CISSP Exam emulation practice test #1 – Hard difficulty – Results

The correct answer: The feasibility phase: Risk assessments should be built into the feasibility phase of the systems or software development lifecycle to ensure that risks are identified and addressed from the very beginning of the project development. During the feasibility phase, the scope, costs, and benefits of the project are analyzed, making it the ideal time to also consider potential risks that could impact the project’s success. Integrating risk assessment early in the lifecycle allows for proactive risk management throughout the subsequent phases. The incorrect answers: The programming phase: Addressing risks during the programming phase would be too late, as many decisions that could introduce risks have already been made. Risks should be identified and managed much earlier in the lifecycle. The specifications phase: While important for detailing requirements, the specifications phase comes after feasibility, and risks should already have been considered by this point to inform the specifications themselves. The user testing phase: By the time a project reaches user testing, the system or software is near completion. Addressing risks at this late stage means that any significant changes required to mitigate risks could be more costly and time-consuming.

The correct answer: The firewall will allow malicious attacks: If the firewall is designed to fail open and it exceeds its threshold of handling more than 10,000 concurrent sessions, it will stop blocking traffic, which includes potentially malicious attacks. With 50 application servers each allowing 201 sessions to be opened, the total number of concurrent sessions would be 10,050 (50 servers * 201 sessions), just over the threshold. This means the firewall’s default behavior when overwhelmed will be to let all traffic through, including what would normally be blocked under normal operating conditions. The incorrect answers: The firewall will allow only the previously allowed traffic: A firewall that fails open when overwhelmed will not discriminate between previously allowed traffic and new traffic. It will allow all traffic to pass, not just the traffic that was previously allowed. The firewall will block malicious attacks: In this scenario, since the firewall fails open, it will not continue to block malicious attacks once it is overwhelmed with more than 10,000 concurrent sessions. The firewall will block any further use of the previously allowed traffic: A firewall that fails open will not block further use of any traffic because it allows all traffic through when it fails, regardless of whether it was previously allowed or not.

The correct answer: Accountability. In the context of information security, accountability refers to the principle that individuals, organizations, and systems are held responsible for their actions. It ensures that actions can be traced back to their source. The incorrect answers: Authentication: This refers to the processes used to verify the identity of a user, system or application. It doesn’t directly relate to holding people responsible for their actions. Assurance: Assurance measures the confidence in the security controls of the system, ensuring they operate as intended. It doesn’t denote responsibility for actions. Authorization: This refers to the rights and permissions granted to a user or system to access and perform functions. It isn’t about holding individuals or entities responsible for their actions.

The correct answer: Multi-factor authentication, strong access controls, strong authorization controls, and encryption: George can implement multi-factor authentication to add a layer of security that requires users to provide two or more verification factors to gain access to the file with Secret information. Strong access controls can ensure that only authenticated users can access the system. Strong authorization controls can define permissions for users to access specific data based on their roles. Encryption can protect the confidentiality and integrity of the file during storage and transmission, making it unreadable to unauthorized individuals even if they gain access to the storage medium. The incorporation of all these controls provides a comprehensive approach to securing sensitive information, addressing various aspects of security from user authentication and access management to data protection. The incorrect answers: Strong authorization controls, strong access controls, and encryption: While encryption is a critical control for protecting the data at rest and in transit, it is not a direct access control measure. Authorization and access controls limit who can access the data, whereas encryption protects the data itself. Multi-factor authentication, strong access controls, strong authorization controls, and encryption: This option combines several elements that are indeed strong security controls. However, the question asks for three controls, whereas this option lists four. Additionally, multi-factor authentication is typically considered part of strong access controls. Strong authorization controls, strong access controls, and detailed audit logs: Detailed audit logs are essential for tracking and after-the-fact analysis of access to sensitive information. However, they serve more as a detective control rather than preventive measures like the need-to-know and least privilege principles, which proactively restrict access.

The correct answer: Due care: Due care refers to the level of care that an individual would reasonably be expected to exercise in a particular situation. As the chief information security officer (CISO) at ThorTeaches.com, Jane is responsible for determining the security goals for the organization, and she must do so with due care. This means she should take reasonable steps to protect the company’s data and systems from threats, aligning with industry best practices and regulatory requirements. The incorrect answers: Prudent person rule: While the prudent person rule is related to due care, it is a legal concept that typically applies to the management of another’s affairs, especially in a fiduciary capacity. It is not specifically a term used to describe the process of setting security goals for an organization. Due diligence: Due diligence is the investigative process conducted to assess a business transaction. When setting security goals, due diligence is part of the broader process Jane would undertake to understand the risks and requirements of the organization, but it is not the term that best describes the minimum standard required of her. Building consensus: Building consensus is about obtaining agreement from various stakeholders or team members. While gaining agreement on security goals is an important part of the CISO’s role, it does not represent the minimum standard of care expected of Jane when she determines those goals. Due care is the term that best fits this requirement.

The correct answer: Digital signatures: Digital signatures are the best method for ensuring non-repudiation because they provide proof of the origin and integrity of the data. A digital signature confirms that a document or message was signed by the purported sender, making it difficult for that sender to deny having sent the message. This is achieved by using a combination of a private key to sign the message and the corresponding public key which can be used by others to verify the signature. The incorrect answers: Strong complex passwords: While strong complex passwords are important for securing access to systems and data, they do not provide non-repudiation. Passwords authenticate a user’s identity but do not log the actions that the user takes in a way that cannot be repudiated later. Collision resistant hashes: Collision-resistant hashes ensure that a given input will always result in the same unique hash output, making it difficult to find two different inputs that produce the same hash value. However, hashes alone do not provide non-repudiation because they do not inherently tie the hash to a specific user’s identity. Symmetric encryption: Symmetric encryption uses the same key for both encryption and decryption. While it secures the data during transmission, it does not prove who sent the message since anyone with access to the key could have encrypted it. Therefore, it cannot be used to ensure non-repudiation.

The correct answer: Assume the data is at the highest sensitivity level: When Yvonne discovers an unlabeled tape in a room with tapes containing varying levels of sensitive data, the most appropriate action to protect the tape is to assume it contains the highest level of sensitivity. This precautionary principle ensures that the data is given the maximum level of security until its actual sensitivity level can be determined. By treating it as highly sensitive, Yvonne minimizes the risk of a potential data breach or unauthorized access. The incorrect answers: Assume the label fell off and is to be found somewhere close by: While it’s possible that the label might have fallen off, assuming this without evidence could lead to inadequate protection of the tape’s contents. Yvonne cannot rely on assumption alone when dealing with potential sensitive data and must take immediate steps to secure the tape. Assume the data is at the lowest sensitivity level: Assuming the data is at the lowest level of sensitivity without knowing its contents could lead to insufficient protection and a high risk of data exposure if the data is actually more sensitive. It is safer to assume a higher level of sensitivity until the actual content is verified. Assume the data should be erased to prevent it from being disclosed: Erasing the tape without knowing its contents is not appropriate as it could lead to the loss of valuable or even critical information. The tape should be secured and its contents assessed by an authorized individual to determine the correct course of action. Erasure should only be considered if it is confirmed that the data is not needed and appropriate permissions have been granted.

The correct answer: Oracle account is shared; best practice is to use “sudo oracle” command: The most likely reason Jada cannot establish who dropped the table is that the Oracle account is shared among the DBAs, meaning multiple users are logging in with the same credentials. The best practice to overcome the problem is for each DBA to use their own account with individual login credentials, and to perform actions as the Oracle user via the “sudo” command. This way, actions taken can be attributed to individual users and logged accordingly. The “sudo” command specifically allows a user to login with a password to input administrator-level commands, maintaining security of the system while providing availability for all necessary users. The incorrect answers: The logs do not capture when the DBAs logged off the Oracle account; best practice is for users to keep a manual log file of when they login and logout from the shared account: While having a manual log may provide some level of tracking, it is not a reliable or secure method of logging activities and can be easily bypassed or falsified. All DBAs know the password so they can login to Oracle account; best practice is for each user to reset the password after they use the account, and track the time and who retrieves the password: Constantly resetting the password and tracking who retrieves it is not practical or efficient, and does not provide a secure method for attributing actions to individual users. The privileges required by Oracle account are higher than normal users; best practice is to use “su oracle” command: While the “su” command can be used to switch to the Oracle user, it does not solve the problem of shared accountability. The best practice is to use “sudo” to allow users to execute commands as another user while logging who issued each command.

