A.  

Limit access to predefined queries

B.  

Segregate the database into a small number of partitions each with a separate security level

C.  

Implement Role Based Access Control (RBAC)

D.  

Reduce the number of people who have access to the system for statistical purposes

A.  

Derived credential

B.  

Temporary security credential

C.  

Mobile device credentialing service

D.  

Digest authentication

A.  

Code signing

B.  

Class authentication

C.  

Sandboxing

D.  

Type safety

A.  

Common Vulnerabilities and Exposures (CVE)

B.  

Common Vulnerability Scoring System (CVSS)

C.  

Asset Reporting Format (ARF)

D.  

Open Vulnerability and Assessment Language (OVAL)

A.  

Data owner

B.  

Data architect

C.  

Chief Information Security Officer (CISO)

D.  

Chief Information Officer (CIO)

A.  

Implementation Phase

B.  

Initialization Phase

C.  

Cancellation Phase

D.  

Issued Phase

A.  

Diffie-Hellman algorithm

B.  

Secure Sockets Layer (SSL)

C.  

Advanced Encryption Standard (AES)

D.  

Message Digest 5 (MD5)

A.  

Hashing the data before encryption

B.  

Hashing the data after encryption

C.  

Compressing the data after encryption

D.  

Compressing the data before encryption

A.  

Confidentiality

B.  

Integrity

C.  

Identification

D.  

Availability

A.  

Require the cloud 1AM provider to use declarative security instead of programmatic authentication checks.

B.  

Integrate a Web-Application Firewall (WAF) In reverie-proxy mode in front of the service provider.

C.  

Apply Transport layer Security (TLS) to the cloud-based authentication checks.

D.  

Install an on-premise Authentication Gateway Service (AGS) In front of the service provider.

A.  

Penetration testing

B.  

Threat modeling

C.  

Manual inspections and reviews

D.  

Source code review

A.  

The consent form terms and conditions signed by employees

B.  

The organization's data classification model

C.  

Existing employee data classifications

D.  

An organization security plan for human resources

A.  

The attacker could publicly share confidential comments found in the stolen code.

B.  

Competitors might be able to steal the organization's ideas by looking at the stolen code.

C.  

A competitor could run their own copy of the organization's website using the stolen code.

D.  

Administrative credentials or keys hard-coded within the stolen code could be used to access sensitive data.

A.  

Implement two-factor authentication on the underlying infrastructure.

B.  

Encrypt data at the field level and tightly control encryption keys.

C.  

Preprocess the databases to see if inn …… can be disclosed from the learned patterns.

D.  

Implement the principle of least privilege on data elements so a reduced number of users can access the database.

A.  

To perform cyclic redundancy check (CRC) verification and detect changed applications

B.  

To review program code to determine the existence of backdoors

C.  

To analyze possible malicious intent of malware

D.  

To determine the author and behavior of the code

A.  

Biometrics and badge reader

B.  

Biometrics, a password, and personal identification number (PIN)

C.  

Individual password for each user

D.  

Biometrics, a password, and badge reader

A.  

Contract negotiation

B.  

Request for proposal (RFP)

C.  

Implementation

D.  

Vendor selection

A.  

When identified by external consultants

B.  

During the application rollout phase

C.  

During each phase of the project cycle

D.  

When built into application design

A.  

Lower costs throughout the System Development Life Cycle (SDLC)

B.  

Facilitate a root cause analysis (RCA)

C.  

Enable generation of corrective action reports

D.  

Avoid lengthy audit reports

A.  

Bulk data encryption and decryption

B.  

One-way secure hashing for user and message authentication

C.  

Secure key exchange for symmetric cryptography

D.  

Creating digital checksums for message integrity

A.  

Follow-On

B.  

Planning

C.  

Contracting

D.  

Monitoring and Acceptance

A.  

Operating system (OS) versions can be validated prior to allowing network access.

B.  

NAC supports validation of the endpoint's security posture prior to allowing the session to go into an authorized state.

C.  

NAC can require the use of certificates, passwords, or a combination of both before allowing network admission.

D.  

NAC only supports Windows operating systems (OS).

A.  

Unit testing

B.  

Integration testing

C.  

Negative testing

D.  

Acceptance testing

A.  

Layer 2 Tunneling Protocol (L2TP)

B.  

Link Control Protocol (LCP)

C.  

Challenge Handshake Authentication Protocol (CHAP)

D.  

Packet Transfer Protocol (PTP)

A.  

Link layer

B.  

Physical layer

C.  

Session layer

D.  

Application layer

A.  

