Questions
- Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
- Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
A. Shareholders
B. Management
C. Users
D. Humanity
- Ian's private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
- Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
- Usain has lost his login and password for the Verbal Co. software-as-a-service (SAAS) system set up in 1999. The system is so old, he no longer has the email account to recover the password. Verbal Co.'s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
- Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
- Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
- Which of the following is it only recommended to follow?
A. Policies
B. Procedures
C. Standards
D. Guidelines
- Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
- Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
- Teecee is running the computer sales department and sees that her team has sold $600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
- Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
- Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
- Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)
- What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
- Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
- Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed records of the loan agreement?
A. Common access card (CAC)
B. Password
C. Mother's maiden name
D. His birthday
- Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi's BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
- Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
- Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)
- Trevor is considering transferring much of his organization's data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification
- Shewan's credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5 years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5 years in state prison.
- Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
- Tara's computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
- Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:
A. Social engineering
B. Sextortion
C. Ransomware
D. Spam
- Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?
A. Disable File Transfer Protocol (FTP) and Telnet services
B. Install the latest security update patches
C. Remove default logins and passwords
D. Implement security-hardening standards
- Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers' briefcases when they leave for the day
- Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?
A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras
- Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
- Which of the following is NOT a directive control type?
A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
- Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
- Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. On an average year, five laptops are lost, stolen, or damaged. What would be the annualized loss expectancy (ALE) calculation?
A. $10,000
B. $5,000
C. $2,000
D. $1,000
- Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?
A. Quantitative
B. Qualitative
C. Likelihood
D. Impact
- Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
- Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.
- Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his boss did not make this request. This represents which type of attack?
A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling
- Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?
A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling
- Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
- Which of the following represents an acceptable amount of data loss measured in time?
A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
- Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA
- Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:
A. MitM
B. DoS
C. Social engineering
D. Doxxing
- Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation
- Simon needs to calculate risk. Which formula will he use?
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
- Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
- Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?
A. Defense-in-depth (DiD)
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls
- As part of a disaster strategy, Caty asks management for approval of deploying a warm site. Warm sites are which type of control functionality?
A. Recovery
B. Deterrent
C. Detective
D. Preventative
- Arthur, chief executive officer (CEO) of Funutek, wishes to implement online purchasing via their website. The chief marketing officer (CMO) likes the idea because the new system can double sales. The CSO fears internet attacks and suggests NOT moving forward. How should Arthur proceed?
A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.
- NIST outlines security controls to put in place of federal agencies in which Special Publication (SP)?
A. 800-50
B. 800-51
C. 800-52
D. 800-53
- Bud has just learned about hacking, knows a little about programming, and likes to bring misery to others. He decides to attempt hacking into his school website to change his grades. This puts him in which class of hackers?
A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat
- When it comes to dual-use goods (items that can be used by the military and ordinary citizens), there are special requirements and agreements for import and export. One that seeks to limit military buildup that could threaten international security is called Conventional Arms and Dual-Use Goods and Technologies, or the:
A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law
- Taylor just won her court case through the benefit of the doubt. Her case falls under which legal system?
A. Contract
B. Administrative
C. Civil
D. Criminal
- Gael and his team have developed the perfect advertising algorithm so that when users search on his website, it leads them exactly to the information they need to reach. What is his BEST approach to assuring the secrecy of this algorithm?
A. Trade secret
B. Patent
C. Copyright
D. Trademark
- Su-wei uses the Linux operating system, and freely copies it and gives it to friends. She is allowed to do this because of which of the following licenses?
A. Shareware
B. Commercial
C. End-user license agreement (EULA)
D. Academic
- The area of United States (US) copyright law that makes it a crime to copy and distribute stolen software is called:
A. DMCA
B. EULA
C. Privacy Act
D. Business Software Alliance (BSA)
- Fritz works with a document providing him step-by-step instructions. Which of the following is he working with?
A. Policies
B. Procedures
C. Standards
D. Guidelines
- Naomi needs to calculate the TCO. Which of the following will she NOT use to complete the calculation?
A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost
- Viktor is conducting a risk assessment and needs to determine the percentage of risk his organization would suffer if an asset is compromised. Which of the following signifies this aspect of risk?
A. Safeguards
B. Vulnerabilities
C. Exposure factor
D. Risk
- Ons, a security manager, is working with her team to develop and update policies for staff and vendors. Controls in this area are considered which of the following?