The correct answer: Sign off by the treasurer. If the primary goal is to speed up the approval process, having a single person, in this case the treasurer, sign off on the transactions would be the quickest option. The incorrect answers: Digital signature by the manager, then digital signature by the treasurer: Although digital signatures can speed up the process compared to physical signatures, needing approval from two different individuals can still slow down the process compared to a single sign off. Sign off by the manager and the treasurer: This requires two individuals’ approval, which can slow down the process compared to a single sign off. Digital signature using a symmetric key held in two halves: one by the manager and the other by the treasurer: This process, which involves a more complex mechanism of approval, would likely take more time than any of the other options. It requires coordination from two individuals and utilizing half-keys to form a full key for approval. While more secure, it will take additional time and coordination compared to other options.

The correct answer: Spamming. Spamming is typically not part of a reconnaissance attack. Reconnaissance, in the context of cybersecurity, refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack.Spamming would increase awareness of an attack either through logs, reduced performance, or other factors. This would lead to detection. The incorrect answers: Service detection: This can be part of a reconnaissance attack as knowing what services are running on a server can give attackers valuable information about potential vulnerabilities. Scanning: This is a common part of reconnaissance attacks. Scanning can involve checking for open ports, running services, and other elements that might expose a system to attack. Sniffing: Network sniffing can also be part of a reconnaissance attack to monitor and capture data packets in order to gain information about the system that could be useful in an attack.

The correct answer: The data owner should be the employee with the most knowledge about the business function the data supports: When selecting data owners, one of the key considerations should be whether the employee has a deep understanding of the business function that the data supports. This is because the data owner’s primary responsibility is not only to protect the data but also to ensure its accuracy, integrity, and usability. If the data owner understands the data’s business context, they can make more informed decisions about who should have access to the data, how it should be classified, and what security measures are appropriate. This understanding enables the data owner to effectively communicate the importance and value of the data to other stakeholders in the organization, fostering a culture of data protection and security. The incorrect answers: The data owner should have strong technical skills and be familiar with IT security best practices: While having strong technical skills and familiarity with IT security best practices are important for implementing and maintaining security measures, these are not the most critical qualifications for a data owner. Data ownership involves more than just the technical aspects of data security. It also involves understanding the business context of the data, making informed decisions about its use and protection, and fostering a culture of data security. These responsibilities may be better suited to an individual with a deep understanding of the business function the data supports, rather than a technical expert. The data owner should be the highest-ranking employee with access to the data: Although a higher-ranking employee may have the authority to enforce data security measures, this doesn’t necessarily mean they are the best person to be the data owner. The data owner needs to have a deep understanding of the data’s business context, which might not be the case for a high-ranking employee. High-ranking employees often have multiple responsibilities, and they might not have the time or focus to devote to data ownership. The data owner should be the employee who created or gathered the data: The employee who created or gathered the data may not always be the best choice for the data owner. While this employee might have a detailed understanding of the data, they might lack the broader business perspective needed to make decisions about data use and protection. They may not have the necessary authority or influence to enforce data security measures across the organization.

The correct answer: Unlikely. The roll back plan is not complete: The CAB is unlikely to accept Cassandra’s change if the roll back plan is overly simplistic and does not contain detailed, step-by-step instructions to reverse the change. A comprehensive roll back plan is necessary to mitigate risks in the event the change does not work as expected in the production environment. “Undo the change” does not provide the necessary detail or assurance that the system can be returned to its previous state without disruption or data loss. The incorrect answers: Likely. Cassandra and the Change Approval Board (CAB) believe the operator will know to undo the same steps in the reverse order, and can correct any unexpected effects by doing so: It is not safe to assume that the operator will know how to reverse the change without detailed instructions, especially under the pressure of a system malfunction or when the change does not perform as expected. Unlikely. The change procedures cannot be assumed to work in the production environment as they do in the test environment: While it is true that testing in a non-production environment does not guarantee the same results in production, this point alone would not typically make the change unlikely to be accepted. It is the lack of a detailed roll back plan that makes the change unlikely to be accepted. Likely. The change procedures have been tested and it is reasonable to assume they will work the same way in the production environment: Testing in a controlled environment is good practice, but it does not eliminate the need for a comprehensive roll back plan. Changes must always be accompanied by a solid contingency plan in case they do not perform as expected in the production environment.

The correct answer: Buy insurance. In cases where it’s not possible to minimize residual risk to an acceptable level, buying insurance is a common risk management strategy. This does not reduce the risk itself, but it can help to mitigate the financial impact if the risk materializes. The incorrect answers: Update to state-of-the-art firewalls: While updated firewalls can provide better protection, if the leadership has determined that the residual risk is still too high even with all countermeasures in place, it’s likely that simply updating firewalls wouldn’t sufficiently alleviate the concern. Get professional pen-testers to pen test the 2 applications: Penetration testing can help identify vulnerabilities, but if the residual risk is still considered too high despite all possible countermeasures, it’s unlikely that additional pen-testing would solve the problem. Build a SOC (Security Operations Center) and implement live monitoring: Having a SOC can improve incident detection and response times, but it does not directly reduce residual risk. If all plausible countermeasures have been considered and residual risk is deemed too high, setting up a SOC might not be sufficient.

The correct answer: PKI (Public Key Infrastructure). PKI uses a combination of public and private cryptographic keys to ensure message integrity, sender authentication, and non-repudiation. Message integrity ensures the message hasn’t been altered, sender authentication verifies the sender’s identity, and non-repudiation ensures the sender cannot deny having sent the message. The incorrect answers: Symmetric cryptography: While it provides message encryption, it doesn’t inherently provide sender authentication or non-repudiation. Hashing: Hashing can ensure message integrity by detecting changes in the content of the message, but it does not provide sender authentication or non-repudiation. Linear cryptanalysis: This is a method used to break cryptographic algorithms and doesn’t provide the benefits mentioned in the question.

The correct answer: Review current state of the system: Vulnerability testing tools can help Frank by reviewing the current state of the system. These tools scan systems and networks to identify known security weaknesses, misconfigurations, and missing patches based on the current setup. They provide a snapshot of the system’s current vulnerability status, which Frank can use to prioritize and address potential security issues. The incorrect answers: Capture recurring events: Vulnerability testing tools are designed to identify system weaknesses rather than to capture or log events, whether recurring or not. This function is more typically associated with monitoring and event management systems. Examine historical events: Vulnerability testing tools focus on the present state of system security rather than analyzing historical events. They do not typically delve into past security incidents or logs. Capture non-recurring events: While vulnerability testing tools assess current vulnerabilities, they do not capture specific events. Tools meant for capturing non-recurring events are generally within the realm of intrusion detection and prevention systems.

The correct answer: The ratio of false positives to false negatives: The best metric to use when evaluating the effectiveness of Intrusion Detection Systems (IDSs) is the ratio of false positives to false negatives. This metric provides insight into the accuracy and precision of the IDS, considering both its sensitivity (which could result in false positives, where benign activity is incorrectly flagged as malicious) and its specificity (which could result in false negatives, where actual malicious activity is not detected). A balanced ratio indicates an effective IDS that neither overburdens staff with false alarms nor misses genuine threats. The incorrect answers: The number of attacks we detect: While the total number of detected attacks can be an indicator of IDS activity, it does not provide comprehensive insight into the system’s effectiveness, as it may include false positives and does not account for missed detections (false negatives). The number of successful attacks: The number of successful attacks is a critical security metric, but it only provides information about the IDS’s failures and does not account for its successes or the accuracy of its detections. The ratio of successful attacks to unsuccessful attacks: This ratio reveals the number of breaches compared to thwarted attempts, which is valuable but does not directly speak to the IDS’s performance in terms of accurate detection. It also does not differentiate between true and false detections.

