo-fencing
D. Monitoring

Answer: B

Q1390
A developer is creating an application that requires secure logging of all user activity. What is the BEST
permission the developer should assign to the log file to ensure requirements are met?

A. Read
B. Execute
C. Write
D. Append

Answer: C

Q1391
What industry-recognized document could be used as a baseline reference that is related to data security
and business operations for conducting a security assessment?

A. Service Organization Control (SOC) 1 Type 2
B. Service Organization Control (SOC) 2 Type 1
C. Service Organization Control (SOC) 1 Type 1
D. Service Organization Control (SOC) 2 Type 2

Answer: D

Q1392
A scan report returned multiple vulnerabilities affecting several production servers that are mission critical.
Attempts to apply the patches in the development environment have caused the servers to crash. What is
the BEST course of action?

A. Upgrade the software affected by the vulnerability.
B. Inform management of possible risks.
C. Mitigate the risks with compensating controls.
D. Remove the affected software from the servers.

Answer: C

Q1393
Which of the following would be the BEST guideline to follow when attempting to avoid the exposure of
sensitive data?

A. Store sensitive data only when necessary.
B. Educate end-users on methods of attacks on sensitive data.
C. Establish report parameters for sensitive data.
D. Monitor mail servers for sensitive data being exfiltrated.

Answer: A

Q1394
Which application type is considered high risk and provides a common way for malware and viruses to
enter a network?

A. Instant messaging or chat applications
B. E-mail applications
C. Peer-to-Peer (P2P) file sharing applications
D. End-to-end applications

Answer: A

Q1395
In a disaster recovery (DR) test, which of the following would be a trait of crisis management?

A. Wide focus
B. Strategic
C. Anticipate
D. Process

Answer: D

Q1396
The existence of physical barriers, card and personal identification number (PIN) access systems,
cameras, alarms, and security guards BEST describes which security approach?

A. Security information and event management (SIEM)
B. Security perimeter
C. Defense-in-depth
D. Access control

Answer: B

Q1397
A software architect has been asked to build a platform to distribute music to thousands of users on a
global scale. The architect has been reading about content delivery networks (CDN). Which of the
following is a principal task to undertake?

A. Establish a service-oriented architecture (SOA).
B. Establish a media caching methodology.
C. Establish relationships with hundreds of Internet service providers (ISP).
D. Establish a low-latency wide area network (WAN).

Answer: B

Q1398
Which of the following BEST describes centralized identity management?

A. Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.
B. Service providers agree to integrate identity system recognition across organizational boundaries.
C. Service providers identify an entity by behavior analysis versus an identification factor.
D. Service providers perform as both the credential and identity provider (IdP).

Answer: B

Q1399
A database server for a financial application is scheduled for production deployment. Which of the
following controls will BEST prevent tampering?

A. Service accounts removal
B. Data validation
C. Logging and monitoring
D. Data sanitization

Answer: B

Q1400
What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?

A. Configuration management (CM)
B. Information Rights Management (IRM)
C. Policy creation
D. Data classification

Answer: D

Q1401
What is the benefit of an operating system (OS) feature that is designed to prevent an application from
executing code from a non-executable memory region?

A. Identifies which security patches still need to be installed on the system
B. Stops memory resident viruses from propagating their payload
C. Reduces the risk of polymorphic viruses from encrypting their payload
D. Helps prevent certain exploits that store code in buffers

Answer: C

Q1402
What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline
JavaScript and the execution of eval()-type functions?

A. Strict-Transport-Security
B. X-XSS-Protection
C. X-Frame-Options
D. Content-Security-Policy

Answer: D

Q1403
Which section of the assessment report addresses separate vulnerabilities, weaknesses, and gaps?

A. Key findings section
B. Executive summary with full details
C. Risk review section
D. Findings definition section

Answer: A

Q1404
In a quarterly system access review, an active privileged account was discovered that did not exist in the
prior review on the production system. The account was created one hour after the previous access
review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access
reviews?

A. Increase logging levels.
B. Implement bi-annual reviews.
C. Create policies for system access.
D. Implement and review risk-based alerts.

Answer: D

Q1405
When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery?

