Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?
Data leakage of sensitive information is MOST often concealed by which of the following?
What type of test assesses a Disaster Recovery (DR) plan using realistic disaster scenarios while maintaining minimal impact to business operations?
Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification in the image below.
Which of the following is the BEST example of weak management commitment to the protection of security assets and resources?
Regarding asset security and appropriate retention, which of the following INITIAL top three areas are important to focus on?
Which of the following questions can be answered using user and group entitlement reporting?
Which of the following statements is TRUE regarding value boundary analysis as a functional software testing technique?
Which one of the following operates at the session, transport, or network layer of the Open System Interconnection (OSI) model?
Which one of the following is a common risk with network configuration management?
Which of the following is a recommended alternative to an integrated email encryption system?
What does an organization FIRST review to assure compliance with privacy requirements?
Who is ultimately responsible to ensure that information assets are categorized and adequate measures are taken to protect them?
Which of the following disaster recovery test plans will be MOST effective while providing minimal risk?
Which of the following is generally indicative of a replay attack when dealing with biometric authentication?
An organization decides to implement a partial Public Key Infrastructure (PKI) with only the servers having digital certificates. What is the security benefit of this implementation?
A large bank deploys hardware tokens to all customers that use their online banking system. The token generates and displays a six digit numeric password every 60 seconds. The customers must log into their bank accounts using this numeric password. This is an example of
What is the MOST effective method for gaining unauthorized access to a file protected with a long complex password?
From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?
Which of the following provides effective management assurance for a Wireless Local Area Network (WLAN)?
What does secure authentication with logging provide?
Refer to the information below to answer the question.
Desktop computers in an organization were sanitized for re-use in an equivalent security environment. The data was destroyed in accordance with organizational policy and all marking and other external indications of the sensitivity of the data that was formerly stored on the magnetic drives were removed.
After magnetic drives were degaussed twice according to the product manufacturer's directions, what is the MOST LIKELY security issue with degaussing?
Identify the component that MOST likely lacks digital accountability related to information access.
Click on the correct device in the image below.
Which of the following is a MAJOR consideration in implementing a Voice over IP (VoIP) network?
During the procurement of a new information system, it was determined that some of the security requirements were not addressed in the system specification. Which of the following is the MOST likely reason for this?
Which of the following is a critical factor for implementing a successful data classification program?
Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.
In a Bell-LaPadula system, which user cannot write to File 3?
Which of the following problems is not addressed by using OAuth (Open Standard to Authorization) 2.0 to integrate a third-party identity provider for a service?
Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?
Which of the following BEST mitigates a replay attack against a system using identity federation and Security Assertion Markup Language (SAML) implementation?
At a MINIMUM, a formal review of any Disaster Recovery Plan (DRP) should be conducted
Which of the following statements is TRUE for point-to-point microwave transmissions?
Contingency plan exercises are intended to do which of the following?
An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information?
An organization is designing a large enterprise-wide document repository system. They plan to have several different classification level areas with increasing levels of controls. The BEST way to ensure document confidentiality in the repository is to
A disadvantage of an application filtering firewall is that it can lead to
As one component of a physical security system, an Electronic Access Control (EAC) token is BEST known for its ability to
Which of the following does the Encapsulating Security Payload (ESP) provide?
The stringency of an Information Technology (IT) security assessment will be determined by the
Which of the following is considered best practice for preventing e-mail spoofing?
Which of the following assessment metrics is BEST used to understand a system's vulnerability to potential exploits?
Which of the following is a security feature of Global Systems for Mobile Communications (GSM)?
What maintenance activity is responsible for defining, implementing, and testing updates to application systems?
Which one of the following is the MOST important in designing a biometric access system if it is essential that no one other than authorized individuals are admitted?
Which of the following is the BEST mitigation from phishing attacks?
Which of the following in the BEST way to reduce the impact of an externally sourced flood attack?
Which of the following is true of Service Organization Control (SOC) reports?
Which of the following needs to be included in order for High Availability (HA) to continue operations during planned system outages?