The correct answer: 3, 4, 2, 1: In rule-based access control systems, the order in which rules are listed can affect how they are processed. Given the requirements stated by Naomi, the sequence should be: -Allow Accounts Receivable (AR) update access (most specific rule allowing the most permissions). -Allow Accounts Payable (AP) read access (specific to a department with read-only permissions). -Allow Managers read access (broader rule allowing read access to a larger group). -Deny all other access (the general rule that ensures anyone not matched by the previous rules is denied access). This sequence ensures that the most specific permissions are granted first before the more general permissions, and lastly, any access not explicitly allowed earlier is denied. The incorrect answers: 2, 3, 4, 1: This sequence incorrectly places the Managers read access rule before the more specific departmental rules for AR and AP, which could lead to unintended access permissions due to the processing order of ACLs. 4, 3, 2, 1: This sequence starts with AP read access, but following the principle of placing the most specific rules first, the AR update access should come before AP read access. 1, 2, 4, 3: Placing the deny rule first would prevent any of the subsequent allow rules from being processed, effectively blocking all access, which contradicts the intent.

The correct answer: Our previous financial results. Generally, previous financial results would have the lowest level of security protection because they are often publicly disclosed as a part of regularly scheduled reporting and are not confidential, sensitive, or private. The incorrect answers: Our strategic plan: These documents are usually highly confidential and therefore typically have high levels of security protection. Our upcoming financial results: These are also highly confidential until they are officially released. Unauthorized disclosure could violate securities laws and regulations. Customer PII (Personally Identifiable Information): Laws such as GDPR in Europe and CCPA in California mandate strict protection of this information to prevent unauthorized access and potential identity theft.

The correct answer: Second line of defense: Dee, in her role as a compliance manager, forms the second line of defense in her organization’s risk management and control framework. The second line of defense typically includes functions that oversee risk management and compliance with external regulations and internal policies. As a compliance manager, Dee helps to ensure that controls are in place to meet compliance standards and works to identify and mitigate risks related to non-compliance. The incorrect answers: First line of defense: The first line of defense is typically composed of operational managers and staff who are directly responsible for maintaining control over the day-to-day business activities and processes. They are the ones who implement risk controls and procedures as a part of their regular job functions. Third line of defense: The third line of defense usually consists of internal audit functions. Their role is to provide independent assurance to the organization’s board and senior management regarding the effectiveness of the company’s governance, risk management, and internal control processes. Fourth line of defense: The concept of a fourth line of defense is not commonly recognized in standard risk management frameworks. Some organizations may informally refer to external auditors, regulators, or other external parties that provide another layer of oversight as a “fourth line of defense,” but this is not a standard classification within the three lines of defense model.

The correct answer: Periodically, Mark sends a random number he has chosen encrypted using the work server’s public key and waits for the server to reply with the same number encrypted with his public key: This method is a good way to prevent a Man-In-The-Middle (MitM) attack because it utilizes asymmetric encryption to ensure that the communications are secure between Mark and the work server. By using the server’s public key to encrypt the number, only the server, with its private key, can decrypt it. When the server replies using Mark’s public key, only Mark can decrypt the message with his private key. This process helps to confirm that the parties in the transaction are legitimate and that there has not been interference by a third party. The incorrect answers: Mark and the work server should create and send a digital signature of every packet: While using digital signatures for every packet can provide strong security by ensuring the integrity and authenticity of the communications, this method may not be the most efficient, as it can produce significant overhead and delay due to the computational cost of signing every packet. Mark and the work server should create and send a digital signature of every nth packet: This approach can leave packets without digital signatures vulnerable to interception and manipulation, as every packet is not verified. It creates a gap in the security model, which could be exploited by an attacker. Mark sends the current time (including milliseconds) to the work server and waits for the work server to reply with the time it received Mark’s message, together with the server’s own time when it sent the reply: Sending timestamps can help detect replay attacks or delays in the network that might indicate tampering, but it does not encrypt or secure the data, so it would not be effective as a standalone measure against a MitM attack.

The correct answer: Send log entries to a separate server on UDP port 514: Sending log entries to a separate server on UDP port 514 is the most appropriate method for increasing controls over accountability, as this is the standard port for Syslog, a protocol used widely for sending event notification messages across IP networks to event message collectors (Syslog servers). By directing logs to a separate server, Linda can ensure that the logs are not tampered with on the source device and that there is a central place for log review and analysis, enhancing accountability. The incorrect answers: Send log entries to a separate server on UDP port 162: UDP port 162 is the standard port for SNMP Trap, which is used for sending alert messages from network devices to a management station. It is not primarily used for log transfer and hence is not the most appropriate choice for improving log accountability. Keep log entries on a different partition on the hard drive: Keeping logs on a different partition on the same physical hard drive does not increase controls over accountability significantly, because if the system is compromised, an attacker could gain access to the logs and alter or delete them, compromising the integrity of the logs. Send log entries to a separate server on TCP port 1433: TCP port 1433 is the default port for Microsoft SQL Server. Sending log entries to a server on this port would imply that they are being sent to a database server, which is not the standard practice for log transfer. Moreover, using a database server does not necessarily increase controls over accountability compared to dedicated log management systems.

The correct answer: “Conduct a risk assessment of the company’s current IT systems and practices.” would be the option to pick here. It is far more beneficial to inventory all assets through a risk assessment, then decide from there how to handle security. Otherwise, a business is taking things into consideration that have no effect on them. The incorrect answers:Determine the company’s overall goals and objectives for IT security is the first step in identifying the business needs for improving the IT security practices. Understanding what the organization aims to achieve through its IT security practices ensures that all subsequent steps, align with the company’s overall strategy and objectives. It sets the foundation for the entire review process. Identifying the regulatory requirements that the company must comply with is also crucial, especially in a regulated industry like finance. However, this step should be taken in conjunction with understanding the overall goals and objectives, as compliance is typically one aspect of a broader security strategy. Gathering input and feedback from employees across all departments and business units is valuable for gaining insights into the practical realities of the company’s IT systems and practices. Still, it is not the first step. Understanding the overarching goals and objectives ensures that such feedback is collected and analyzed in the context of the company’s strategic direction.

The correct answer: Asset inventory: The first artifact Dee is most likely to review when evaluating the design completeness of the backup procedures is the asset inventory. An asset inventory will provide information on all the assets that require backup, including their locations, importance, and the data they hold. This comprehensive understanding is critical for ensuring that the backup procedures are designed to cover all necessary assets and that no critical components are overlooked. The incorrect answers: Classification of data: Data classification is crucial for determining the sensitivity and handling requirements of data, but before Dee can understand what needs to be backed up from a data perspective, she must know what physical and digital assets exist that store this data. Retention requirements: While retention requirements are essential for defining how long data should be kept, they are geared more towards the duration of storage rather than the scope of what needs to be backed up, which is driven by the asset inventory. Disposal requirements: Disposal requirements relate to the process of securely eliminating data that is no longer required. It is generally a step considered after retention periods have been met, and it does not directly inform the initial design of backup procedures.