A. The RPO is the maximum amount of time for which loss of data is acceptable.
B. The RPO is the minimum amount of data that needs to be recovered.
C. The RPO is a goal to recover a targeted percentage of data lost.
D. The RPO is the amount of time it takes to recover an acceptable percentage of data lost.

Answer: B

Q1406
The security operations center (SOC) has received credible intelligence that a threat actor is planning to
attack with multiple variants of a destructive virus. After obtaining a sample set of this virus' variants and
reverse engineering them to understand how they work, a commonality was found. All variants are coded
to write to a specific memory location. It is determined this virus is of no threat to the organization
because they had the foresight to enable what feature on all endpoints?

A. Process isolation
B. Trusted Platform Module (TPM)
C. Address Space Layout Randomization (ASLR)
D. Virtualization

Answer: C

Q1407
An information technology (IT) employee who travels frequently to various ies remotely to an organization'
to troubleshoot p Which of the following solutions BEST serves as a secure control mechanism to meet
the organization's requirements?

A. Update the firewall rules to include the static Internet Protocol (IP) addresses of the locations where
the employee connects from.
B. Install a third-party screen sharing solution that provides remote connection from a public website.
C. Implement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network
(VPN) using the DDNS record.
D. Install a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA)
access.

Answer: D

Q1408
What is the term used to define where data is geographically stored in the cloud?

A. Data warehouse
B. Data privacy rights
C. Data subject rights
D. Data sovereignty

Answer: D

Q1409
Assuming an individual has taken all of the steps to keep their internet connection private, which of the
following is the BEST to browse the web privately?

A. Prevent information about browsing activities from being stored in the cloud.
B. Store browsing activities in the cloud.
C. Prevent information about browsing activities from being stored on the personal device.
D. Store information about browsing activities on the personal device.

Answer: A

Q1410
Which of the following types of firewall only examines the "handshaking" between packets before
forwarding traffic?

A. Proxy firewalls
B. Host-based firewalls
C. Circuit-level firewalls
D. Network Address Translation (NAT) firewalls

Answer: C

Q1411
The security team plans on using automated account reconciliation in the corporate user access review
process. Which of the following must be implemented for the BEST results with fewest errors when
running the audit?

A. Removal of service accounts from review
B. Segregation of Duties (SoD)
C. Clear provisioning policies
D. Frequent audits

Answer: C

Q1412
Which of the following is included in change management?

A. Business continuity testing
B. User Acceptance Testing (UAT) before implementation
C. Technical review by business owner
D. Cost-benefit analysis (CBA) after implementation

Answer: A

Q1413
Which of the following technologies can be used to monitor and dynamically respond to potential threats
on web applications?

A. Security Assertion Markup Language (SAML)
B. Web application vulnerability scanners
C. Runtime application self-protection (RASP)
D. Field-level tokenization

Answer: C

Q1414
Before allowing a web application into the production environment, the security practitioner performs
multiple types of tests to confirm that the web application performs as expected. To test the username
field, the security practitioner creates a test that enters more characters into the field than is allowed.
Which of the following BEST describes the type of test performed?

A. Misuse case testing
B. Penetration testing
C. Web session testing
D. Interface testing

Answer: A

Q1415
When developing an organization's information security budget, it is important that the

A. expected risk can be managed appropriately with the funds allocated.
B. requested funds are at an equal amount to the expected cost of breaches.
C. requested funds are part of a shared funding pool with other areas.
D. expected risk to the organization does not exceed the funds allocated.

Answer: A

Q1416
A digitally-signed e-mail was delivered over a wireless network protected with Wired Equivalent Privacy
(WEP) protocol. Which of the following principles is at risk?

A. Availability
B. Non-Repudiation
C. Confidentiality
D. Integrity

Answer: B

Q1417
When determining data and information asset handling, regardless of the specific toolset being used,
which of the following is one of the common components of big data?

A. Consolidated data collection
B. Distributed storage locations
C. Distributed data collection
D. Centralized processing location

Answer: C

Q1418
In a DevOps environment, which of the following actions is MOST necessary to have confidence in the
quality of the changes being made?

A. Prepare to take corrective actions quickly.
B. Receive approval from the change review board.
C. Review logs for any anomalies.
D. Automate functionality testing.

