
CISSP® Official (ISC)2 Practice Tests


David Seidl

Mike Chapple






For Renee, the most patient and caring person I know. Thank you for being the heart of our family.
—MJC


This book is for Lauren, who supports me through each writing endeavor, and for the wonderful teachers and professors who shared both their knowledge and their lifelong love of learning with me.
—DAS

Acknowledgments

The authors would like to thank the many people who made this book possible. Jim Minatel at Wiley Publishing helped us extend the Sybex CISSP franchise to include this new title and gain important support from the International Information Systems Security Certification Consortium, (ISC)2. Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Addam Schroll, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. Jeff Parker’s technical proofing ensured a polished product. Kim Wimpsett served as developmental editor and managed the project smoothly. Many other people we’ll never meet worked behind the scenes to make this book a success.

About the Authors

Mike Chapple, Ph.D., CISSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2015), now in its seventh edition. He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as Senior Director for IT Service Delivery at the University of Notre Dame. In this role, he oversees the information security, data governance, IT architecture, project management, strategic planning, and product management functions for Notre Dame. Mike also serves as a concurrent assistant professor in the university’s Computing and Digital Technologies department, where he teaches undergraduate courses on information security.

Before returning to Notre Dame, Mike served as Executive Vice President and Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

He is a technical editor for Information Security Magazine and has written 20 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2015), the CompTIA Security+ Training Kit (Microsoft Press, 2013), and the CISSP Study Guide (Sybex, 7th edition, 2015).

Mike earned both his BS and Ph.D. degrees from Notre Dame in computer science & engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University.


David Seidl, CISSP, is the Senior Director for Campus Technology Services at the University of Notre Dame. As the Senior Director for CTS, David is responsible for central platform and operating system support, database administration and services, identity and access management, application services, and email and digital signage. Prior to his current role, he was Notre Dame’s Director of Information Security.

David teaches a popular course on networking and security for Notre Dame’s Mendoza College of Business. In addition to his professional and teaching roles, he has co-authored the CompTIA Security+ Training Kit (Microsoft Press, 2013) and Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2015), and served as the technical editor for the 6th (Sybex, 2012) and 7th (Sybex, 2015) editions of the CISSP Study Guide. David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, and GCIH certifications.

Introduction

CISSP Official (ISC)2 Practice Tests is a companion volume to the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. If you’re looking to test your knowledge before you take the CISSP exam, this book will help you by providing 1,300 questions that cover the CISSP Common Body of Knowledge, together with easy-to-understand explanations of both the right and the wrong answers.

If you’re just starting to prepare for the CISSP exam, we highly recommend that you use the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition (Stewart, Chapple, and Gibson; Sybex, 2015), to help you learn about each of the domains covered by the CISSP exam. Once you’re ready to test your knowledge, use this book to help find places where you may need to study more, or to practice for the exam itself.

Since this is a companion to the CISSP Study Guide, this book is designed to be similar to taking the CISSP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into 10 chapters: 8 domain-centric chapters with 100 questions about each domain, and 2 chapters that contain 250-question practice tests to simulate taking the exam itself.

CISSP Certification

The CISSP certification is offered by the International Information Systems Security Certification Consortium, or (ISC)2, a global nonprofit. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. They achieve this mission by delivering the world’s leading information security certification program. The CISSP is the flagship credential in this series and is accompanied by several other (ISC)2 programs, including the Systems Security Certified Practitioner (SSCP), the Certified Authorization Professional (CAP), the Certified Secure Software Lifecycle Professional (CSSLP), the HealthCare Information Security and Privacy Practitioner (HCISPP), and the Certified Cloud Security Professional (CCSP).

There are also three advanced CISSP certifications for those who wish to move on from the base credential to demonstrate advanced expertise in a domain of information security: the Information Systems Security Architecture Professional (CISSP-ISSAP), the Information Systems Security Engineering Professional (CISSP-ISSEP), and the Information Systems Security Management Professional (CISSP-ISSMP).

The CISSP certification covers eight domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession. They include:

    1. Security and Risk Management
    2. Asset Security
    3. Security Engineering
    4. Communication and Network Security
    5. Identity and Access Management
    6. Security Assessment and Testing
    7. Security Operations
    8. Software Development Security

The CISSP domains are periodically updated by (ISC)2. The last revision in April 2015 changed from 10 domains to the 8 listed here, and included a major realignment of topics and ideas. At the same time, a number of new areas were added or expanded to reflect changes in common information security topics.

Complete details on the CISSP Common Body of Knowledge (CBK) are contained in the Candidate Information Bulletin (CIB). The CIB, which includes a full outline of exam topics, can be found on the (ISC)2 website at www.isc2.org.

Taking the CISSP Exam

The CISSP exam is a 6-hour exam that consists of 250 questions covering the eight domains. Passing requires achieving a score of at least 700 out of 1,000 points. It’s important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily. That said, as you work through these practice exams, you might want to use 70 percent as a yardstick to help you get a sense of whether you’re ready to sit for the actual exam. When you’re ready, you can schedule an exam via links provided on the (ISC)2 website—tests are offered in locations throughout the world.

Questions on the CISSP exam are provided in both multiple-choice form and what (ISC)2 calls “advanced innovative” questions, which are drag and drop and hotspot questions, both of which are offered in computer-based testing environments. Innovative questions are scored the same as traditional multiple-choice questions and have only one right answer.

Computer-Based Testing Environment

Almost all CISSP exams are now administered in a computer-based testing (CBT) format. You’ll register for the exam through the Pearson VUE website and may take the exam in the language of your choice. It is offered in English, French, German, Portuguese, Spanish, Japanese, Simplified Chinese, Korean, and a format for the visually impaired.

You’ll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you’d like to become more familiar with the testing environment, the Pearson VUE website offers a virtual tour of a testing center: https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx

When you sit down to take the exam, you’ll be seated at a computer that has the exam software already loaded and running. It’s a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from Pearson at: http://www.vue.com/athena/athena.asp

Exam Retake Policy

If you don’t pass the CISSP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and CISSP exam format. You’ll also have time to study up on the areas where you felt less confident.

After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you must then wait 90 days before your third attempt and 180 days before your fourth attempt. You may not take the exam more than three times in a single calendar year.

Work Experience Requirement

Candidates who wish to earn the CISSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information security field. Your work experience must cover activities in at least two of the eight domains of the CISSP program and must be paid, full-time employment. Volunteer experiences or part-time duties are not acceptable to meet the CISSP experience requirement.

You may be eligible to waive one of the five years of the work experience requirement based on your educational achievements. If you hold a bachelor’s degree or four-year equivalent, you may be eligible for a degree waiver that covers one of those years. Similarly, if you hold one of the information security certifications on the current (ISC)2 credential waiver list (https://www.isc2.org/credential_waiver/default.aspx), you may also waive a year of the experience requirement. You may not combine these two programs. Holders of both a certification and an undergraduate degree must still demonstrate at least four years of experience.

If you haven’t yet completed your work experience requirement, you may still attempt the CISSP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have six years to complete the work experience requirement.

Recertification Requirements

Once you’ve earned your CISSP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CISSP exam.

Currently, the annual maintenance fees for the CISSP credential are $85 per year. Individuals who hold one of the advanced CISSP concentrations will need to pay an additional $35 annually for each concentration they hold.

The CISSP CPE requirement mandates earning at least 40 CPE credits each year toward the 120-credit three-year requirement. (ISC)2 provides an online portal where certificants may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.

Using This Book to Practice

This book is composed of 10 chapters. Each of the first eight chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine if you’re ready for the CISSP exam.

We recommend taking the first practice exam to help identify where you may need to spend more study time, and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the second practice exam to make sure you’ve covered all of the material and are ready to attempt the CISSP exam.

Chapter 1
Security and Risk Management (Domain 1)

  1. What is the final step of a quantitative risk analysis?

    1. Determine asset value.
    2. Assess the annualized rate of occurrence.
    3. Derive the annualized loss expectancy.
    4. Conduct a cost/benefit analysis.
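    The sequence this question tests (asset value, exposure factor, single loss expectancy, annualized rate of occurrence, annualized loss expectancy, and only then the cost/benefit comparison of a safeguard) is easier to keep straight when it is carried through with numbers. The Python below is an added illustration, not code from the book; the asset value, exposure factors, occurrence rate and safeguard costs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, with the inputs a quantitative analysis needs."""
    asset_value: float      # AV: value of the asset (dollars here; figures are constructed)
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0.0 to 1.0
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_safeguard_cost: float) -> float:
    """The final step, cost/benefit analysis:
    value = ALE(before safeguard) - ALE(after safeguard) - annual cost of the safeguard.
    A positive value means the control prevents more annual loss than it costs to run."""
    return before.ale() - after.ale() - annual_safeguard_cost


def worth_implementing(before: Exposure, after: Exposure, annual_safeguard_cost: float) -> bool:
    """Recommend the safeguard only when its value is positive."""
    return safeguard_value(before, after, annual_safeguard_cost) > 0


# Constructed scenario (hypothetical numbers): a $500,000 server room facing fire.
# Without suppression a fire destroys 40% of the value; with suppression, 10%.
# Either way the analyst estimates one fire every 20 years (ARO = 0.05).
FIRE_UNCONTROLLED = Exposure(asset_value=500_000, exposure_factor=0.40, aro=0.05)
FIRE_WITH_SUPPRESSION = Exposure(asset_value=500_000, exposure_factor=0.10, aro=0.05)

if __name__ == "__main__":
    for label, exposure in (("no control", FIRE_UNCONTROLLED), ("suppression", FIRE_WITH_SUPPRESSION)):
        print(f"{label:12s} SLE=${exposure.sle():>10,.0f}  ALE=${exposure.ale():>8,.0f}")
    for cost in (5_000, 9_000):  # two candidate suppression contracts, annual cost
        value = safeguard_value(FIRE_UNCONTROLLED, FIRE_WITH_SUPPRESSION, cost)
        verdict = "implement" if worth_implementing(FIRE_UNCONTROLLED, FIRE_WITH_SUPPRESSION, cost) else "reject"
        print(f"safeguard at ${cost:,}/yr: value ${value:,.0f} -> {verdict}")
```

    With these inputs the uncontrolled ALE is $10,000 and the controlled ALE is $2,500, so a $5,000-per-year suppression contract has a value of $2,500 and is worth buying, while a $9,000 contract has a value of -$1,500 and should be rejected even though it reduces the same risk. In practice the weak point of the analysis is the ARO and EF estimates, so record where each figure came from alongside the result.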
  2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?

    1. Spoofing
    2. Information disclosure
    3. Repudiation
    4. Tampering
  3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?

    1. Storage of information by a customer on a provider’s server
    2. Caching of information by the provider
    3. Transmission of information over the provider’s network by a customer
    4. Caching of information in a provider search engine
  4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?

    1. Notice
    2. Choice
    3. Onward Transfer
    4. Enforcement
  5. Which one of the following is not one of the three common threat modeling techniques?

    1. Focused on assets
    2. Focused on attackers
    3. Focused on software
    4. Focused on social engineering
  6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?

    1. Student identification number
    2. Social Security number
    3. Driver’s license number
    4. Credit card number
  7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?

    1. Due diligence rule
    2. Personal liability rule
    3. Prudent man rule
    4. Due process rule
  8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?

    1. Username
    2. PIN
    3. Security question
    4. Fingerprint scan
  9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?

    1. Department of Defense
    2. Department of the Treasury
    3. State Department
    4. Department of Commerce
  10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

    1. GLBA
    2. SOX
    3. HIPAA
    4. FERPA
  11. Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

    1. FISMA
    2. PCI DSS
    3. HIPAA
    4. GISRA
  12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

    1. Memory chips
    2. Office productivity applications
    3. Hard drives
    4. Encryption software
  13. Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model?

    1. Spoofing
    2. Repudiation
    3. Tampering
    4. Elevation of privilege
  14. You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?

    1. Implement new security controls to reduce the risk level.
    2. Design a disaster recovery plan.
    3. Repeat the business impact assessment.
    4. Document your decision-making process.
  15. Which one of the following control categories does not accurately describe a fence around a facility?

    1. Physical
    2. Detective
    3. Deterrent
    4. Preventive
  16. Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

    1. Quantitative risk assessment
    2. Qualitative risk assessment
    3. Neither quantitative nor qualitative risk assessment
    4. Combination of quantitative and qualitative risk assessment
  17. What law provides intellectual property protection to the holders of trade secrets?

    1. Copyright Law
    2. Lanham Act
    3. Glass-Steagall Act
    4. Economic Espionage Act
  18. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

    1. Due diligence
    2. Separation of duties
    3. Due care
    4. Least privilege
  19. Darcy is designing a fault-tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?

    1. One
    2. Two
    3. Three
    4. Five
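    The reason for the three-disk minimum is visible once you see what RAID-5 actually stores: each stripe holds data blocks on all but one disk and the XOR of those blocks on the remaining disk, with the parity position rotating from stripe to stripe. With only two disks the "parity" of a single data block is the block itself, which is mirroring, not RAID-5. The Python below is an added example, not code from the book; it simulates a RAID-5 array in memory over any number of disks, then rebuilds the data after any single disk is lost. The sample payload and block size are constructed for the demonstration.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte; this is the RAID-5 parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def usable_capacity(n_disks: int, disk_size: int) -> int:
    """RAID-5 gives up exactly one disk's worth of space to parity, wherever it is placed."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    return (n_disks - 1) * disk_size


def raid5_write(data: bytes, n_disks: int, block_size: int = 4) -> List[List[bytes]]:
    """Stripe data across n_disks with one rotating parity block per stripe.
    Returns a list of per-disk block lists (disk 0, disk 1, ...)."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks (two would just be a mirror)")
    data_blocks = n_disks - 1
    stripe_len = data_blocks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_len)  # fill the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe, offset in enumerate(range(0, len(padded), stripe_len)):
        chunks = [padded[offset + i * block_size: offset + (i + 1) * block_size]
                  for i in range(data_blocks)]
        parity = xor_blocks(chunks)
        parity_disk = stripe % n_disks  # rotate parity so no single disk is the bottleneck
        remaining = iter(chunks)
        for disk in range(n_disks):
            disks[disk].append(parity if disk == parity_disk else next(remaining))
    return disks


def raid5_read(disks: List[List[bytes]], length: int, failed: Optional[int] = None) -> bytes:
    """Read back `length` bytes. If `failed` names a disk, nothing is read from it; each of
    its data blocks is rebuilt as the XOR of every other disk's block in that stripe."""
    n_disks = len(disks)
    live = next(d for d in range(n_disks) if d != failed)
    out = bytearray()
    for stripe in range(len(disks[live])):
        parity_disk = stripe % n_disks
        for disk in range(n_disks):
            if disk == parity_disk:
                continue  # parity is not user data; a lost parity block needs no rebuild on read
            if disk == failed:
                others = [disks[o][stripe] for o in range(n_disks) if o != disk]
                out += xor_blocks(others)
            else:
                out += disks[disk][stripe]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"RAID-5 parity demo!"  # constructed sample data
    array = raid5_write(payload, n_disks=3)
    for lost in range(3):
        print(f"disk {lost} lost -> {raid5_read(array, len(payload), failed=lost)!r}")
    print("usable capacity of 3 x 1 TB:", usable_capacity(3, 1_000), "GB")
```

    Each run reconstructs the original bytes whichever single disk is dropped; dropping a second disk in the same array leaves stripes with two unknowns and one equation, which is why RAID-5 tolerates exactly one failure and why rebuild time after a failure matters.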
  20. Which one of the following is an example of an administrative control?

    1. Intrusion detection system
    2. Security awareness training
    3. Firewalls
    4. Security guards
  21. Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wishes to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

    1. Patent
    2. Trade secret
    3. Copyright
    4. Trademark
  22. Which one of the following actions might be taken as part of a business continuity plan?

    1. Restoring from backup tapes
    2. Implementing RAID
    3. Relocating to a cold site
    4. Restarting business operations
  23. When developing a business impact analysis, the team should first create a list of assets. What should happen next?

    1. Identify vulnerabilities in each asset.
    2. Determine the risks facing the asset.
    3. Develop a value for each asset.
    4. Identify threats facing each asset.
  24. Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

    1. Risk acceptance
    2. Risk avoidance
    3. Risk mitigation
    4. Risk transference
  25. Which one of the following is an example of physical infrastructure hardening?

    1. Antivirus software
    2. Hardware-based network firewall
    3. Two-factor authentication
    4. Fire suppression system
  26. Which one of the following is normally used as an authorization tool?

    1. ACL
    2. Token
    3. Username
    4. Password
  27. The International Information Systems Security Certification Consortium uses the logo below to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?

    Diagram shows the logo of International Information Systems Security Certification Consortium.
    1. Copyright
    2. Patent
    3. Trade secret
    4. Trademark
  28. Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

    Cryptolocker dialog box shows the warning message that Your personal files are encrypted, any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
    1. Availability
    2. Confidentiality
    3. Disclosure
    4. Distributed
  29. Which one of the following organizations would not be automatically subject to the terms of HIPAA if they engage in electronic transactions?

    1. Healthcare provider
    2. Health and fitness application developer
    3. Health information clearinghouse
    4. Health insurance plan
  30. John’s network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with ICMP ECHO REPLY packets and believes that his organization is the victim of a Smurf attack. What principle of information security is being violated?

    1. Availability
    2. Integrity
    3. Confidentiality
    4. Denial
  31. Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. What type of plan is she developing?

    1. Operational
    2. Tactical
    3. Summary
    4. Strategic
  32. What government agency is responsible for the evaluation and registration of trademarks?

    1. USPTO
    2. Library of Congress
    3. TVA
    4. NIST
  33. The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

    1. Mandatory vacation
    2. Separation of duties
    3. Defense in depth
    4. Job rotation
  34. Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

    1. Banks
    2. Defense contractors
    3. School districts
    4. Hospitals
  35. Robert is responsible for securing systems used to process credit card information. What standard should guide his actions?

    1. HIPAA
    2. PCI DSS
    3. SOX
    4. GLBA
  36. Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?

    1. Data custodian
    2. Data owner
    3. User
    4. Auditor
  37. Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan’s company’s rights?

    1. Trade secret
    2. Copyright
    3. Trademark
    4. Patent
  38. Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?

    1. United States Code
    2. Supreme Court rulings
    3. Code of Federal Regulations
    4. Compendium of Laws
  39. Tom is installing a next-generation firewall (NGFW) in his data center that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower?

    1. Impact
    2. RPO
    3. MTO
    4. Likelihood
  40. Which one of the following individuals would be the most effective organizational owner for an information security program?

    1. CISSP-certified analyst
    2. Chief information officer
    3. Manager of network security
    4. President and CEO
  41. What important function do senior managers normally fill on a business continuity planning team?

    1. Arbitrating disputes about criticality
    2. Evaluating the legal environment
    3. Training staff
    4. Designing failure controls
  42. You are the CISO for a major hospital system and are preparing to sign a contract with a Software-as-a-Service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

    1. SOC-1
    2. FISMA
    3. PCI DSS
    4. SOC-2
  43. Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

    1. Repudiation
    2. Information disclosure
    3. Tampering
    4. Elevation of privilege
  44. Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?

    1. Integrity
    2. Availability
    3. Confidentiality
    4. Denial
  45. Which one of the following issues is not normally addressed in a service-level agreement (SLA)?

    1. Confidentiality of customer information
    2. Failover time
    3. Uptime
    4. Maximum consecutive downtime
  46. Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?

    1. Trademark
    2. Copyright
    3. Patent
    4. Trade secret

    Questions 47–49 refer to the following scenario.

    Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The LAN contains modern switch equipment connected to both wired and wireless networks.

    Each office has its own file server, and the IT team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

    You are the newly appointed IT manager for Juniper Content and you are working to augment existing security controls to improve the organization’s security.

  47. Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?

    1. Digital signatures
    2. Virtual private network
    3. Virtual LAN
    4. Digital content management
  48. You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?

    1. Server clustering
    2. Load balancing
    3. RAID
    4. Scheduled backups
  49. Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?

    1. Hashing
    2. ACLs
    3. Read-only attributes
    4. Firewalls
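    The distinction behind question 49 is that ACLs and read-only attributes try to prevent modification, while a hash baseline lets you prove, later, whether modification happened. The Python below is an added example, not code from the book or from the scenario's company: it builds a SHA-256 baseline over a set of files, reports modified, missing and new files on a later check, and seals the baseline with an HMAC so that an attacker who can rewrite the records cannot quietly rewrite the baseline too. The file contents and the key are constructed for the example; in practice the key and the sealed baseline live somewhere the file server cannot write.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample "historical records" standing in for files on the office server.
SAMPLE_FILES: Dict[str, bytes] = {
    "records/2014-ledger.csv": b"date,client,amount\n2014-03-01,ACME,1200\n",
    "records/2015-ledger.csv": b"date,client,amount\n2015-06-12,Globex,800\n",
}
# Hypothetical sealing key; keep the real one off the server whose files it protects.
DEMO_KEY = b"example-key-kept-off-the-server"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 digest per file while the files are known to be good."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def verify(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Periodic check: recompute every digest and compare it with the baseline."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "new": []}
    for name, expected in baseline.items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(expected, sha256_hex(files[name])):
            report["modified"].append(name)
    report["new"] = sorted(name for name in files if name not in baseline)
    return report


def seal_baseline(baseline: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical serialization, so edits to the baseline itself are detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: Dict[str, str], tag: str, key: bytes) -> bool:
    """Check the seal before trusting a baseline read back from storage."""
    return hmac.compare_digest(seal_baseline(baseline, key), tag)


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    tag = seal_baseline(baseline, DEMO_KEY)

    # Simulate a later check after one ledger line was altered.
    tampered = dict(SAMPLE_FILES)
    tampered["records/2014-ledger.csv"] = tampered["records/2014-ledger.csv"].replace(b"1200", b"1300")
    print("clean check   :", verify(baseline, SAMPLE_FILES))
    print("tampered check:", verify(baseline, tampered))
    print("baseline seal :", baseline_is_authentic(baseline, tag, DEMO_KEY))
```

    A read-only attribute or ACL still belongs in front of these files, but neither tells you after the fact whether an administrator, a compromised account, or a faulty synchronization job changed them; the periodic digest comparison does, provided the baseline itself is protected.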
  50. What law serves as the basis for privacy rights in the United States?

    1. Privacy Act of 1974
    2. Fourth Amendment
    3. First Amendment
    4. Electronic Communications Privacy Act of 1986
  51. Which one of the following is not normally included in business continuity plan documentation?

    1. Statement of accounts
    2. Statement of importance
    3. Statement of priorities
    4. Statement of organizational responsibility
  52. An accounting employee at Doolitte Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

    1. Separation of duties
    2. Least privilege
    3. Defense in depth
    4. Mandatory vacation
  53. Which one of the following is not normally considered a business continuity task?

    1. Business impact assessment
    2. Emergency response guidelines
    3. Electronic vaulting
    4. Vital records program
  54. Which information security goal is impacted when an organization experiences a DoS or DDoS attack?

    1. Confidentiality
    2. Integrity
    3. Availability
    4. Denial
  55. Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?

    1. Policy
    2. Baseline
    3. Guideline
    4. Procedure
  56. Who should receive initial business continuity plan training in an organization?

    1. Senior executives
    2. Those with specific business continuity roles
    3. Everyone in the organization
    4. First responders
  57. James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

    1. Purchase cost
    2. Depreciated cost
    3. Replacement cost
    4. Opportunity cost
  58. The Computer Security Act of 1987 gave a federal agency responsibility for developing computer security standards and guidelines for federal computer systems. What agency did the act give this responsibility to?

    1. National Security Agency
    2. Federal Communications Commission
    3. Department of Defense
    4. National Institute of Standards and Technology
  59. Which one of the following is not a requirement for an invention to be patentable?

    1. It must be new.
    2. It must be invented by an American citizen.
    3. It must be nonobvious.
    4. It must be useful.
  60. Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?

    1. Confidentiality
    2. Integrity
    3. Availability
    4. Denial
  61. What is the formula used to determine risk?

    1. Risk = Threat * Vulnerability
    2. Risk = Threat / Vulnerability
    3. Risk = Asset * Threat
    4. Risk = Asset / Threat
  62. The graphic below shows the NIST risk management framework with step 4 missing. What is the missing step?

    Diagram shows the steps such as categorize information system, select security controls, implement security controls, authorize information system and monitor security controls which are numbered as 1, 2, 3, 5 and 6 respectively.
    1. Assess security controls
    2. Determine control gaps
    3. Remediate control gaps
    4. Evaluate user activity
  63. HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

    1. Risk mitigation
    2. Risk acceptance
    3. Risk transference
    4. Risk avoidance
  64. Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?

    1. Availability
    2. Denial
    3. Confidentiality
    4. Integrity
  65. Which one of the following components should be included in an organization’s emergency response guidelines?

    1. List of individuals who should be notified of an emergency incident
    2. Long-term business continuity protocols
    3. Activation procedures for the organization’s cold sites
    4. Contact information for ordering equipment
  66. Who is the ideal person to approve an organization’s business continuity plan?

    1. Chief information officer
    2. Chief executive officer
    3. Chief information security officer
    4. Chief operating officer
  67. Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?

    1. Structured analysis of the organization
    2. Review of the legal and regulatory landscape
    3. Creation of a BCP team
    4. Documentation of the plan
  68. Gary is implementing a new RAID-based disk system designed to keep a server up and running even in the event of a single disk failure. What principle of information security is Gary seeking to enforce?

    1. Denial
    2. Confidentiality
    3. Integrity
    4. Availability
  69. Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?

    1. Cold site
    2. Warm site
    3. Hot site
    4. Mobile site
  70. What is the threshold for malicious damage to a federal computer system that triggers the Computer Fraud and Abuse Act?

    1. $500
    2. $2,500
    3. $5,000
    4. $10,000
  71. Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

    1. ITIL
    2. ISO 27002
    3. CMM
    4. PMBOK Guide
  72. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

    1. ECPA
    2. CALEA
    3. Privacy Act
    4. HITECH Act
  73. Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?

    1. FERPA
    2. GLBA
    3. HIPAA
    4. HITECH
  74. Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?

    1. NCA
    2. SLA
    3. NDA
    4. RTO
  75. Which one of the following is not an example of a technical control?

    1. Router ACL
    2. Firewall rule
    3. Encryption
    4. Data classification
  76. Which one of the following stakeholders is not typically included on a business continuity planning team?

    1. Core business function leaders
    2. Information technology staff
    3. CEO
    4. Support departments
  77. Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?

    1. Authentication
    2. Authorization
    3. Integrity
    4. Nonrepudiation
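The distinction behind question 77 is easy to get wrong in practice: a message authentication code proves origin only to the party that shares the key, while a digital signature lets the recipient convince an outside party. The following example is added here to show that difference in running code; it is not from the book. It uses only the Python standard library, so the signature is textbook RSA with a deliberately tiny key (n = 61 × 53) and no padding, chosen to keep the mechanics visible; a real messaging system would use a vetted library and a modern scheme such as Ed25519 or RSA-PSS. The message and shared key are constructed sample values.

```python
"""MAC versus digital signature: which one gives a third party evidence of origin?

Added example, not from the book. The RSA key below is a toy (insecure) key
used only to illustrate that verification needs nothing but the public key.
"""
import hashlib
import hmac

# Constructed sample data (hypothetical, not from the book).
MESSAGE = b"transfer 500 USD from acct 1234 to acct 9876"
SHARED_KEY = b"bank-and-customer-shared-secret"


# --- Shared-key MAC -------------------------------------------------------
def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag. Anyone holding shared_key can produce it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# --- Toy RSA signature ----------------------------------------------------
# n = 61 * 53 = 3233, phi(n) = 60 * 52 = 3120, e = 17, d = 17^-1 mod 3120 = 2753.
PUBLIC_KEY = (3233, 17)     # (n, e): handed to anyone who must verify
PRIVATE_KEY = (3233, 2753)  # (n, d): held only by the originator


def _digest_mod_n(message: bytes, n: int) -> int:
    # Real schemes pad the hash (PSS, PKCS#1 v1.5); with a toy modulus we
    # simply reduce SHA-256 modulo n so the value fits.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple[int, int], message: bytes) -> int:
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Needs only (n, e): a judge, auditor or counterparty can run this."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo() -> dict:
    """Compare what each mechanism proves to a third party."""
    tag = mac_tag(SHARED_KEY, MESSAGE)
    # The recipient holds the same key, so it can mint the identical tag.
    # A valid MAC therefore proves only that *someone with the key* sent the
    # message, and the recipient is one of those people: no nonrepudiation.
    recipient_forgery = mac_tag(SHARED_KEY, MESSAGE)

    sig = sign(PRIVATE_KEY, MESSAGE)
    # Because x -> x^e mod n is a permutation, exactly one value verifies for
    # a given message; any other signature value is rejected.
    altered_sig = (sig + 1) % PUBLIC_KEY[0]
    return {
        "mac_valid": mac_verify(SHARED_KEY, MESSAGE, tag),
        "mac_forgeable_by_recipient": recipient_forgery == tag,
        "sig_valid_with_public_key_only": verify(PUBLIC_KEY, MESSAGE, sig),
        "sig_rejects_modified_signature": not verify(PUBLIC_KEY, MESSAGE, altered_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for Ben's design: a valid MAC tells a judge only that the message was tagged by one of the key holders, and the recipient is one of them; a signature verifies under a key the recipient never held, so the recipient could not have produced it. The toy modulus here is far too small for real use, and in production a signature should also bind a timestamp or sequence number so a replayed message cannot be passed off as a fresh one.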
  78. What principle of information security states that an organization should implement overlapping security controls whenever possible?

    1. Least privilege
    2. Separation of duties
    3. Defense in depth
    4. Security through obscurity
  79. Which one of the following is not a goal of a formal change management program?

    1. Implement change in an orderly fashion.
    2. Test changes prior to implementation.
    3. Provide rollback plans for changes.
    4. Inform stakeholders of changes after they occur.
  80. Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?

    1. Purchasing insurance
    2. Encrypting the database contents
    3. Removing the data
    4. Objecting to the exception
  81. The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown below. Which quadrant contains the risks that require the most immediate attention?

    Probability versus impact plot shows a 2 by 2 matrix in which quadrants on top right, top left, bottom left and bottom right are numbered as 1, 2, 3 and 4 respectively.
    1. I
    2. II
    3. III
    4. IV
  82. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with Human Resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?

    1. Informing other employees of the termination
    2. Retrieval of photo ID
    3. Calculation of final paycheck
    4. Revocation of electronic access rights
  83. Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?

    1. Risk avoidance
    2. Risk mitigation
    3. Risk transference
    4. Risk acceptance
  84. Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?

    1. 13
    2. 15
    3. 17
    4. 18
  85. Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown below, and determines that the area he is considering lies within a 100-year flood plain.

    Image described by surrounding text.

    What is the ARO of a flood in this area?

    1. 100
    2. 1
    3. 0.1
    4. 0.01
  86. You discover that a user on your network has been using the Wireshark tool, as shown in the following screen shot. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?

    Screenshot shows time, source IP number, destination IP number and info of ARP, NBNS, ICMP, IGMP, DNS, UDP and TCP. It also shows source port, destination port, sequence number and header length of TCP.
    1. Integrity
    2. Denial
    3. Availability
    4. Confidentiality
  87. Alan is performing threat modeling and decides that it would be useful to decompose the system into the key elements shown in the following illustration. What tool is he using?

    Diagram shows the communication between users, user-web server boundary, web servlet, login process, web pages, web server-database boundary, college library database and database files.

    Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.

    1. Vulnerability assessment
    2. Fuzzing
    3. Reduction analysis
    4. Data modeling
  88. What law governs the handling of information related to the financial statements of publicly traded companies?

    1. GLBA
    2. PCI DSS
    3. HIPAA
    4. SOX
  89. Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map below from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk?

    Map of the United States shows regions of 0 to 2, 2 to 4, 4 to 8, 8 to 16, 16 to 24, 24 to 32 and more than 32 percentage of hazard.

    Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.

    1. New York
    2. North Carolina
    3. Indiana
    4. Florida
  90. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

    1. Password
    2. Retinal scan
    3. Username
    4. Token
  91. Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

    1. Quantitative
    2. Qualitative
    3. Annualized loss expectancy
    4. Reduction
  92. Which one of the following is the first step in developing an organization’s vital records program?

    1. Identifying vital records
    2. Locating vital records
    3. Archiving vital records
    4. Preserving vital records
  93. Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?

    1. Awareness
    2. Training
    3. Education
    4. Indoctrination
  94. Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?

    1. Training
    2. Education
    3. Indoctrination
    4. Awareness
  95. Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a hacker might use a SQL injection attack to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat?

    1. Unpatched web application
    2. Web defacement
    3. Hacker
    4. Operating system

    Questions 96–98 refer to the following scenario.

    Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornadoes. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

    Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

  96. Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?

    1. 10%
    2. 25%
    3. 50%
    4. 75%
  97. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?

    1. 0.0025
    2. 0.005
    3. 0.01
    4. 0.015
  98. Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?

    1. $25,000
    2. $50,000
    3. $250,000
    4. $500,000
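The figures asked for in questions 85 and 96–98 all come from the same three quantitative risk formulas: SLE = AV × EF, ARO = 1 / return period, and ALE = SLE × ARO. The following Python is added here as a worked example and is not part of the book's own text. It carries the Atwood Landing numbers through those formulas and then goes one step beyond the questions with the standard follow-on calculation, the net value of a safeguard (ALE before the control, minus ALE after it, minus the control's annual cost); the $200,000-per-year hardening program and its assumed halving of tornado damage are hypothetical inputs invented for the illustration.

```python
"""Quantitative risk arithmetic (SLE, ARO, ALE) for the Atwood Landing scenario
and the Miami flood plain question.

Added example, not from the book. The safeguard cost/benefit inputs are
hypothetical and are labelled as such below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float          # AV: replacement cost of the asset
    exposure_factor: float      # EF: fraction of AV lost in a single event (0..1)
    return_period_years: float  # "once every N years"; 200 for Atwood, 100 for a 100-year flood

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized rate of occurrence: expected events per year = 1 / return period."""
        return 1.0 / self.return_period_years

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle * self.aro


def exposure_factor(asset_value: float, loss_per_event: float) -> float:
    """Derive EF from a replacement cost and a per-event damage estimate."""
    if not 0 <= loss_per_event <= asset_value:
        raise ValueError("loss per event must lie between 0 and the asset value")
    return loss_per_event / asset_value


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the control pays for itself; negative is the quantitative
    case for risk acceptance (compare question 83).
    """
    return before.ale - after.ale - annual_cost


# Atwood Landing data center, figures from the scenario: $10M to rebuild,
# a typical tornado does $5M of damage, one tornado every 200 years.
atwood = RiskScenario(
    asset_value=10_000_000,
    exposure_factor=exposure_factor(10_000_000, 5_000_000),  # 0.5 -> 50%
    return_period_years=200,
)

# Miami 100-year flood plain (question 85): only the ARO is determined by the
# map, so AV and EF are placeholders here.
miami_flood_aro = RiskScenario(asset_value=1, exposure_factor=1, return_period_years=100).aro

# Hypothetical hardening program (constructed for the example, not from the
# book): costs $200,000 per year and is assumed to halve tornado damage.
atwood_hardened = RiskScenario(asset_value=10_000_000, exposure_factor=0.25, return_period_years=200)
HARDENING_ANNUAL_COST = 200_000


if __name__ == "__main__":
    print(f"EF  = {atwood.exposure_factor:.0%}")
    print(f"SLE = ${atwood.sle:,.0f}")
    print(f"ARO = {atwood.aro}")
    print(f"ALE = ${atwood.ale:,.0f}")
    print(f"Miami flood ARO = {miami_flood_aro}")
    print(f"Net value of hardening = ${safeguard_value(atwood, atwood_hardened, HARDENING_ANNUAL_COST):,.0f}")
```

With the book's numbers the Atwood figures come out at EF 50%, ARO 0.005 and ALE $25,000, and the Miami flood ARO is 0.01. The hypothetical hardening program saves only $12,500 a year against a $200,000 cost, which is the kind of result that justifies the acceptance decision in question 83 rather than mitigation.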
  99. John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?

    1. Spoofing
    2. Repudiation
    3. Information disclosure
    4. Elevation of privilege
  100. Which one of the following is an administrative control that can protect the confidentiality of information?

    1. Encryption
    2. Non-disclosure agreement
    3. Firewall
    4. Fault tolerance