The correct answer: All of the options are related to microservices, but the primary concern when shifting to a microservices architecture is to ensure that each microservice is resilient and fault-tolerant. This is because, in the event of a failure, you want to avoid a single microservice causing the entire system to crash. Each microservice should be designed to handle failures gracefully, ensuring that even if it fails, it doesn’t cause a systemic failure. This is paramount in maintaining system resilience and ensuring continuous service availability. The incorrect answers: Using the same programming language can contribute to the consistency and maintainability of the codebase, but it is not the primary concern when shifting to microservices. Microservices are designed to be highly independent, meaning they can be developed using the programming language best suited to the task they are meant to perform. It’s true that having more individual components can increase the number of points of failure, but the design and management of these microservices should mitigate this risk. Rather than just considering the increased points of failure, the focus should be on how to make each of these services resilient and fault-tolerant to handle any failures that may occur. Containerization does help in the efficient utilization of resources and can be beneficial in a microservices architecture, but it is not the primary concern. Containerization provides an isolated environment for each microservice to run in, which can aid in managing dependencies and resource usage. However, the resilience and fault-tolerance of each microservice should be prioritized to ensure the overall system stability and reliability.

The correct answer: Compiled language like C+ or Pascal. Compiled languages are converted into machine code that can be directly executed by the computer’s hardware. The resulting binary (such as an EXE file) cannot be easily inspected or reverse-engineered to view the original source code. The incorrect answers: Executable binary: This is not a programming language, but a format for program files that can be directly executed by a computer’s hardware. Assembly language: While assembly language can be used to write executable code, it is much lower-level and more difficult to work with than a high-level compiled language like C+ or Pascal. Interpreted language like VBScript or Visual Basic for Applications (VBA): Code written in interpreted languages is generally distributed in a format that allows the source code to be viewed, which would not meet Marsha’s need to prevent inspection of the source code.

The correct answer: Physical security measures and access controls: While these are important to ensure the security of a processing site, they are the most basic level of security measures. They primarily focus on the physical environment, such as securing entry points and monitoring access to the site. They do not address digital threats or vulnerabilities that can arise within the IT infrastructure. The incorrect answers: Network security measures and firewalls: This level of security is more advanced than just physical security measures. Network security measures include firewalls, intrusion detection systems, and other tools to protect the organization’s network from unauthorized access and potential cyber threats. Data encryption and backup procedures are essential for protecting sensitive information and ensuring business continuity in case of data loss or system failure. These measures add a layer of security that goes beyond physical and network security. Regular security assessments and audits are critical for identifying vulnerabilities and ensuring that security measures are effective in safeguarding an organization’s assets. This level of security is more comprehensive than the other options, as it involves ongoing evaluation and improvement of security measures.

The correct answer: The goals and objectives are clearly defined: Before having outside contractors conduct a penetration test, it is most important to ensure that the goals and objectives of the penetration test are clearly defined. Clear goals and objectives will guide the scope of the penetration test, the methodologies to be used, the systems to be tested, the rules of engagement, and the expected deliverables. This clarity is crucial for the penetration test to be effective, targeted, and for the results to be actionable. The incorrect answers: The penetration testers show us what the plan to do on a test system: While it’s beneficial to understand the testers’ approach and plan, having them demonstrate on a test system is not a prerequisite and is less critical than having clear goals and objectives for the actual penetration test. Our IT staff has been informed about the penetration test: Informing the IT staff about the penetration test is important to avoid confusion and ensure they do not mistake the test for a real attack. However, this should be done after establishing the goals and objectives of the penetration test. Everyone including senior management is unaware of the penetration test; to ensure the penetration test is as close to a real attack as possible: Keeping senior management and others unaware of the penetration test (a “blind” test) can provide insights into how an organization detects and responds to a real attack, but this is risky without clearly defined goals and objectives. Stakeholders must be aware and in agreement with the penetration test to provide authorization and to manage risks.

The correct answer: Install and remove programs: A security administrator is typically responsible for managing software installations and removals on an organization’s systems, ensuring that only authorized programs are used and that systems are kept secure from potentially harmful software. Terminate user’s access when advised by HR: The security administrator is also responsible for managing user access, including the termination of access rights when employees leave the company or change roles, as advised by the Human Resources department. Produce reports of access rights for management review: Part of a security administrator’s responsibilities includes producing reports that detail user access rights within the organization. These reports are vital for management to review in order to ensure that proper access controls are in place and that the principle of least privilege is being followed. The incorrect answers: Create generic group user accounts when requested by HR with full access privileges: As a general security practice, creating generic accounts with full access privileges is discouraged because it violates the principle of least privilege and individual accountability. Each user should have a unique account with access rights tailored to their specific job functions. A security administrator is responsible for enforcing this principle and would typically deny such requests to maintain security standards.

The correct answer: The significance of providing diligent and competent services is the most crucial aspect that your new recruits must comprehend. All the rules, laws, and ethical codes mentioned, including the Electronic Communication Privacy Act (ECPA), ISC2 Code of Ethics, and the Ten Commandments from the Computer Ethics Institute, fundamentally revolve around the principle of providing diligent and competent services. This covers a broad range of actions, including respecting the privacy of others, not causing harm or interfering with others’ computer work, and respecting intellectual property rights. The incorrect answers: The importance of not using a computer to harm other people: While this is certainly a crucial principle, it is just one component of delivering diligent and competent services. The necessity of not copying or using proprietary software without payment: This principle focuses on intellectual property rights, which is again only one aspect of the broader commitment to providing diligent and competent services. The essentiality of not interfering with other people’s computer work: This principle contributes to maintaining a respectful and non-disruptive environment, but it is just one element of the broader principle of providing diligent and competent services.

The correct answer: All the co-workers of the user in the workgroup. The focus of a user access review process is on the permissions and accesses granted to a particular user. Information about a user’s coworkers, while potentially informative for other reasons, is less likely to be directly relevant to this process. The incorrect answers: All the applications the user can use: A thorough review process would include a review of all applications a user can access. All the computers the user can connect to, use, or log into: Similarly, a review would also include all machines or systems the user can access. All the accounts created for the user, or to which the user has been granted access: This is a key part of a user access review, ensuring that each user has the appropriate level of access for their role.

The correct answer: Source code: Source code should have the most limited access because it is the human-readable version of the software and contains the original design and structure of the application. Protecting access to the source code is crucial as it is the most informative for anyone looking to understand or modify the application, which could lead to security vulnerabilities or intellectual property theft if it falls into the wrong hands. The incorrect answers: Object code: Object code, which is the output of the compilation of source code, is an intermediate form between source code and executable code. It is less readable than source code and typically requires further linking to be run. While still sensitive, it is not as critical to protect as the source code. Executable code: Executable code, which can be run by a computer’s operating system to perform the functions the software is designed to do, is important to protect. However, it does not usually contain the detailed information present in the source code, making it less sensitive. Machine code: Machine code is a low-level code for computers that is actually executed by the computer’s CPU. It is the most difficult for humans to read and modify due to its binary form. While it is important to protect, the source code is usually of greater interest and should be more tightly controlled.

The correct answer: Delegated Identity Management (DIM): Delegated Identity Management refers to a scenario where authentication is performed by one service but is trusted and accepted by another. In John’s case, he is using his Facebook identity to log into the store online, which constitutes a delegation of the authentication process. The online store trusts Facebook to verify John’s identity and does not require him to create a new account and password for their site. The incorrect answers: Single Sign-On (SSO): Single Sign-On is a user authentication process that allows a user to access multiple applications with one set of login credentials. However, SSO is generally used within the same organization or suite of services, rather than leveraging an external identity provider like Facebook. Federated Identity Management (FIM): Federated Identity Management is a system that links and manages the identity information across multiple autonomous systems or domains. While FIM encompasses the use of shared identities across different domains, the term “federated” usually implies a more mutual and cooperative arrangement, which might not be what is directly intended by the term “Delegated Identity Management.” Active Directory Domain Services (AD DS): AD DS is a directory service for Windows domain networks and is not typically used for consumers logging into unrelated online stores. It is more focused on internal network authentication and directory services within an enterprise environment.

