
Exam:

CISSP - (ISC)2 Certified Information Systems Security Professional - Chapter 16



1.-Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?
A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis

2.-An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?
A. Principle of least permission
B. Separation of duties (SoD)
C. Need to know
D. Job rotation



3.-What concept is used to grant users only the rights and permissions they need to complete their job responsibilities?
A. Need to know
B. Mandatory vacations
C. Least privilege principle
D. Service-level agreement (SLA)

4.-A large organization using a Microsoft domain wants to limit the amount of time users have elevated privileges. Which of the following security operation concepts can be used to support this goal?
A. Principle of least permission
B. Separation of duties
C. Need to know
D. Privileged account management

5.-An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?
A. Read
B. Modify
C. Full access
D. No access

6.-You want to apply the least privilege principle when creating new accounts in the software development department. Which of the following should you do?
A. Create each account with only the rights and permissions needed by the employee to perform their job.
B. Give each account full rights and permissions to the servers in the software development department.
C. Create each account with no rights and permissions.
D. Add the accounts to the local Administrators group on the new employee’s computer.

7.-Your organization has divided a high-level auditing function into several individual job tasks. These tasks are divided between three administrators. None of the administrators can perform all of the tasks. What does this describe?
A. Job rotation
B. Mandatory vacation
C. Separation of duties
D. Least privilege

8.-A financial organization commonly has employees switch duty responsibilities every 6 months. What security principle are they employing?
A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Least privilege



9.-Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy?
A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels

10.-Your organization has contracted with a third-party provider to host cloud-based servers. Management wants to ensure there are monetary penalties if the third party doesn’t meet their contractual responsibilities related to uptimes and downtimes. Which of the following is the best choice to meet this requirement?
A. MOU
B. ISA
C. SLA
D. SED



11.-Which one of the following is a cloud-based service model that gives an organization the most control and requires the organization to perform all maintenance on operating systems and applications?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public



12.-Which one of the following is a cloud-based service model that allows users to access email via a web browser?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Public

13.-The IT department routinely uses images when deploying new systems. Of the following choices, what is a primary benefit of using images?
A. Provides a baseline for configuration management
B. Improves patch management response times
C. Reduces vulnerabilities from unpatched systems
D. Provides documentation for changes

14.-A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn’t with the script but instead with the modification. What could have prevented this?
A. Vulnerability management
B. Patch management
C. Change management
D. Blocking all scripts


15.-Which of the following steps would be included in a change management process? (Choose three.)
A. Immediately implement the change if it will improve performance.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.

16.-A new CIO learned that an organization doesn’t have a change management program. The CIO insists one be implemented immediately. Of the following choices, what is a primary goal of a change management program?
A. Personnel safety
B. Allowing rollback of changes
C. Ensuring that changes do not reduce security
D. Auditing privilege access

17.-Systems within an organization are configured to receive and apply patches automatically. After receiving a patch, 55 of the systems automatically restarted and booted into a stop error. What could have prevented this problem without sacrificing security?
A. Disable the setting to apply the patches automatically.
B. Implement a patch management program to approve all patches.
C. Ensure systems are routinely audited for patches.
D. Implement a patch management program that tests patches before deploying them.

18.-A security administrator wants to verify the existing systems are up to date with current patches. Of the following choices, what is the best method to ensure systems have the required patches?
A. Patch management system
B. Patch scanner
C. Penetration tester
D. Fuzz tester

19.-A recent attack on servers within your organization caused an excessive outage. You need to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need?
A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review



20.-Which one of the following processes is most likely to list all security risks within a system?
A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan