76. Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments

77. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?
A. Authentication
B. Authorization
C. Integrity
D. Nonrepudiation

78. What principle of information security states that an organization should implement overlapping security controls whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity

79. Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.)
A. (ISC)2 Code of Ethics
B. Organizational code of ethics
C. Federal code of ethics
D. RFC 1087

80. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception

81. The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?
A. I
B. II
C. III
D. IV

82. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
A. Informing other employees of the termination
B. Retrieving the employee's photo ID
C. Calculating the final paycheck
D. Revoking electronic access rights

83. Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance

84. Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site's privacy policy and would like to ensure that it complies with the provisions of the Children's Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?
A. 13
B. 15
C. 17
D. 18
85. Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?
A. 100
B. 1
C. 0.1
D. 0.01

86. You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?
A. Integrity
B. Denial
C. Availability
D. Confidentiality

87. Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using?
A. Vulnerability assessment
B. Fuzzing
C. Reduction analysis
D. Data modeling

88. Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map shown here from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?
A. New York
B. North Carolina
C. Indiana
D. Florida

89. Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction

90. Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat?
A. Unpatched web application
B. Web defacement
C. Malicious hacker
D. Operating system

For questions 91–93, please refer to the following scenario:

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years.

91. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center?
A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent

92. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center?
A. 0.0025
B. 0.005
C. 0.01
D. 0.015

93. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing's data center?
A. $25,000
B. $50,000
C. $250,000
D. $500,000

94. John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
A. Spoofing
B. Repudiation
C. Information disclosure
D. Elevation of privilege

95. Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)
96. In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and is approved, another employee moves the code to the production environment. What security management process does this describe?
A. Regression testing
B. Code review
C. Change management
D. Fuzz testing
97. After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?
A. A KPI
B. A metric
C. An awareness control
D. A return on investment rate

98. Which of the following is not typically included in a prehire screening process?
A. A drug test
B. A background check
C. Social media review
D. Fitness evaluation
99. Which of the following would normally be considered a supply chain risk? (Select all that apply.)
A. Adversary tampering with hardware while it is being shipped to the end customer
B. Adversary hacking into a web server run by the organization in an IaaS environment
C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts
D. Adversary conducting a denial-of-service attack using a botnet
100. Match the following numbered laws or industry standards to their lettered description:

Laws and industry standards
1. GLBA
2. PCI DSS
3. HIPAA
4. SOX

Descriptions
A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis
B. A U.S. law that requires internal controls assessments, including IT transaction flows, for publicly traded companies
C. An industry standard that covers organizations that handle credit cards
D. A U.S. law that provides data privacy and security requirements for medical information
Chapter 2 Asset Security (Domain 2)
SUBDOMAINS:
2.1 Identify and classify information and assets
2.2 Establish information and