Examen

Examen:

CISSP - (ISC)2 Certified Information Systems Security Professional - Chapter 02

You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO.

1.-Which of the following is likely the element of the organization that is considered the weakest?
A. Software products
B. Internet connections
C. Security policies
D. Humans

Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization.

2.-When seeking to hire new employees, what is the first step?
A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request résumés.

3.-_________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics.
A. Reissue
B. Onboarding
C. Background checks
D. Site survey

After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed.

4.-Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee?
A. Return the exiting employees personal belongings.
B. Review the nondisclosure agreement.
C. Evaluate the exiting employees performance.
D. Cancel the exiting employees parking permit.

5.- Which of the following is a true statement in regard to vendor, consultant, and contractor controls?
A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization.
B. Outsourcing can be used as a risk response option known as acceptance or appetite.
C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. true
D. Risk management strategies implemented by one party do not cause additional risks against or from another party.

Match the term to its definition:

I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure.
II. Anything used in a business process or task.
III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited.
IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
6.-1. Asset
2. Threat
3. Vulnerability
4. Exposure
5. Risk
A. 1-II, 2-V, 3-I, 4-III, 5-IV
B. 1-I, 2-II, 3-IV, 4-II, 5-V
C. 1-II, 2-V, 3-I, 4-IV, 5-III
D. 1-IV, 2-V, 3-III, 4-II, 5-I

While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers.

7.-Based on this information, which of the following is a possible risk?
A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information

During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year.

8.-What is being performed?
A. Qualitative risk assessment
B. Delphi technique
C. Risk avoidance
D. Quantitative risk assessment

You have performed a risk assessment and determined the threats that represent the most significant concern to your organization.

9.-When evaluating safeguards, what is the rule that should be followed in most cases?
A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. The annual costs of safeguards should equal the value of the asset.
C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss.
D. The annual costs of safeguards should not exceed 10 percent of the security budget.

During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset.

10.-What risk response is being exhibited by this situation?
A. Mitigation
B. Ignoring
C. Acceptance
D. Assignment

During the annual review of the companys deployed security infrastructure, you have been reevaluating each security control selection.

11.-How is the value of a safeguard to a company calculated?
A. ALE before safeguard ALE after implementing the safeguard annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard controls gap
D. Total risk controls gap

(Choose all that apply.)
12.-Which of the following are valid definitions for risk?
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
E. The presence of a vulnerability when a related threat exists

A new web application was installed onto the companys public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system.

13.-This is an example of what issue?
A. Inherent risk
B. Risk matrix
C. Qualitative assessment
D. Residual risk

Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organizations security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide.

14.-Which of the five possible levels of RMM is being required of your organization?
A. Preliminary
B. Integrated
C. Defined
D. Optimized

The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases.

15.-Which phase of the RMF focuses on determining whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation are reasonable?
A. Categorize
B. Authorize
C. Assess
D. Monitor

Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well.

(Choose two.)
16.-What improvements should the company implement to address this issue?
A. Deploy a web application firewall.
B. Block access to personal email from the company network.
C. Update the company email server.
D. Implement multifactor authentication (MFA) on the company email server.
E. Perform an access review of all company files.
F. Prohibit access to social networks on company equipment.

17.- What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?
A. Education
B. Awareness
C. Training
D. Termination

(Choose all that apply.)
18.-Which of the following could be classified as a form of social engineering attack?
A. A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share.
B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus.
C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software.
D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEOs private cell phone number so that they can call them.

19.-Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the groups work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.
A. CISO(s)
B. Security champion(s)
C. Security auditor(s)
D. Custodian(s)

The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change.

20.-What is the approach that is being recommended?
A. Program effectiveness evaluation
B. Onboarding
C. Compliance enforcement
D. Gamification