The correct answer: Periodic staged intrusions: The best way for Nayeli to obtain valuable information about a network’s vulnerabilities is through periodic staged intrusions, also known as penetration testing or ethical hacking. This proactive security measure involves simulating cyber attacks under controlled conditions to discover security weaknesses, potential entry points for actual attackers, and to understand the effectiveness of existing security measures. The incorrect answers: Periodic procedure updates: While updating procedures periodically is important for maintaining security, it does not directly provide information about network vulnerabilities. Procedures need to be actively tested against potential threats to reveal vulnerabilities. Periodic policy updates: Updating policies is a crucial part of maintaining a security posture, but policy updates alone do not expose or identify network vulnerabilities. Policies define the framework for security, but testing is required to find actual weaknesses in the network. Periodic drills: Drills often refer to exercises designed to prepare for emergency situations. While they can be valuable in training staff and testing incident response, they may not be as focused on identifying technical network vulnerabilities as a staged intrusion would be.

The correct answer: CWSS (Common Weakness Scoring System) is used to score and rank software weaknesses in terms of their severity, taking into consideration the attack surface, attack impact, and the environmental impact. Implementing the latest security patches and updates is an important part of maintaining a secure system, but it doesn’t directly contribute to determining the CWSS score of a system. Rather, it is a reactive step taken to address vulnerabilities that have already been identified, and doesn’t itself provide a measure of the overall security of a system or its specific weaknesses. The incorrect answers: Assessing the vulnerabilities of a system is an integral part of determining the CWSS score. The CWSS is specifically designed to score vulnerabilities based on their characteristics, and thus assessing the vulnerabilities of a system is directly tied to determining its CWSS score. Evaluating the effectiveness of security controls isn’t part of the CWSS calculation itself, the effectiveness of security controls can affect the environmental score component of the CWSS, which takes into account how well a system is protected. Comparing the system’s security score to industry standards is a valid method of using CWSS scores. By comparing a system’s scores to industry standards or to scores of similar systems, one can gain insights into how the system’s security measures up. While this won’t directly affect the CWSS score, it can provide valuable context for interpreting the score and assessing the system’s relative security.

The correct answer: Our e-commerce website: The e-commerce website should have the shortest RTO because it is directly tied to the organization’s revenue generation and customer service. If the e-commerce website is down, it can immediately affect sales, impact the company’s reputation, and result in financial loss. Thus, it’s crucial to restore this service as quickly as possible to minimize disruption to the business and its customers. The incorrect answers: Our change management system: While important for controlling IT processes and managing changes, the change management system typically does not require as immediate a recovery as an e-commerce platform that is critical for ongoing business operations and revenue. Our intranet: The intranet is used internally for employee communications and sharing resources. Although it is significant for internal business functions, it is usually not as critical as an e-commerce website, which has a direct impact on customers and business income. Our VPN (Virtual Private Network) access for our remote contractors: VPN access is essential for remote contractors to perform their work, but the overall impact of a VPN outage is generally less severe than the downtime of an e-commerce website. The VPN may have a longer RTO as the contractors may have alternative ways to work or communicate temporarily.

The correct answer: Object, subject. In the context of an access request, the “subject” is the entity that is making the request or performing an action, which is Francis in this scenario. The “object” is the entity that the action is performed on or that is being requested, which in this case is the “Tuna Notes” file. The incorrect answers: Subject, object: This is the inverse of the correct relationship. In this scenario, “Tuna Notes” is the object, not the subject, and Francis is the subject, not the object. Active entity, passive entity: While these terms could be used to describe a similar relationship, they are less commonly used in this context than “subject” and “object.” Passive entity, active entity: This is the inverse of the active/passive relationship and is less commonly used than “subject” and “object.”

The correct answer: Data processor: The role most likely given to the company that runs an application to produce reports about data subjects, for Naomi, is that of a data processor. When an organization outsources a task that involves the handling of PII to another company, that company performs the role of a data processor. They process the data according to the data owner’s instructions and do not determine the purposes and means of processing that data. The incorrect answers: Data custodian: The data custodian is responsible for the safe custody, transport, and storage of the data and implementing the technical environment and database systems. While a data custodian may assist with managing the infrastructure needed to produce reports, the company running the application specifically for reporting is acting as a data processor. Data controller: The data controller decides the purposes for which and the means by which personal data is processed. As the VP of Sales, Naomi would generally fill this role herself because she is determining how the data is used, not the company contracted to run the application. Data steward: A data steward has an oversight role, focusing on ensuring data governance, data quality, and adherence to data management policies and standards. A data steward does not usually run applications to produce reports; their focus is on the overall quality and proper use of the data within the organization.

The correct answer: Calculate the risk: When faced with a system change that conflicts with security standards, the best initial course of action is to calculate the risk associated with the proposed change. By assessing the potential impact and likelihood of security issues that could result from the change, decision-makers can make an informed choice about whether to proceed with the change, modify it, or reject it. This risk assessment will help determine the most appropriate response, which may include enforcing security standards, adjusting the change, or adding mitigating controls. The incorrect answers: Enforce the security standard: While security standards are crucial and should be enforced, immediately enforcing them without assessing the specific risk may disregard the potential benefits of the system owner’s request or the uniqueness of the situation. Make changes to the proposed system change to match the security standard: Making changes to align with security standards is important, but without first understanding the risk, those changes might be unnecessary or ineffective. Add mitigating controls to the system: Adding mitigating controls may be part of the solution after a risk assessment. However, without calculating the risk first, it’s not possible to know which controls would be effective or necessary.

The correct answer: Brewer Nash. The Brewer-Nash model, also known as the ‘cinderella’ or ‘chinese wall’ model, imposes dynamic access controls based on a user’s prior actions. In this case, it would prevent a sales rep from sharing information until the sale has concluded, but would still allow them to answer incoming calls from any client. The term is now known as “cone of silence” or “ethical wall” instead of “chinese wall”. The incorrect answers: Bell-LaPadula: This model primarily focuses on maintaining the confidentiality of information and would not adequately address the dynamic access needs in this scenario. Clark-Wilson: This model focuses on enforcing integrity in commercial transaction systems. It’s not particularly suited to the needs described in this scenario. Biba: This model is concentrated on maintaining the integrity of information and would not adequately handle the described scenario.

The correct answer: The team pretends to have a disaster and responds to the plan with their teams input. In a simulation test of a Disaster Recovery Plan (DRP), a scenario is created and the disaster recovery team uses the DRP to respond, just as they would in a real disaster. This helps to verify that procedures are understood and effective, and it can identify gaps or issues that need to be addressed. The incorrect answers: We go through the plan on our own, making sure each step for our team is accurate: This sounds more like a review or walk-through of the plan rather than a simulation test. Team members review the plan quickly looking for glaring omissions, gaps, or missing sections: This also sounds more like a review of the plan, rather than a simulation test which would involve acting out a response to a simulated disaster. We bring critical components up our secondary site and fail the traffic over to that site: This sounds more like a full-scale or failover test, not a simulation test. In a full-scale test, the team actually switches over to the disaster recovery site to see if it can handle the load in a real-world scenario.

The correct answer: Ensure integrity of new data: Ross is creating a subroutine in the database front end to compare postal codes with street names to ensure the integrity of the new data being entered. This check helps verify that the data is accurate, consistent, and reliable, by confirming that the postal codes match the correct corresponding street names. The incorrect answers: Ensure availability of new data: Ensuring the availability of data typically involves maintaining access to data or systems, such as through redundancy or backup solutions. A subroutine that validates postal codes against street names is not directly related to data availability. Ensure confidentiality of the new data: Ensuring confidentiality involves protecting data from unauthorized access or disclosure. Comparing postal codes with street names does not pertain to the protection of data, but rather to its correctness and validity. Ensure the data entry staff are held accountable if they enter wrong data: While having checks in place can help trace the source of data entry errors and potentially hold individuals accountable, the primary reason for implementing such a subroutine is to prevent incorrect data from being entered into the system in the first place, thereby maintaining data integrity.