Answer: B

Q1419
Which of the following is TRUE for an organization that is using a third-party federated identity service?

A. The organization enforces the rules to other organization's user provisioning
B. The organization establishes a trust relationship with the other organizations
C. The organization defines internal standard for overall user identification
D. The organization specifies alone how to authenticate other organization's users

Answer: C

Q1420
Computer forensics requires which of the following MAIN steps?

A. Announce the incident to responsible sections, analyze the data, assimilate the data for correlation
B. Take action to contain the damage, announce the incident to responsible sections, analyze the data
C. Acquire the data without altering, authenticate the recovered data, analyze the data
D. Access the data before destruction, assimilate the data for correlation, take action to contain the
damage

Answer: B

Q1421
Which of the following is the MAIN benefit of off-site storage?

A. Cost effectiveness
B. Backup simplicity
C. Fast recovery
D. Data availability

Answer: A

Q1422
Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?

A. Cutover
B. Walkthrough
C. Tabletop
D. Parallel

Answer: C

Q1423
If an employee transfers from one role to another, which of the following actions should this trigger within
the identity and access management (IAM) lifecycle?

A. New account creation
B. User access review and adjustment
C. Deprovisioning
D. System account access review and adjustment

Answer: B

Q1424
What is the PRIMARY objective of business continuity planning?

A. Establishing a cost estimate for business continuity recovery operations
B. Restoring computer systems to normal operations as soon as possible
C. Strengthening the perceived importance of business continuity planning among senior management
D. Ensuring timely recovery of mission-critical business processes

Answer: B

Q1425
What Is a risk of using commercial off-the-shelf (COTS) products?

A. COTS products may not map directly to an organization's security requirements.
B. COTS products are typically more expensive than developing software in-house.
C. Cost to implement COTS products is difficult to predict.
D. Vendors are often hesitant to share their source code.

Answer: A

Q1426
Which of the following is the FIRST step an organization's security professional performs when defining a
cyber-security program based upon industry standards?

A. Map the organization's current security practices to industry standards and frameworks.
B. Define the organization's objectives regarding security and risk mitigation.
C. Select from a choice of security best practices.
D. Review the past security assessments.

Answer: A

Q1427
What are the PRIMARY responsibilities of security operations for handling and reporting violations and
incidents?

A. Monitoring and identifying system failures, documenting incidents for future analysis, and scheduling
patches for systems
B. Scheduling patches for systems, notifying the help desk, and alerting key personnel
C. Monitoring and identifying system failures, alerting key personnel, and containing events
D. Documenting incidents for future analysis, notifying end users, and containing events

Answer: D

Q1428
An internal audit for an organization recently identified malicious actions by a user account. Upon further
investigation, it was determined the offending user account was used by multiple people at multiple
locations simultaneously for various services and applications. What is the BEST method to prevent this
problem in the future?

A. Ensure the security information and event management (SIEM) is set to alert.
B. Inform users only one user should be using the account at a time.
C. Ensure each user has their own unique account.
D. Allow several users to share a generic account.

Answer: A

Q1429
Which of the following are all elements of a disaster recovery plan (DRP)?

A. Document the actual location of the DRP, developing an incident notification procedure, evaluating
costs of critical components
B. Document the actual location of the DRP, developing an incident notification procedure, establishing
recovery locations
C. Maintain proper documentation of all server logs, developing an incident notification procedure,
establishing recovery locations
D. Document the actual location of the DRP, recording minutes at all DRP planning sessions, establishing
recovery locations

Answer: C

Q1430
Which of the following BEST ensures the integrity of transactions to intended recipients?

A. Public key infrastructure (PKI)
B. Blockchain technology
C. Pre-shared key (PSK)
D. Web of trust

Answer: A

Q1431
A breach investigation ...... a website was exploited through an open sourced ..... What is the FIRST step in the
process that could have prevented this breach?

A. Application whitelisting
B. Web application firewall (WAF)
C. Vulnerability remediation
D. Software inventory

Answer: B

Q1432
Which of the following statements is TRUE about Secure Shell (SSH)?