What is the FIRST step required in establishing a records retention program?
Which of the following BEST describes how access to a system is granted to federated user accounts?
Which of the following is the weakest form of protection for an application that handles Personally Identifiable Information (PII)?
Which of the following is a characteristic of convert security testing?
Which of the following is critical if an empolyee is dismissed due to violation of an organization’s acceptable use policy (Aup) ?
When can a security program be considered effective?
Which of the following objects should be removed FIRST prior to uploading code to public code repositories?
Change management policies and procedures belong to which of the following types of controls?
Which of the following types of data would be MOST difficult to detect by a forensic examiner?
Which of the following authorization standards is built to handle Application programming Interface (API) access for federated Identity management (FIM)?
When selecting a disk encryption technology, which of the following MUST also be assured to be encrypted?
What is the MAIN reason to ensure the appropriate retention periods are enforced for data stored on electronic media?
With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?
Which of the following is the FIRST step in the incident response process?
Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations?
When is a Business Continuity Plan (BCP) considered to be valid?
Which of the following is a PRIMARY advantage of using a third-party identity service?
What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization’s systems cannot be unavailable for more than 24 hours?
Recovery strategies of a Disaster Recovery planning (DRIP) MUST be aligned with which of the following?
What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?
What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
What is the PRIMARY reason for implementing change management?
A continuous information security monitoring program can BEST reduce risk through which of the following?
A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?
An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause?
Which Redundant Array c/ Independent Disks (RAID) Level does the following diagram represent?
What is the benefit of using Network Admission Control (NAC)?
An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?
When implementing a data classification program, why is it important to avoid too much granularity?
Which of the following is MOST important when assigning ownership of an asset to a department?
Which of the following is an initial consideration when developing an information security management system?
Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards?
In a data classification scheme, the data is owned by the
Which one of the following affects the classification of data?
Which of the following BEST describes the responsibilities of a data owner?
A chemical plan wants to upgrade the Industrial Control System (ICS) to transmit data using Ethernet instead
of RS422. The project manager wants to simplify administration and maintenance by utilizing the office
network infrastructure and staff to implement this upgrade.
Which of the following is the GREATEST impact on security for the network?
Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?
What are the steps of a risk assessment?
What is the MOST significant benefit of an application upgrade that replaces randomly generated session keys with certificate based encryption for communications with backend servers?
Which of the following is the MOST efficient mechanism to account for all staff during a speedy nonemergency evacuation from a large security facility?
Digital certificates used in Transport Layer Security (TLS) support which of the following?
Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections?
What is the purpose of an Internet Protocol (IP) spoofing attack?
An external attacker has compromised an organization’s network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker’s ability to gain further information?
Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats?
Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol?
In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node?
Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress?
An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control?
Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model?
At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located?
What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?
Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?
Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee’s salary?
A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?
A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?
Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?
Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?
Which of the following is the BEST method to prevent malware from being introduced into a production environment?
The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
What is the BEST approach to addressing security issues in legacy web applications?
Who in the organization is accountable for classification of data information assets?
Which security service is served by the process of encryption plaintext with the sender’s private key and decrypting cipher text with the sender’s public key?
Which of the following mobile code security models relies only on trust?
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
The use of private and public encryption keys is fundamental in the implementation of which of the following?
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified automated vulnerability assessments?
In which of the following programs is it MOST important to include the collection of security process data?
Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?
Which of the following BEST represents the concept of least privilege?
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?
A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take?
A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following the controls categories does this company need to improve when analyzing its processes individually?
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
Which of the following is needed to securely distribute symmetric cryptographic keys?
In order to assure authenticity, which of the following are required?
Which technology is a prerequisite for populating the cloud-based directory in a federated identity solution?
In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is MAIN purpose of the DMZ?
Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization network?
An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets. Which of the following BEST describes what has occurred?
An organization’s information security strategic plan MUST be reviewed
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?
What does the Maximum Tolerable Downtime (MTD) determine?