When it has been validated by the Business Continuity (BC) manager

B.  

When it has been validated by the board of directors

C.  

When it has been validated by all threat scenarios

D.  

When it has been validated by realistic exercises

A.  

Take the computer to a forensic lab

B.  

Make a copy of the hard drive

C.  

Start documenting

D.  

Turn off the computer

A.  

Disable all unnecessary services

B.  

Ensure chain of custody

C.  

Prepare another backup of the system

D.  

Isolate the system from the network

A.  

Certify and approve releases to the environment

B.  

Provide version rollbacks for system changes

C.  

Ensure that all applications are approved

D.  

Ensure accountability for changes to the environment

A.  

Hardware and software compatibility issues

B.  

Applications’ critically and downtime tolerance

C.  

Budget constraints and requirements

D.  

Cost/benefit analysis and business objectives

A.  

Continuously without exception for all security controls

B.  

Before and after each change of the control

C.  

At a rate concurrent with the volatility of the security control

D.  

Only during system implementation and decommissioning

A.  

Collecting security events and correlating them to identify anomalies

B.  

Facilitating system-wide visibility into the activities of critical user accounts

C.  

Encompassing people, process, and technology

D.  

Logging both scheduled and unscheduled system changes

A.  

Walkthrough

B.  

Simulation

C.  

Parallel

D.  

White box

A.  

Determine the cause of the incident

B.  

Disconnect the system involved from the network

C.  

Isolate and contain the system involved

D.  

Investigate all symptoms to confirm the incident

A.  

Guaranteed recovery of all business functions

B.  

Minimization of the need decision making during a crisis

C.  

Insurance against litigation following a disaster

D.  

Protection from loss of organization resources

A.  

Awareness activities should be used to focus on security concerns and respond to those concerns

accordingly

B.  

Awareness is not an activity or part of the training but rather a state of persistence to support the program

C.  

Awareness is training. The purpose of awareness presentations is to broaden attention of security.

D.  

Awareness is not training. The purpose of awareness presentation is simply to focus attention on security.

A.  

Verify that all systems and Standard Operating Procedures (SOP) are properly documented.

B.  

Verify that all personnel supporting a system are knowledgeable of their responsibilities.

C.  

Verify that security controls are established following best practices.

D.  

Verify that applicable security controls are implemented and effective.

A.  

Minimizing attack surface area

B.  

Hardening the network perimeter

C.  

Accepting infrastructure security controls

D.  

Developing independent modules

A.  

Installing an application to retrieve common characteristics of the device

B.  

Storing information about a remote device in a cookie file

C.  

Identifying a device based on common characteristics shared by all devices of a certain type

D.  

Retrieving the serial number of the mobile device

A.  

Physical security

B.  

Data classification

C.  

Network control

D.  

Application layer control

A.  

Transport Layer Security (TLS)

B.  

Ron Rivest Cipher 4 (RC4) encryption

C.  

Security Assertion Markup Language (SAML)

D.  

Multifactor authentication

A.  

Server identify and data confidentially

B.  

Information input validation

C.  

Multi-Factor Authentication (MFA)

D.  

Non-reputation controls and data encryption

A.  

Reasonable data testing

B.  

Input validation testing

C.  

Web session testing

D.  

Allowed data bounds and limits testing

A.  

To ensure the organization is adhering to a well-defined standard

B.  

To ensure the organization is applying security controls to mitigate identified risks

C.  

To ensure the organization is configuring information systems efficiently

D.  

To ensure the organization is documenting findings

A.  

Check arguments in function calls

B.  

Test for the security patch level of the environment

C.  

Include logging functions

D.  

Digitally sign each application module

A.  

Least privilege

B.  

Privilege escalation

C.  

Defense in depth

D.  

Privilege bracketing

A.  

Debug the security issues

B.  

Migrate to newer, supported applications where possible

C.  

Conduct a security assessment

D.  

Protect the legacy application with a web application firewall

A.  

Purchase software from a limited list of retailers

B.  

Verify the hash key or certificate key of all updates

C.  

Do not permit programs, patches, or updates from the Internet

D.  

Test all new software in a segregated environment

A.  

Lack of software documentation

B.  

License agreements requiring release of modified code

C.  

Expiration of the license agreement

D.  

Costs associated with support of the software

A.  

System acquisition and development

B.  

System operations and maintenance

C.  

System initiation

D.  

System implementation

A.  

After the system preliminary design has been developed and the data security categorization has been performed

B.  

After the vulnerability analysis has been performed and before the system detailed design begins

C.  

After the system preliminary design has been developed and before the data security categorization begins

D.  