A. SSH does not protect against man-in-the-middle (MITM) attacks.
B. SSH supports port forwarding, which can be used to protect less secured protocols.
C. SSH can be used with almost any application because it is concerned with maintaining a circuit.
D. SSH is easy to deploy because it requires a Web browser only.

Answer: B

Q1433
What type of database attack would allow a customer service employee to determine quarterly sales
results before they are publicly announced?

A. Polyinstantiation
B. Inference
C. Aggregation
D. Data mining

Answer: A

Q1434
Which of the following frameworks provides vulnerability metrics and characteristics to support the
National Vulnerability Database (NVD)?

A. Center for Internet Security (CIS)
B. Common Vulnerabilities and Exposures (CVE)
C. Open Web Application Security Project (OWASP)
D. Common Vulnerability Scoring System (CVSS)

Answer: D

Q1435
Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over
Internet Protocol (VoIP) attacks?

A. Use Media Gateway Control Protocol (MGCP)
B. Use Transport Layer Security (TLS) protocol
C. Use File Transfer Protocol (FTP)
D. Use Secure Shell (SSH) protocol

Answer: B

Q1436
Which of the following should be included in a good defense-in-depth strategy provided by object-
oriented programming for software deployment?

A. Polyinstantiation
B. Polymorphism
C. Encapsulation
D. Inheritance

Answer: A

Q1437
Which of the following documents specifies services from the client's viewpoint?

A. Service level report
B. Business impact analysis (BIA)
C. Service level agreement (SLA)
D. Service Level Requirement (SLR)

Answer: C

Q1438
An organization is planning to have an IT audit of its Software as a Service (SaaS) application to demonstrate to
external parties that the security controls around availability are designed. The audit report must also
cover a certain period of time to show the operational effectiveness of the controls. Which Service
Organization Control (SOC) report would BEST fit their needs?

A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2 Type 1
D. SOC 2 Type 2

Answer: D

Q1439
Which Open Systems Interconnection (OSI) layer(s) BEST corresponds to the network access layer in the
Transmission Control Protocol/Internet Protocol (TCP/IP) model?

A. Transport Layer
B. Data Link and Physical Layers
C. Application, Presentation, and Session Layers
D. Session and Network Layers

Answer: B

Q1440
An organization is considering partnering with a third-party supplier of cloud services. The organization
will only be providing the data and the third-party supplier will be providing the security controls. Which of
the following BEST describes this service offering?

A. Platform as a Service (PaaS)
B. Infrastructure as a Service (IaaS)
C. Software as a Service (SaaS)
D. Anything as a Service (XaaS)

Answer: D

Q1441
Which security audit standard provides the BEST way for an organization to understand a vendor's
Information Systems (IS) in relation to confidentiality, integrity, and availability?

A. Statement on Auditing Standards (SAS) 70
B. Service Organization Control (SOC) 2
C. Service Organization Control (SOC) 1
D. Statement on Standards for Attestation Engagements (SSAE) 18

Answer: B

Q1442
Which of the following is the MOST appropriate technique for destroying magnetic platter style hard disk
drives (HDD) containing data with a "HIGH" security categorization?

A. Drill through the device and platters.
B. Mechanically shred the entire HDD.
C. Remove the control electronics.
D. Process the HDD through a degaussing device.

Answer: D

Q1443
Employee training, risk management, and data handling procedures and policies could be characterized
as which type of security measure?

A. Non-essential
B. Management
C. Preventative
D. Administrative

Answer: D

Q1444
The Chief Information Security Officer (CISO) of an organization has requested that a Service
Organization Control (SOC) report be created to outline the security and availability of a particular system
over a 12-month period. Which type of SOC report should be utilized?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 2 Type 2
D. SOC 3 Type 1

Answer: C

Q1445
A security practitioner needs to implement a solution to verify endpoint security protections and
operating system (OS) versions. Which of the following is the BEST solution to implement?

A. An intrusion prevention system (IPS)
B. An intrusion prevention system (IPS)
C. Network Access Control (NAC)
D. A firewall

Answer: B

Q1446
A new employee formally reported suspicious behavior to the organization security team. The report
claims that someone not affiliated with the organization was inquiring about the member's work location,
length of employment, and building access controls. The employee's reporting is MOST likely the result of
which of the following?