A. Management
B. Operational
C. Technical
D. Logical
- Which of these is NOT true?
A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.
- Kei, a security manager, just completed a risk assessment with his team, and they determined that the new planned plant location was too dangerous, so they decided not to expand there. Which risk response did his team use?
A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance
- Molla, a project engineer, puts together a project, and she adds security according to which of the following life cycles?
A. Requirements, planning, design, test, develop, production, disposal
B. Planning, requirements, design, develop, test, production, disposal
C. Design, develop, requirements, planning, test, production, disposal
D. Planning, design, requirements, test, develop, production, disposal
- Wilfried is the security administrator of a store and is preparing for the PCI-DSS audit. Which is NOT one of the PCI-DSS requirements?
A. Configure switch settings
B. Maintain the firewall
C. Encrypt transmission of credit card transactions
D. Use antivirus software
- Vania, an administrative assistant, has discovered that her employer has been listening to her telephone conversations and reading her emails. She approaches her boss, and she shows her that she signed the reasonable expectation of privacy (REP) agreement. Which steps can Vania take next?
A. Report the supervisor to human resources (HR).
B. File a civil lawsuit.
C. Nothing—she waived her rights to phone privacy while at work.
D. Contact the police or federal authorities and open a criminal case.
- Grigor fears he will lose his job if his employer learns of his cancer diagnosis. He does not want which of the following to leak?
A. Health and Human Services (HHS)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
C. HIPAA
D. Personal health information (PHI)
- Martina seeks to press criminal charges against the CEO of RMS Foods Inc. because their employee stole her credit card. What happens next?
A. The government will press charges against the CEO.
B. Conflicts are managed under PCI-DSS agreements, not the government.
C. Conflicts are managed under ISO or NIST certification, not the government.
D. Conflicts are managed under GDPR laws, so there will only be fines.
- Boris is working to complete a design project. He decides to hire a contractor to help complete the project on time. Which type of risk response is he using?
A. Transfer
B. Acceptance
C. Division
D. Avoidance
- Petra uses her own secret formula to manufacturer her synthetic gut tennis string. This is then stolen by the SGI Strings Company. Which law or agreement has been broken?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
- As Bjorn leaves the office this day, Steffi tells him she overheard men starting to break in earlier that evening to steal documents. The men are later caught, and Bjorn is brought onto the witness stand in court to mention what he heard. This type of evidence is termed which of the following?
A. Conclusive
B. Admissible
C. Hearsay
D. Best evidence
- Garbine performs inspections of whether security policies, procedures, standards, and guidelines are followed according to the organization's security objectives. What is her role for the firm?
A. Auditor
B. Chief information security officer (CISO)
C. Information security manager (ISM)
D. Data owner
- Which is critical for proper incident response?
A. Evidence handling
B. Security information and event management (SIEM)
C. Intrusion detection system (IDS)
D. Incident response policy
- Novak is preparing a DR exercise and emails the emergency task lists to the DR teams for review. Which type of exercise is he running?
A. Full interruption test
B. Parallel test
C. Tabletop test
D. Checklist test
- Simona is a space fleet lieutenant putting together classifications for her computer system. Which of the following sensitivity systems will she follow?
A. Confidential, private, sensitive, public
B. Top-secret, secret, confidential, unclassified
C. Highly sensitive, sensitive, classified, unclassified
D. Top-secret, secret, classified, unclassified
- Andre has provided his phone number, email address, and home address to Pyramid Grocer so that they can deliver groceries to his home. He is considered to be which of the following?
A. Data owner
B. Data custodian
C. Data subject
D. Data auditor
- Venus needs an administrative control to enhance the confidentiality of data. Which should she choose?
A. DLP system
B. Fencing
C. Security guards
D. NDA
- Juan plans to perform testing on his website and generate random input to see if it is vulnerable to which type of attack?
A. Fuzzing
B. DoS
C. Malware
D. Input validation
- Victoria has worked in several departments of the company, including marketing, quality, and production. An audit found she still has privileges in all of her past departments even though she works in finance. This is called:
A. SoD
B. Collusion
C. Privilege creep
D. Least privilege
- Stan wishes to set up secure authentication for his users. Which of the following is NOT BEST for authentication?
A. Retinal scan
B. Username
C. Palm vein scan
D. CAC
- Billie needs to determine how much risk her organization can handle and still operate efficiently. She will first conduct a?