After the business functional analysis and the data security categorization have been performed

A.  

It contains the keys of all clients.

B.  

It always operates at root privilege.

C.  

It contains all the tickets for services.

D.  

It contains the Internet Protocol (IP) address of all network entities.

A.  

Determine testing methods

B.  

Develop testing procedures

C.  

Identify all applicable security requirements

D.  

Identify people, processes, and products not in compliance

A.  

hosts are able to establish network communications.

B.  

users can make modifications to their security software configurations.

C.  

common software security components be implemented across all hosts.

D.  

firewalls running on each host are fully customizable by the user.

A.  

Train personnel in roles and responsibilities

B.  

Validate service level agreements

C.  

Train maintenance personnel

D.  

Validate operation metrics

A.  

Programs that write to system resources

B.  

Programs that write to user directories

C.  

Log files containing sensitive information

D.  

Log files containing system calls

A.  

enable the development of High Availability (HA) systems.

B.  

facilitate the creation of Trusted Computing Base (TCB) systems.

C.  

prevent the creation of vulnerable applications.

D.  

encourage the development of open source applications.

A.  

Provides senior management with decision-making tools

B.  

Establishes and adopts ongoing testing and maintenance strategies

C.  

Defines who will perform which functions during a disaster or emergency

D.  

Provides an understanding of the organization's interdependencies

A.  

The process will require too many resources

B.  

It will be difficult to apply to both hardware and software

C.  

It will be difficult to assign ownership to the data

D.  

The process will be perceived as having value

A.  

Assigned security label

B.  

Multilevel Security (MLS) architecture

C.  

Minimum query size

D.  

Passage of time

A.  

Ensuring quality and validation through periodic audits for ongoing data integrity

B.  

Maintaining fundamental data availability, including data storage and archiving

C.  

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

D.  

Determining the impact the information has on the mission of the organization

A.  

Identify the contractual security obligations that apply to the organizations

B.  

Understand the value of the information assets

C.  

Identify the level of residual risk that is tolerable to management

D.  

Identify relevant legislative and regulatory compliance requirements

A.  

Personal Identity Verification (PIV)

B.  

Cardholder Unique Identifier (CHUID) authentication

C.  

Physical Access Control System (PACS) repeated attempt detection

D.  

Asymmetric Card Authentication Key (CAK) challenge-response

A.  

The department should report to the business owner

B.  

Ownership of the asset should be periodically reviewed

C.  

Individual accountability should be ensured

D.  

All members should be trained on their responsibilities

A.  

system security managers

B.  

business managers

C.  

Information Technology (IT) managers

D.  

end users

A.  

Platform as a Service (PaaS)

B.  

Identity as a Service (IDaaS)

C.  

Desktop as a Service (DaaS)

D.  

Software as a Service (SaaS)

A.  

Number of system compromises

B.  

Number of audit findings

C.  

Number of staff reductions

D.  

Number of additional assets

A.  

Timing

B.  

Cold boot

C.  

Side channel

D.  

Acoustic cryptanalysis

A.  

Legal

B.  

Logical

C.  

Physical

D.  

Procedural

A.  

Executive sponsorship

B.  

Information security sponsorship

C.  

End-user acceptance

D.  

Internal audit acceptance

A.  

Non-repudiation

B.  

Traceability

C.  

Anonymity

D.  

Resilience

A.  

Commercial products often have serious weaknesses of the magnetic force available in the degausser product.

B.  

Degausser products may not be properly maintained and operated.

C.  

The inability to turn the drive around in the chamber for the second pass due to human error.

D.  

Inadequate record keeping when sanitizing mediA.

A.  

Scan the application for vulnerabilities

B.  

Contract the vendor for patching

C.  

Negotiate end user application training

D.  

Escrow a copy of the software

A.  

Verify they are operating properly

B.  

Monitor employee productivity

C.  

Identify anomalies in use patterns

D.  

Meet compliance regulations

A.  

Workplace privacy laws

B.  

Level of organizational trust

C.  

Results of background checks

D.  

Business ethical considerations

A.  

In-house security administrators

B.  

In-house Network Team

C.  

Disaster Recovery (DR) Team

D.  

External consultants

A.  

Anti-virus software

B.  

Intrusion Prevention System (IPS)

C.  

Anti-spyware software

D.  

Integrity checking software

A.  

Log review

B.  

Least privilege

C.  

Password complexity

D.  

Non-disclosure agreement

A.  

Time of data validation after disaster

B.  

Time of data restoration from backup after disaster

C.  