A. Risk avoidance
B. Security engineering
C. Security awareness
D. Phishing

Answer: C

Q1447
The MAIN purpose of placing a tamper seal on a computer system's case is to:

A. raise security awareness.
B. detect efforts to open the case.
C. expedite physical auditing.
D. make it difficult to steal internal components.

Answer: A

Q1448
An organization is preparing to achieve General Data Protection Regulation (GDPR) compliance. The
Chief Information Security Officer (CISO) is reviewing data protection methods. Which of the following is
the BEST data protection method?

A. Encryption
B. Backups
C. Data obfuscation
D. Strong authentication

Answer: C

Q1449
Which of the following describes the order in which a digital forensic process is usually conducted?

A. Ascertain legal authority, agree upon examination strategy, conduct examination, and report results
B. Ascertain legal authority, conduct investigation, report results, and agree upon examination strategy
C. Agree upon examination strategy, ascertain legal authority, conduct examination, and report results
D. Agree upon examination strategy, ascertain legal authority, report results, and conduct examination

Answer: A

Q1450
Compared to a traditional network, which of the following is a security-related benefit that software-
defined networking (SDN) provides?

A. Centralized network provisioning
B. Centralized network administrator control
C. Reduced network latency when scaled
D. Reduced hardware footprint and cost

Answer: B

Q1451
Which of the following are mandatory canons for the (ISC)² Code of Ethics?

A. Develop comprehensive security strategies for the organization.
B. Perform is, honestly, fairly, responsibly, and lawfully for the organization.
C. Create secure data protection policies to principals.
D. Provide diligent and competent service to principals.

Answer: D

Q1452
Which of the following is the MOST significant key management problem due to the number of keys
created?

A. Keys are more difficult to provision and
B. Storage of the keys require increased security
C. Exponential growth when using asymmetric keys
D. Exponential growth when using symmetric keys

Answer: B

Q1453
When conducting a third-party risk assessment of a new supplier, which of the following reports should be
reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy
trust principles?

A. Service Organization Control (SOC) 1, Type 2
B. Service Organization Control (SOC) 2, Type 2
C. International Organization for Standardization (ISO) 27001
D. International Organization for Standardization (ISO) 27002

Answer: B

Q1454
Which of the following is the BEST method a security practitioner can use to ensure that systems and
sub-systems gracefully handle invalid input?

A. Negative testing
B. Integration testing
C. Unit testing
D. Acceptance testing

Answer: B

Q1455
Which of the following determines how traffic should flow based on the status of the infrastructure?

A. Application plane
B. Data plane
C. Control plane
D. Traffic plane

Answer: D

Q1456
Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems,
applications, and entrusted information while avoiding conflicts of interest?

A. Act honorably, honestly, justly, responsibly, and legally.
B. Protect society, the commonwealth, and the infrastructure.
C. Provide diligent and competent service to principals.
D. Advance and protect the profession.

Answer: B

Q1457
The security organization is looking for a solution that could help them determine with a strong level of
confidence that attackers have breached their network. Which solution is MOST effective at discovering a
successful network breach?

A. Installing an intrusion prevention system (IPS)
B. Deploying a honeypot
C. Installing an intrusion detection system (IDS)
D. Developing a sandbox

Answer: B

Q1458
Which of the following techniques evaluates the secure design principles of network or software
architectures?

A. Risk modeling
B. Threat modeling
C. Fuzzing
D. Waterfall method

Answer: B

Q1459
When designing a business continuity plan (BCP), what is the formula to determine the Maximum
Tolerable Downtime (MTD)?

A. Annual Loss Expectancy (ALE) + Work Recovery Time (WRT)
B. Business impact analysis (BIA) + Recovery Point Objective (RPO)
C. Recovery Time Objective (RTO) + Work Recovery Time (WRT)
D. Estimated Maximum Loss (EML) + Recovery Time Objective (RTO)

Answer: C

Q1460
A company wants to implement two-factor authentication (2FA) to protect their computers from
unauthorized users. Which solution provides the MOST secure means of authentication and meets the
criteria they have set?