A. Risk assessment
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
- Which of the following does NOT require an AUP?
A. Consultant
B. Contractor
C. Employee
D. Computer
- Stefanos has just signed an SLA with NUS Systems. Which of the following is NOT part of the agreement?
A. Financial credit for downtime
B. Alpha services
C. Covered service
D. Service-level objectives (SLOs)
- Madison received an email from Justine stating that $1,000 in funds had been transferred to her. Justine states she never sent the email. Which process would prove Justine sent the email?
A. Fingerprinting
B. Encryption
C. Non-repudiation
D. Hashing
- Security education should be required for whom in an organization?
A. Computer users
B. Everyone
C. Senior executives
D. Security teams
- Lleyton is planning on hiring 50 new engineers. What should be his FIRST step when reviewing new candidates?
A. Make sure prospects pass lie-detector screening.
B. Conduct thorough background checks.
C. Follow the employment candidate-screening process.
D. Perform drug screenings.
- Non-compete agreements (NCAs) are generally unenforceable because:
A. NCAs are illegal.
B. Courts value a citizen's right to earn a reasonable income.
C. Competition is covered in the NDA.
D. NCAs are always enforceable.
- Ana, a systems engineer, caught Bud stealing corporate financial documents and informed her manager. Which department handles Bud's termination?
A. HR
B. Security
C. Engineering
D. Finance
- Daniil has finished a successful career with DDA Motors. As part of the exit interview, he's required to return everything Except for:
A. Last week's paycheck
B. Smart card
C. Corporate smartphone
D. Employee identifier (ID) card
- Which of the following does NOT represent an asset for an organization?
A. Sunk costs
B. Computer
C. Trademark
D. Staff
- Which is BEST represented as the product of a threat and vulnerability?
A. Safeguard
B. Exposure
C. Risk
D. Breach
- What is the biggest threat to any organization?
A. Pandemics
B. Malware
C. Clear text
D. Disgruntled employees
- Elina is interviewing risk consulting firms. What is the main item she should NOT look for in a qualified firm?
A. Can assist in defining the scope and purpose of risk assessments
B. Categorizes and prioritizes assets
C. Helps in defining acceptable levels of risk
D. Years of experience in bringing organizations' risk to zero
- What represents the product of the asset value (AV) and exposure factor (EF)?
A. Annual rate of occurrence (ARO)
B. Single loss expectancy (SLE)
C. ALE
D. Annual cost of a safeguard (ACS)
- An organization is initiating the qualitative risk analysis process. Which of the following is NOT part of the process?
A. Cost versus benefit analysis
B. Educated guesses
C. Opinions considered
D. Multiple experts
- The Risk Management Framework (RMF) is also known as which NIST SP?
A. 800-35
B. 800-36
C. 800-37
D. 800-38
- Feliciano has applied multiple risk mitigations to protect an asset. When should he stop?
A. When risk reaches an acceptable level
B. When the asset becomes unusable
C. After purchasing insurance for the asset
D. When the risk is reduced to zero
- According to the Cisco 2020 CISO Benchmark Report, cyber (security) fatigue is defined as virtually giving up on proactively defending against malicious actors. What is the number 1 source of cyber fatigue?
A. Malware
B. Phishing attacks
C. Shadow IT
D. Password management
- Sofia, a senior manager, needs to get a Linux update installed on her team's server. Central IT has not performed the update even after being asked three times. Sofia selects a team member to install it and work around the IT department. This is BEST referred to as:
A. Self-help
B. Delegation of IT
C. Policy violation
D. Shadow IT
- Benoit, the company CISO, is researching high-security systems that authenticate everything attempting connections to the corporate network. Such an architecture is called:
A. Zed trust
B. No trust
C. Zero trust
D. Null trust
- The following type of security learning yields a credential such as a certificate or a degree:
A. Awareness
B. Education
C. Training
D. Birds of a feather (BOAF) sessions
- For most organizations, which is the most important asset when a firm enters into BCP or DRP mode?
A. People
B. Network
C. Server room
D. Cash
- Eugenie is the production manager at FAUX Widgets, and the lights went out for the entire building. Which action does she execute FIRST?
A. Contact the electric company.
B. Check the fuse box.
C. Follow the DRP plan.
D. Follow the BCP plan.