The correct answers: The correct sequence for the TCP Three-way Handshake is: -Client sends TCP packet with SYN raised: The client initiates the handshake by sending a synchronize (SYN) packet to the server, indicating a desire to establish a connection. -Server responds with packet with ACK and SYN raised: The server acknowledges (ACK) the client’s SYN packet and sends its own SYN packet, indicating it’s ready to establish the connection. -Client responds with packet with ACK raised: The client acknowledges the server’s SYN packet, completing the three-way handshake and establishing the connection. The incorrect answers: The incorrect sequences provided are not representative of the TCP Three-way Handshake. They describe different TCP flags and scenarios like connection termination (FIN), connection reset (RST), and urgent data processing (URG), which are not involved in the initial connection establishment process.

The correct answer: Controls that have not been implemented yet. Security controls provide no protection until they are actually implemented. Even if a control has been designed or chosen, it does not contribute to security until it is put into operation. The incorrect answers: New controls that have not been proven to work: While these might not be as reliable as proven controls, they still provide some level of security protection once they are implemented. Existing controls that due to their age of use have probably been cracked: While such controls may not be as effective as they once were, they still provide some level of security until the vulnerabilities are exploited. Existing controls that have been proven to work: These controls definitely provide security protection, assuming they are still relevant to the threats faced by the organization.

The correct answer: To maintain an inventory of network assets. While it is important for an organization to keep track of its physical assets, this doesn’t directly contribute to the performance or capability improvements typically associated with a network upgrade. The incorrect answers: To carry more network capacity: Network upgrades often aim to increase capacity, allowing more data to be transmitted simultaneously. This is a key objective in any network upgrade. To improve system response time: Faster and more efficient networks can decrease latency, improving the response time of applications reliant on the network. This is a common goal in network upgrades. To improve network services: Upgrading a network can allow for the implementation of new services or improve the performance of existing ones. This is a major reason for undertaking a network upgrade.

The correct answer: Missing patches: A network vulnerability assessment typically identifies security weaknesses, such as missing patches or updates for software and systems. Vulnerability assessments use various tools and software to scan the network for known vulnerabilities, which would include identifying systems that are not up-to-date with the latest security patches. The incorrect answers: 0-day vulnerabilities: 0-day vulnerabilities are security flaws that are not yet known or disclosed to the public, and therefore no patch or fix exists for them at the time of discovery. A standard vulnerability assessment is unlikely to identify these, as it relies on databases of known vulnerabilities. Malware: While some vulnerability assessments may detect certain types of malware indirectly by noting suspicious behavior or unauthorized changes to systems, identifying active malware is typically the role of antimalware tools and not the primary focus of a vulnerability assessment. Security design flaws: A vulnerability assessment can identify some security configuration issues, but complex security design flaws often require a more in-depth analysis such as a security audit or penetration test. Vulnerability assessments are generally focused on known issues listed in vulnerability databases and may not uncover intricate design flaws that have not yet been catalogued.

The correct answer: A cloud-based identity service: Given the requirements to minimize infrastructure, management overhead, and rapidly deploy the solution, a cloud-based identity service would be the best choice for Natalie. Cloud-based identity services can provide authentication for both on-premise and cloud-based services without the need for additional infrastructure. They are managed by the service provider, which reduces the overhead for Natalie’s company, and can typically be deployed quickly. The incorrect answers: A federated identity solution: While federated identity solutions allow for single sign-on across different systems and can potentially work with cloud services, they may require more infrastructure and management overhead compared to a fully cloud-based identity service, especially if the federated solution is managed on-premise. An on-premise authentication solution: An on-premise solution would likely require significant infrastructure and ongoing management, which does not align with Natalie’s goal to minimize infrastructure and overhead. A third-party identity service: This kind of service could potentially meet the requirements, but it is less specific than a cloud-based identity service. Third-party identity services could be either on-premise or cloud-based, so without more context, it’s harder to assert that it would be the best solution compared to a clearly defined cloud-based identity service.

The correct answer: Conduct a privacy impact assessment: This is the most accurate response as a Privacy Impact Assessment (PIA) is a systematic process used to evaluate the potential effects that a particular activity or process may have on the privacy of individuals. The primary purpose of a PIA is to identify and mitigate privacy risks. PIAs can help ensure that the data mining process is conducted in a secure and ethical manner, by determining the nature of the data, how it will be used, stored and protected. The assessment can guide the decision-making process on whether to proceed with the data mining project, modify it, or discard it altogether, all while considering privacy laws and regulations. The incorrect answers: Use a secure data warehouse to store the data: While it’s important to store the data securely, merely using a secure data warehouse doesn’t inherently ensure that the data mining process is being conducted in a secure and ethical manner. Secure data storage is just one aspect of a comprehensive data protection strategy. It does not address issues of consent, minimal data collection, purpose limitation, or data accuracy, among others. Use a trusted third-party vendor to perform the data mining: While delegating data mining to a trusted third-party might alleviate some of the concerns, it does not necessarily ensure the process is conducted securely and ethically. There’s a risk of misuse, especially if there aren’t strong contractual agreements and controls in place. Trusting a third party also means you have less control over the actual process, and you may not know the extent to which they are adhering to privacy and security best practices. Encrypt the data before storing it in the data warehouse: Encrypting data before storage is indeed a best practice for protecting sensitive information. However, it is more relevant to preventing unauthorized access to the data rather than ensuring that data mining itself is conducted ethically and securely. Encryption doesn’t address potential ethical issues such as data minimization, purpose limitation, accountability, transparency, and fairness in data mining. It’s part of data security, but not a comprehensive solution to the ethical handling of data.

The correct answer: Accountability: Accountability ensures that actions taken on a system can be attributed to an identified individual or entity, which provides assurance that only authorized users are accessing the system and using it properly. It involves the ability to track user activities and to hold users responsible for their actions, typically through logging and monitoring mechanisms. The incorrect answers: Authentication: While authentication is the process of verifying a user’s identity before granting access to a system, by itself, it does not provide assurance that the system is being used properly after access has been granted. Authorization: Authorization determines what an authenticated user is allowed to do within a system, such as what resources they can access and what actions they can perform. It does not, however, track or record what the user actually does, which is necessary for accountability. Auditing: Auditing is the process of reviewing and analyzing records of system activities to ensure compliance with policies and procedures. While auditing is closely related to accountability and is often used to measure it, the term ‘accountability’ directly refers to the concept of users being answerable for their actions on the system.

The correct answer: Tokens: Dee is most likely to use tokens as the factor for strong authentication when logging onto the firewalls, especially if she’s seeking enhancement over traditional username and password methods. Tokens can provide a second factor in two-factor authentication systems, either as physical devices that generate one-time passwords (OTPs) or as soft tokens provided by mobile applications. They strengthen the authentication process by adding a “something you have” factor to the “something you know” factor (such as a password or a PIN). The incorrect answers: User IDs: User IDs or usernames alone are not considered strong authentication because they are typically public identifiers and do not verify the user’s identity on their own. PINs: Personal Identification Numbers (PINs) are a knowledge-based authentication factor similar to passwords. On their own, PINs are not considered strong authentication for high-security environments like firewall access. Account numbers: Account numbers are generally used as identifiers rather than for authentication purposes. They are not considered a secure method for authentication on their own and are not commonly used for firewall login processes.

The correct answer: Lost or missing features after major code changes. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after changes or additions. It is used to catch new bugs, or regressions, in existing functionality that may have occurred due to those changes. The incorrect answers: That the software installs correctly on the customers hardware: This is more in line with installation or compatibility testing, not regression testing. Interfaces between components in the software: This would be more related to integration testing, which verifies that different components of the system work well together. Processes and security alerts when encountering errors: This would be more related to error or exception handling testing, not regression testing.

