1. How many canons are there in the ISC2 Code of Ethics?
   1. 3
   2. 4
   3. 5
   4. 6
2. What is the purpose of conducting a Business Impact Analysis (BIA)?
   1. Enumerating vulnerabilities and prioritizing them for the business
   2. Reporting a breach and determining its impact on the business
   3. Determining and quantifying the cybersecurity risk to the business
   4. Identifying and evaluating the impact that unexpected events have on the business
3. Which of the following should be used to determine the risks associated with using a Cloud Provider (CP) for the backend of a mobile application?
   1. Control Objectives for Information and Related Technology (COBIT)
   2. Open Web Application Security Project (OWASP)
   3. Cloud Access Security Broker (CASB)
   4. Process for Attack Simulation and Threat Analysis (PASTA)
4. Which privacy regulation would an international company need to meet to be compliant in Canada?
   1. Health Insurance Portability and Accountability Act (HIPAA)
   2. Personal Information Protection and...

5. Which of the following roles has technical control over an information asset dataset?
   1. Data creator
   2. Data custodian
   3. Data processor
   4. Data owner
6. Which classification type is BEST suited for information that, if compromised or accessed without authorization, could lead to criminal charges?
   1. Internal-only
   2. Confidential
   3. Restricted
   4. Public
7. How long should an organization retain its data?
   1. 1 to 3 years
   2. It depends on the kind of data being retained
   3. At least 7 years
   4. Destroy it as soon as it is no longer needed

8. Which class of fire extinguishers is BEST for electrical fires?
   1. Class A
   2. Class B
   3. Class C
   4. Class D
9. Which type of attack was MOST likely used if users visiting a website are seeing anti-virus warnings about malicious code?
   1. Cross-Site Scripting (XSS)
   2. Distributed Denial of Service (DDoS)
   3. Structured Query Language (SQL) injection
   4. Buffer overflow
10. Which method is BEST for protecting laptops?
    1. Full Disk Encryption (FDE)
    2. Advanced Encryption Standard (AES)
    3. Blowfish
    4. Multi-Factor Authentication (MFA)

11. Which of the following is a well-known Transmission Control Protocol (TCP) port used by Simple Mail Transfer Protocol (SMTP)?
    1. 22
    2. 21
    3. 25
    4. 79
12. Which of the following wireless security protocols utilizes Simultaneous Authentication of Equals (SAE) for secure authentication?
    1. Wired Equivalent Privacy (WEP)
    2. Wi-Fi Protected Access 2 (WPA2)
    3. Wi-Fi Protected Access (WPA) Enterprise
    4. Wi-Fi Protected Access 3 (WPA3)
13. Which of the following communication protocols is vulnerable to a snooping attack?
    1. Secure Shell (SSH)
    2. Layer 2 Tunneling Protocol (L2TP) v2
    3. Point-to-Point Tunneling Protocol (PPTP)
    4. Internet Protocol Security (IPsec)

14. Which of the following biometric authentication methods is the fastest while also being accurate?
    1. Facial imaging
    2. Hand geometry
    3. Iris recognition
    4. Signature
15. Which of the following components of an access control system determines what a user is allowed to do?
    1. Authentication
    2. Authorization
    3. Identification
    4. Verification
16. Which of the following security management methodologies can make use of geo-location to grant access?
    1. Attribute-Based Access Control (ABAC)
    2. Mandatory Access Control (MAC)
    3. Discretionary Access Control (DAC)
    4. Role-Based Access Control (RBAC)

17. Which application security testing approach is the MOST cost-effective and comprehensive?
    1. Dynamic Application Security Testing (DAST)
    2. Static Application Security Testing (SAST)
    3. Interactive Application Security Testing (IAST)
    4. Penetration Testing Execution Standard (PTES)
18. Which of the following information security metrics is the BEST Key Risk Indicator (KRI) for an e-commerce business?
    1. Mean Time To Contain (MTTC)
    2. Number of days to deactivate former employee credentials
    3. Number of systems with known vulnerabilities
    4. Percentage of business partners with effective cybersecurity policies
19. What is the PRIMARY limitation of a Common Vulnerability Scoring System (CVSS) score?
    1. It doesn’t take into account the impact of a successful vulnerability
    2. It doesn’t take into account the attack vector
    3. It doesn’t take into account the damage to your company
    4. It doesn’t take into account the attack’s complexity

20. When performing disaster recovery planning, which of the following options is the MOST applicable to determine the data backup’s frequency?
    1. Recovery Time Objective (RTO)
    2. Recovery Point Objective (RPO)
    3. Maximum Tolerable Downtime (MTD)
    4. Mean Time between Failures (MTBF)
21. Which internal control is BEST used to prevent a single user from having control of every aspect of a change?
    1. Separation of Duties (SoD)
    2. Two-Factor Authentication (2FA)
    3. Least privilege
    4. Job history verification
22. Which failure method for an inline Intrusion Prevention System (IPS) would BEST serve security in the event of a failure?
    1. Fail-safe
    2. Fail-open
    3. Fail-closed
    4. Failover

23. What is the PRIMARY factor in determining whether Commercial-Off-the-Shelf (COTS) software should be acquired?
    1. Procurement
    2. Business needs
    3. Development timeline
    4. Maintenance requirements
24. What best practice should a software design team adhere to when designing secure code?
    1. Limit the runtime of all functions
    2. Write Don’t Repeat Yourself (DRY) code
    3. Use open source libraries
    4. Validate input from all untrusted data sources
25. Which secure coding practice will assist in preventing the disclosure of sensitive information in error responses?
    1. Session management
    2. Communication security
    3. Database security
    4. Error handling and logging

1. Answer B.

   This is a simple knowledge question, but it can be hard if you have never seen the Ethics page on the official ISC2 website, specifically the Code of Ethics Canons section. See https://packt.link/NRHh1.

2. Answer D.

   The answer options can be wordy, but each describes a specific security work product. For example, A is a SAR. B is a breach report. C is a RAR. D is the best answer that matches the purpose of a BIA. See https://packt.link/4iqjJ.

3. Answer D.

   COBIT is a security framework. OWASP is a nonprofit foundation that works to improve the security of software, which might seem like the right answer but it is not the best option. A CASB might sound right if you don’t know it is cloud-hosted software, on-premises software, or hardware that acts as an intermediary between users and cloud service providers. PASTA is the best option. See https://packt.link/cGkUc.

4. Answer B.

   You need to be familiar with all the options to know that only the PIPEDA is...

This chapter represented a miniature version of the CISSP test and should have given you an idea of where your strengths and weaknesses are. The questions matched the domain weights specified in the exam outline, just at a smaller scale. Keep in mind that it would be impossible to truly test your knowledge of the exam outline without a pre-assessment test with a thousand questions. So, even if you got the answers right—or you guessed and got the answers right—you should still read the chapters that cover that domain.

The next chapter will start covering the material in Domain 1, including professional ethics, foundational security concepts, and governance principles.