A. Username and personal identification number (PIN)
B. Fingerprint and retinal scanners
C. Short Message Services (SMS) and smartphone authenticator
D. Hardware token and password

Answer: D

Q1461
Which of the following is the MOST important first step in preparing for a security audit?

A. Identify team members.
B. Define the scope.
C. Notify system administrators.
D. Collect evidence.

Answer: B

Q1462
An attacker is able to remain indefinitely logged into a exploiting to remain on the web service?

A. Alert management
B. Password management
C. Session management
D. Identity management (IM)

Answer: C

Q1463
Which of the following attack types can be used to compromise the integrity of data during transmission?

A. Keylogging
B. Packet sniffing
C. Synchronization flooding
D. Session hijacking

Answer: B

Q1464
A recent information security risk assessment identified weak system access controls on mobile devices
as a high risk. In order to address this risk and ensure only authorized staff access company information,
which of the following should the organization implement?

A. Intrusion prevention system (IPS)
B. Multi-factor authentication (MFA)
C. Data loss protection (DLP)
D. Data at rest encryption

Answer: B

Q1465
Which of the following addresses requirements of security assessment during software acquisition?

A. Software assurance policy
B. Continuous monitoring
C. Software configuration management (SCM)
D. Data loss prevention (DLP) policy

Answer: B

Q1466
Which of the following MUST the administrator of a security information and event management (SIEM)
system ensure?

A. All sources are reporting in the exact same Extensible Markup Language (XML) format.
B. Data sources do not contain information infringing upon privacy regulations.
C. All sources are synchronized with a common time reference.
D. Each source uses the same Internet Protocol (IP) address for reporting.

Answer: C

Q1467
Which of the following terms BEST describes a system which allows a user to log in and access multiple
related servers and applications?

A. Remote Desktop Protocol (RDP)
B. Federated identity management (FIM)
C. Single sign-on (SSO)
D. Multi-factor authentication (MFA)

Answer: B

Q1468
After the INITIAL input of a user identification (ID) and password, what is an authentication system that
prompts the user for a different response each time the user logs on?

A. Personal Identification Number (PIN)
B. Secondary password
C. Challenge response
D. Voice authentication

Answer: C

Q1469
What is the PRIMARY reason criminal law is difficult to enforce when dealing with cyber-crime?

A. Extradition treaties are rarely enforced.
B. Numerous language barriers exist.
C. Law enforcement agencies are understaffed.
D. Jurisdiction is hard to define.

Answer: D

Q1470
Which of the following are the BEST characteristics of security metrics?

A. They are generalized and provide a broad overview
B. They use acronyms and abbreviations to be concise
C. They use bar charts and Venn diagrams
D. They are consistently measured and quantitatively expressed

Answer: D

Q1471
At which phase of the software assurance life cycle should risks associated with software acquisition
strategies be identified?

A. Follow-on phase
B. Planning phase
C. Monitoring and acceptance phase
D. Contracting phase

Answer: C

Q1472
Which of the following would be considered an incident if reported by a security information and event
management (SIEM) system?

A. An administrator is logging in on a server through a virtual private network (VPN).
B. A log source has stopped sending data.
C. A web resource has reported a 404 error.
D. A firewall logs a connection between a client on the Internet and a web server using Transmission
Control Protocol (TCP) on port 80.

Answer: C

Q1473
A large organization uses biometrics to allow access to its facilities. It adjusts the biometric value for
incorrectly granting or denying access so that the two numbers are the same.
What is this value called?

A. False Rejection Rate (FRR)
B. Accuracy acceptance threshold
C. Equal error rate
D. False Acceptance Rate (FAR)

Answer: C

Q1474
Spyware is BEST described as

A. data mining for advertising.
B. a form of cyber-terrorism.
C. an information gathering technique.
D. a web-based attack.

Answer: B

Q1475
If traveling abroad and a customs official demands to examine a personal computer, which of the
following should be assumed?

A. The hard drive has been stolen.
B. The Internet Protocol (IP) address has been copied.
C. The hard drive has been copied.
D. The Media Access Control (MAC) address was stolen

Answer: C

Q1476
What are the first two components of logical access control?