The correct answer: Phishing attack: Ken has most likely been the victim of a phishing attack. Phishing attacks typically involve the attacker sending emails that appear to be from a legitimate source with the intent to deceive the recipient into providing sensitive information. In this case, Ken believed the email was from Dee and clicked on a fraudulent link that led to a fake website designed to capture his username and password. The incorrect answers: Pharming attack: Pharming redirects a website’s traffic to a fraudulent website without the user’s knowledge, which can occur through malware on the user’s system or by exploiting vulnerabilities in DNS servers. Since Ken was actively directed to the fake site by clicking on a link in an email, this is more indicative of phishing rather than pharming. Poisoning attack: Poisoning attacks often refer to techniques that corrupt or falsify data, such as cache poisoning in DNS or ARP (Address Resolution Protocol) poisoning on networks. Ken’s situation does not involve data corruption but rather deception through a fake website. DNS Pharming attack: DNS pharming is a type of attack that involves compromising DNS servers to redirect users to malicious sites even when they type in the correct website address. Ken’s case involves an email link, which suggests a direct phishing attempt rather than DNS pharming, where the attack occurs at the DNS level.

The correct answer: The side effects of the disaster: The side effects of a disaster are most likely to be the greatest factor determining the size of the financial loss. Side effects can include a wide range of consequences, such as prolonged business interruption, loss of customer trust, reputational damage, regulatory fines, and more. While the immediate impact of the disaster is crucial, it is often the subsequent, sometimes unforeseen side effects that can significantly increase the financial loss and extend the recovery period. The incorrect answers: The disaster itself: While the disaster’s immediate impact is critical, it typically represents the starting point of potential financial loss. The eventual financial impact is more significantly shaped by the following side effects and how they are managed. The effects on suppliers: The impact on suppliers can contribute to financial losses, particularly if the company relies heavily on a specific supplier or operates with a lean supply chain. However, it is generally a subset of the wider side effects of the disaster. The effects on investors: The effects on investors, such as changes in stock price or investors pulling out, are more indirect and typically follow the initial disaster and its side effects. While they can impact a company’s financial position, they are reactive to the situation rather than direct determinants of loss.

The correct answer: System development phase: Building security controls and audit trails into a new application is best accomplished during the system development phase of the system development life cycle (SDLC). At this stage, the application is being designed and programmed, which allows for the integration of security features directly into the system architecture. Addressing security early in the development process ensures that it is not just an afterthought and typically results in stronger, more effective controls. The incorrect answers: System initiation phase: While the system initiation phase often involves defining high-level requirements, the actual building and integration of detailed security controls and audit trails occur later during the development phase. System implementation phase: The system implementation phase typically involves installing and deploying the system. While some aspects of security can be configured during this phase, integrating security controls into the application itself should have already taken place in the development phase. System operations phase: By the time the system reaches the operations phase, it is already in use. Adding or significantly altering security controls at this stage can be more difficult and disruptive, making it less ideal compared to integrating them during the development phase.

The correct answer: Data processor: The role most likely given to the third-party building and generating the report for Naomi is that of a data processor. In the context of data protection, a data processor is an entity that processes personal data on behalf of a data controller. Since Naomi, the data owner, is contracting the third-party specifically to handle the data for the purpose of creating a report, the third-party acts as a processor, carrying out the task according to Naomi’s instructions. The incorrect answers: Data custodian: A data custodian is typically someone within the organization who has technical responsibilities for safeguarding the data, such as maintaining databases, servers, and networks. They do not usually process the data for specific business needs, which is the role of a data processor. Data controller: A data controller is the person or organization that determines the purposes for which and the means by which personal data is processed. While Naomi acts as a data controller by deciding to use the PII to generate a report, the third-party does not decide on the reason for processing the data and thus is not the data controller in this context. Data steward: A data steward is responsible for the management of data elements, both in terms of content and metadata. They ensure the quality and fitness of the data for purpose within the organization, including compliance with data governance policies. The third-party in this scenario is not managing the overall data environment but is instead performing a specific processing task on behalf of Naomi.

The correct answer: Last nine bits, 386: The subnet mask /23 indicates that the first 23 bits are the network portion and the remaining 9 bits are for the host addresses. To find the specific server address within the subnet, Mark would look at the last 9 bits of the address. The value “386” is derived from converting these last 9 bits from binary to decimal. However, it’s important to note that the complete IP address must still be presented in standard IPv4 notation, which is in the form of four octets. Here, the “386” represents the combined decimal value of the third octet’s last bit and the entire fourth octet. The correct IPv4 address would actually be in the format of 47.152.x.y, where x and y are derived from the binary representation of the last 9 bits. The decimal value of “386” relates to the binary representation of the host part of the address (binary ‘000000001 10000010’), which corresponds to ‘1.130’ when broken down into two octets. Therefore, the full server address is 47.152.1.130. The incorrect answers: First 23 bits, 47.152.42: While the first 23 bits of the IP address determine the network portion, they do not specify the exact address of an individual server. Additionally, the representation “47.152.42” is incomplete because it does not provide a full octet for the third part of the address. Last eight bits, 130: In a /23 subnet, the host portion is more than the last eight bits; it is the last nine bits of the address. Representing the server address by only the last eight bits does not take the full subnetting into account. Last seven bits, 2: This choice incorrectly suggests that only the last seven bits are used for the host portion in a /23 subnet. In reality, a /23 subnet uses the last nine bits for host addressing, not seven.

The correct answer: Vulnerability assessments focus on identifying potential exploits, while penetration tests focus on actively exploiting them: A vulnerability assessment is a process that defines, identifies, and classifies the vulnerabilities in a computer, network, or communications infrastructure. It can also forecast the effectiveness of proposed countermeasures and predict their effectiveness when they are put into practice. Essentially, it’s a systematic review of security weaknesses that an attacker could exploit. On the other hand, a penetration test (also known as a pen test) is a simulated cyber attack against a computer system, network, or web application to check for exploitable vulnerabilities. These are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other potential points of exposure. The focus here is not merely identifying vulnerabilities, but actively exploiting them to understand the level of access or other malicious activities a potential attacker could perform. The incorrect answers: Vulnerability assessments are more comprehensive: This is not necessarily true. The breadth and depth of either assessment largely depend on the scope defined before conducting the process. While vulnerability assessments may cover a wide range of systems, devices, and software to identify potential weaknesses, penetration tests can also be comprehensive, focusing on both the breadth of systems and the depth of attack vectors. Moreover, penetration tests often include vulnerability assessments as part of their process. Therefore, it’s not accurate to categorize one as more comprehensive than the other. Penetration tests are more intrusive: The term ‘intrusive’ can be misleading here. While penetration testing does involve trying to exploit vulnerabilities (which could be seen as more ‘intrusive’), it’s done with the permission of the organization and with the aim of improving security. Both vulnerability assessments and penetration tests are invasive to some degree because they both involve analyzing and testing systems for weaknesses. However, the level of intrusiveness doesn’t define the primary difference between these two. Vulnerability assessments are performed on a regular basis, while penetration tests are only performed when requested: The frequency of either test largely depends on the organization’s security policies, available resources, and applicable regulatory requirements. Both vulnerability assessments and penetration tests can be performed regularly or on request. For instance, some organizations may perform vulnerability assessments regularly (daily, weekly, or monthly), while penetration tests might be conducted annually or bi-annually. Conversely, a company might request a penetration test after implementing a new system or post a security incident. The timing or frequency of these tests does not represent the primary difference between them.