Time of application resumption after disaster

D.  

Time of application verification after disaster

A.  

User accounts

B.  

System accounts

C.  

Generic accounts

D.  

Privileged accounts

A.  

Formal acceptance of the security strategy

B.  

Disciplinary actions taken against unethical behavior

C.  

Development of an awareness program for new employees

D.  

Audit of all organization system configurations for faults

A.  

Ensure the fire prevention and detection systems are sufficient to protect personnel

B.  

Review the architectural plans to determine how many emergency exits are present

C.  

Conduct a gap analysis of a new facilities against existing security requirements

D.  

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

A.  

Network redundancies are not implemented

B.  

Security awareness training is not completed

C.  

Backup tapes are generated unencrypted

D.  

Users have administrative privileges

A.  

Development, testing, and deployment

B.  

Prevention, detection, and remediation

C.  

People, technology, and operations

D.  

Certification, accreditation, and monitoring

A.  

Examine the device for physical tampering

B.  

Implement more stringent baseline configurations

C.  

Purge or re-image the hard disk drive

D.  

Change access codes

A.  

Audit logs

B.  

Role-Based Access Control (RBAC)

C.  

Two-factor authentication

D.  

Application of least privilege

A.  

Trusted third-party certification

B.  

Lightweight Directory Access Protocol (LDAP)

C.  

Security Assertion Markup language (SAML)

D.  

Cross-certification

A.  

Warm site

B.  

Hot site

C.  

Mirror site

D.  

Cold site

A.  

Consolidation of multiple providers

B.  

Directory synchronization

C.  

Web based logon

D.  

Automated account management

A.  

Absence of a Business Intelligence (BI) solution

B.  

Inadequate cost modeling

C.  

Improper deployment of the Service-Oriented Architecture (SOA)

D.  

Insufficient Service Level Agreement (SLA)

A.  

False Acceptance Rate (FAR) is greater than 1 in 100,000

B.  

False Rejection Rate (FRR) is greater than 5 in 100

C.  

Inadequately specified templates

D.  

Exact match

A.  

No, different jurisdictions have different rules.

B.  

No, not if the data is encrypted.

C.  

No, companies' codes of ethics don't require it.

D.  

No, only if the breach had a material impact.

A.  

Secure Sockets Layer (SSL)

B.  

Secure Hash Algorithm (SHA)

C.  

Wired Equivalent Privacy (WEP)

D.  

Secure Post Office Protocol (POP)

A.  

Data Custodian

B.  

Data Owner

C.  

Data Creator

D.  

Data User

A.  

Application Layer

B.  

Physical Layer

C.  

Data-Link Layer

D.  

Network Layer

A.  

Static discharge

B.  

Consumption

C.  

Generation

D.  

Magnetism

A.  

dig

B.  

ifconfig

C.  

ipconfig

D.  

nbtstat

A.  

A document that expresses an implementation independent set of security requirements for an IT product that meets specific consumer needs.

B.  

A document that is used to develop an IT security product from its security requirements definition.

C.  

A document that expresses an implementation dependent set of security requirements which contains only the security functional requirements.

D.  

A document that represents evaluated products where there is a one-to-one correspondence between a PP and a Security Target (ST).

A.  

Data at rest encryption

B.  

Configuration Management

C.  

Integrity checking software

D.  

Cyclic redundancy check (CRC)

A.  

As a means for improvement

B.  

As alternative options for awareness and training

C.  

As indicators of a need for policy

D.  

As business function gap indicators

A.  

Revoke access temporarily.

B.  

Block user access and delete user account after six months.

C.  

Block access to the offices immediately.

D.  

Monitor account usage temporarily.

A.  

The estimated period of time a business critical database can remain down before customers are affected.

B.  

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

C.  

The estimated period of time a business can remain interrupted beyond which it risks never recovering

D.  

The fixed length of time in a DR process before redundant systems are engaged

A.  

Confidentiality

B.  

Integrity

C.  

Availability

D.  

Accessibility

A.  

Transport

B.  

Data link

C.  

Network

D.  

Application

A.  

Cost effectiveness of business recovery

B.  

Cost effectiveness of installing software security patches

C.  

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

D.  

Which security measures should be implemented

A.  

Calculate the value of assets being accredited.

B.  

Create a list to include in the Security Assessment and Authorization package.

C.  

Identify obsolete hardware and software.

D.  

Define the boundaries of the information system.

A.  

Federated security and authenticated access controls

B.  

Trusted software development and run time integrity controls

C.  

Encryption and security enabled applications

D.  

Enclave boundary protection and computing environment defense

A.  