A. Confidentiality and authentication
B. Authentication and identification
C. Identification and confidentiality
D. Authentication and availability

Answer: B

Q1477
What is the MAIN purpose of a security assessment plan?

A. Provide guidance on security requirements, to ensure the identified security risks are properly
addressed based on the recommendation
B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how
to conduct such assessments.
C. Provide technical information to executives to help them understand information security
postures and secure funding.
D. Provide education to employees on security and privacy, to ensure their awareness on policies and
procedures

Answer: B

Q1478
What is the MAIN purpose of conducting a business impact analysis (BIA)?

A. To determine the critical resources required to recover from an incident within a specified time period
B. To determine the effect of mission-critical information system failures on core business processes
C. To determine the cost for restoration of damaged information system
D. To determine the controls required to return to business critical operations

Answer: B

Q1479
Which of the following is the FIRST requirement a data owner should consider before implementing a
data retention policy?

A. Training
B. Legal
C. Business
D. Storage

Answer: B

Q1480
Information Security Continuous Monitoring (ISCM) is defined as maintaining ongoing awareness of
information security, vulnerabilities, and threats to support organizational risk management decisions.
Which of the following is the FIRST step in developing an ISCM strategy and implementing an ISCM
program?

A. Define a strategy based on risk tolerance that maintains clear visibility into assets, awareness of
vulnerabilities, up-to-date threat information, and mission/business impacts.
B. Conduct a vulnerability assessment to discover current threats against the environment and
incorporate them into the program.
C. Respond to findings with technical management, and operational mitigating activities or acceptance,
transference/sharing, or avoidance/rejection.
D. Analyze the data collected and report findings, determining the appropriate response. It may be
necessary to collect additional information to clarify or supplement existing monitoring data.

Answer: A

Q1481
When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner's
first consideration?

A. Resiliency of the system
B. Detection of sophisticated attackers
C. Risk assessment of the system
D. Topology of the network used for the system

Answer: A

Q1482
Which of the following BEST describes the use of network architecture in reducing corporate risks
associated with mobile devices?

A. Maintaining a "closed applications model" on all mobile devices depends on demilitarized zone (DMZ)
servers
B. Split tunneling enabled for mobile devices improves demilitarized zone (DMZ) security posture
C. Segmentation and demilitarized zone (DMZ) monitoring are implemented to secure a virtual private
network (VPN) access for mobile devices
D. Applications that manage mobile devices are located in an Internet demilitarized zone (DMZ)

Answer: C

Q1483
Which of the following is an important design feature for the outer door of a mantrap?

A. Allow it to be opened by an alarmed emergency button.
B. Do not allow anyone to enter it alone.
C. Do not allow it to be observed by closed-circuit television (CCTV) cameras.
D. Allow it to be opened when the inner door of the mantrap is also open.

Answer: D

Q1484
In setting expectations when reviewing the results of a security test, which of the following statements is
MOST important to convey to reviewers?

A. The target's security posture cannot be further compromised.
B. The results of the tests represent a point-in-time assessment of the target(s).
C. The accuracy of testing results can be greatly improved if the target(s) are properly hardened.
D. The deficiencies identified can be corrected immediately

Answer: C

Q1485
What is the overall goal of software security testing?

A. Identifying the key security features of the software
B. Ensuring all software functions perform as specified
C. Reducing vulnerabilities within a software system
D. Making software development more agile

Answer: B

Q1486
Which of the following statements is MOST accurate regarding information assets?

A. International Organization for Standardization (ISO) 27001 compliance specifies which information
assets must be included in asset inventory.
B. Information assets include any information that is valuable to the organization.
C. Building an information assets register is a resource-intensive job.
D. Information assets inventory is not required for risk assessment.

Answer: B

Q1487
An information security professional is reviewing user access controls on a customer-facing application.
The application must have multi-factor authentication (MFA) in place. The application currently requires a
username and password to login. Which of the following options would BEST implement MFA?

A. Geolocate the user and compare to previous logins
B. Require a pre-selected number as part of the login
C. Have the user answer a secret question that is known to them
D. Enter an automatically generated number from a hardware token

Answer: C

ISC2 CISSP Exam Question & Answers
Certified Information Systems Security Professional
Exam