Data custodian

B.  

Information owner

C.  

Database administrator

D.  

Quality control

A.  

Reduced risk to internal systems.

B.  

Prepare the server for potential attacks.

C.  

Mitigate the risk associated with the exposed server.

D.  

Bypass the need for a firewall.

A.  

Asset Management, Business Environment, Governance and Risk Assessment

B.  

Access Control, Awareness and Training, Data Security and Maintenance

C.  

Anomalies and Events, Security Continuous Monitoring and Detection Processes

D.  

Recovery Planning, Improvements and Communications

A.  

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

B.  

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

C.  

Management teams will understand the testing objectives and reputational risk to the organization

D.  

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

A.  

Change management processes

B.  

User administration procedures

C.  

Operating System (OS) baselines

D.  

System backup documentation

A.  

Quarterly access reviews

B.  

Security continuous monitoring

C.  

Business continuity testing

D.  

Annual security training

A.  

Host VM monitor audit logs

B.  

Guest OS access controls

C.  

Host VM access controls

D.  

Guest OS audit logs

A.  

Encryption of audit logs

B.  

No archiving of audit logs

C.  

Hashing of audit logs

D.  

Remote access audit logs

A.  

Countermeasure effectiveness

B.  

Type of potential loss

C.  

Incident likelihood

D.  

Information ownership

A.  

Use a web scanner to scan for vulnerabilities within the website.

B.  

Perform a code review to ensure that the database references are properly addressed.

C.  

Establish a secure connection to the web server to validate that only the approved ports are open.

D.  

Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

A.  

undergo a security assessment as part of authorization process

B.  

establish a risk management strategy

C.  

harden the hosting server, and perform hosting and application vulnerability scans

D.  

establish policies and procedures on system and services acquisition

A.  

Mandatory Access Control (MAC)

B.  

Access Control List (ACL)

C.  

Discretionary Access Control (DAC)

D.  

Authorized user control

A.  

Users, permissions, operations, and protected objects

B.  

Roles, accounts, permissions, and protected objects

C.  

Users, roles, operations, and protected objects

D.  

Roles, operations, accounts, and protected objects

A.  

Mutual authentication

B.  

Server authentication

C.  

User authentication

D.  

Streaming ciphertext data

A.  

Establish an information security policy.

B.  

Identify factors affecting information security.

C.  

Establish baseline security controls.

D.  

Identify critical security infrastructure.

A.  

Deploying load balancers to distribute inbound traffic across multiple data centers

B.  

Set Up Web Application Firewalls (WAFs) to filter out malicious traffic

C.  

Implementing reverse web-proxies to validate each new inbound connection

D.  

Coordinate with and utilize capabilities within Internet Service Provider (ISP)

A.  

Single Sign-On (SSO) authentication support

B.  

Privileged user authentication support

C.  

Password reset service support

D.  

Terminal Access Controller Access Control System (TACACS) authentication support

A.  

Ensures that a trace for all deliverables is maintained and auditable

B.  

Enforces backward compatibility between releases

C.  

Ensures that there is no loss of functionality between releases

D.  

Allows for future enhancements to existing features

A.  

identification, analysis, evaluation

B.  

analysis, evaluation, mitigation

C.  

classification, identification, risk management

D.  

identification, evaluation, mitigation

A.  

Inert gas fire suppression system

B.  

Halon gas fire suppression system

C.  

Dry-pipe sprinklers

D.  

Wet-pipe sprinklers

A.  

Diffle-Hellman (DH) algorithm

B.  

Elliptic Curve Cryptography (ECC) algorithm

C.  

Digital Signature algorithm (DSA)

D.  

Rivest-Shamir-Adleman (RSA) algorithm

A.  

If the data is lost, it must be decrypted to be opened.

B.  

If the data is lost, it will not be accessible to unauthorized users.

C.  

When the data is being viewed, it can only be printed by authorized users.

D.  

When the data is being viewed, it must be accessed using secure protocols.

A.  

exploits weak authentication to penetrate networks.

B.  

can be detected with signature analysis.

C.  

looks like normal network activity.

D.  

is commonly confused with viruses or worms.

A.  

Policies are used to enforce violations, and procedures create penalties

B.  

Policies point to guidelines, and procedures are more contractual in nature

C.  

Policies are included in awareness training, and procedures give guidance

D.  

Policies are generic in nature, and procedures contain operational details

A.  

Review automated patch deployment reports

B.  

Periodic third party vulnerability assessment

C.  

Automated vulnerability scanning

D.  

Perform vulnerability scan by security team