The correct answer: Secret question and answer: To best implement a passwordless strategy, Ann’s company should not require secret questions and answers as part of their authentication process. Secret questions and answers often function similarly to passwords in that they are knowledge-based and something that the user knows. For a truly passwordless approach, the company should rely on other types of authentication factors that do not involve memorized secrets. The incorrect answers: Token: Tokens, especially hardware tokens, are a common component of passwordless authentication systems. They are something the user physically possesses and can be used to verify identity without entering a traditional password. Public-Private key pair: Public-private key pairs are also essential for passwordless systems, especially those that rely on cryptographic methods for authentication. The private key remains with the user and is used to generate a digital signature that can be verified with the corresponding public key. Fingerprint: Biometric factors like fingerprints are a hallmark of passwordless authentication, as they utilize something inherent to the user (a biometric trait) to confirm their identity, avoiding the need for traditional passwords or knowledge-based challenges.

The correct answer: Controls. When defining inherent risk, you’re looking at the risk that exists assuming no controls or other mitigation actions are in place. Thus, controls are not a factor typically considered when calculating inherent risk, as they are measures implemented to reduce that inherent risk. The incorrect answers: Likelihood or Probability: This is an essential facet of determining risk. It measures the chance of a given threat exploiting a vulnerability. Asset Valuation (AV): The value of the asset is a key component of risk. The more valuable the asset, the higher the potential risk. Impact or Consequence: This is another crucial variable for assessing risk. It measures the potential damage or consequences to the organization if a threat exploits a vulnerability.

The correct answer: The data owner. In this scenario, the data owner is likely to be the best person to work with to ensure that the files are correctly classified and given the proper protection profile. As the person responsible for the data, the data owner would have the best understanding of the data’s sensitivity, value, and the potential impact of its loss or misuse. The incorrect answers: The payroll manager: While the payroll manager may have insight into the data’s use, they may not necessarily understand all the nuances of data classification and protection. The risk manager: The risk manager could provide guidance on potential risks, but the data owner would have more specific knowledge about the data itself. The entire payroll team: While the team’s input might be useful in some instances, it’s generally more effective to work directly with the person who has responsibility for the data, which would be the data owner.

The correct answer: Both internal and external users. To accurately measure the success of an incident handling process, it’s helpful to gather feedback from both internal and external users. Internal users can provide insight into the efficiency of the process, while external users can offer perspective on how incidents were communicated and resolved from their end. The incorrect answers: All business units: While feedback from all business units can be valuable, it’s only part of the picture. Including external users provides a more comprehensive understanding of the process’s effectiveness. External investors, shareholders, and stakeholders: These parties are typically not directly involved in incident handling and are therefore less suitable for gauging the success of the process. Internal users only: While internal users can provide important feedback, it’s also valuable to gain perspective from external users who interact with the organization’s systems or services.

The correct answer: New risk detection. The ability to detect new risks is crucial for maintaining an effective risk management program. If an organization fails to recognize new risks, it leaves itself vulnerable to threats it isn’t prepared for. While all the options listed contribute to a robust risk management program, detecting new risks directly impacts the organization’s risk exposure and its ability to preemptively manage and mitigate those risks. The incorrect answers: A flexible Information Security budget: While having financial flexibility can support adaptive responses, not detecting new risks could result in serious security incidents that can’t be readily fixed with budgetary adjustments. A solid risk baseline: Having a solid risk baseline is important for comparison and for monitoring changes over time. However, this doesn’t replace the need to continuously identify and address new risks. Accurate risk reporting: Accurate risk reporting is a significant aspect of risk management. However, if the organization fails to detect new risks in the first place, the reporting, no matter how accurate, would be incomplete.

The correct answer: Gather information from different sources. Gathering information from different sources provides a more comprehensive view of the network, which can enhance the efficiency and effectiveness of Security Information and Event Management (SIEM) systems in correlating events and detecting attacks. This approach provides a holistic view of the network and enables the SIEM to identify patterns and connections that may not be visible when looking at data from individual sources. For example, gathering info from a router and honeypot devices may allow us to know exactly what an attacker is seeking, versus just router logs. The incorrect answers: Gather information only from web servers: This approach would limit the visibility of the SIEM to just the web servers, possibly missing attacks targeting other parts of the infrastructure. Gather information only from network devices such as routers and firewalls: While these devices are crucial for network security, they should not be the sole source of information for a SIEM. Attacks can also target servers, applications, and other parts of the network. Gather information only from application servers: This approach would limit the visibility of the SIEM to just application servers, missing attacks that may target other parts of the network.

The correct answer: Design. During the design phase of the Software Development Life Cycle (SDLC), potential threats are analyzed through threat modeling to understand how they could materialize. This helps in building robust security mechanisms in the design of the system. The incorrect answers: Requirements gathering: While potential risks could be considered during the requirements gathering phase, specific identification of how threats could materialize typically happens during the design phase. Development: By the development stage, potential threats should already have been identified during the design phase, and mitigations for these threats should be incorporated into the code being developed. Testing/Validation: At this stage, the software is tested for defects, including any vulnerabilities from threats identified during the design phase. However, the actual identification of potential threats and their actualization usually happens earlier, during the design phase.

The correct answer: Started the authentication sequence by claiming an identity: By entering his username on the system, Thor has initiated the authentication process by claiming an identity. A username is a claim of identity that will typically be followed by providing credentials (such as a password) to verify or authenticate that claim. The incorrect answers: Completed the authentication by claiming an identity: Thor has not completed the authentication process just by entering a username. Authentication involves verifying the claimed identity, usually through additional factors like a password, biometric data, or a security token. Started the authentication sequence with something that he knows: While a username is something Thor knows, it is not in itself sufficient to start the authentication sequence. Authentication sequences typically require knowledge of a secure credential like a password or PIN, not just a username, which is considered public information. Started the authentication sequence with something that anyone can claim: A username on its own is something that anyone can claim, but the phrase does not fully describe the action Thor has taken. The act of entering a username starts the process by which the system identifies who might be trying to authenticate, not just what could be claimed by anyone.

The correct answer: Logs: The best control that Natalie can use to compensate for the risk of role incompatibility under separation of roles is logging. By maintaining detailed logs of user activities, Natalie can create an audit trail that can help detect and review actions taken by individuals with conflicting roles. This provides a way to monitor and potentially correct any improper actions that result from the combination of roles. Logs can help ensure accountability and traceability, even when roles are not ideally separated. The incorrect answers: Access controls: While access controls are essential for limiting which resources a user can access, they do not directly compensate for the lack of separation of roles once access has been granted. Hashes: Hashes are used to verify the integrity of data and ensure that it has not been altered. They are not a control mechanism for handling separation of roles within an organization’s operations. Processing totals: Processing totals is a method used to ensure that a batch of transactions has been processed correctly by comparing total values. It does not provide a means to compensate for the risks associated with individuals performing incompatible roles.

The correct answer: Front-end processors. A front-end processor is typically associated with managing input and output for a mainframe. While they can offload work from the main system, they may not directly improve network reliability as much as the other options listed here. The incorrect answers: Parallel physical circuits: These increase network reliability by providing alternative paths for data traffic in case a circuit fails. Standby power supplies: These can keep network devices running during a power outage, significantly improving network reliability. Redundant switching equipment: Redundant switches can provide a backup in case the primary switch fails, improving overall network reliability.

The correct answer: Comprehensible: When deciding on an Identity and Access Management (IAM) scheme, comprehensibility can be the most important factor for Cassandra to consider. An IAM system that is easily understood by both administrators and users is crucial for its effective adoption and operation. A comprehensible IAM scheme helps ensure that policies are correctly implemented and followed, reduces the likelihood of errors, and facilitates training and troubleshooting, leading to better overall security and efficiency. The incorrect answers: Timely: Although timely administration of access is crucial for security, the decision on which IAM system to choose is more likely hinged on how clear and user-friendly the system is rather than solely on the timeliness of changes. Detailed: While details are important for accurate access control, the complexity of an overly detailed system can hinder usability. The goal is to achieve a balance where the system provides enough detail to maintain security without compromising the ability for users and administrators to effectively navigate and manage it. Consistent: Consistency is vital in IAM for applying uniform policies and access control across an organization. However, if the system is not comprehensible, consistent application of policies can still fail due to misunderstanding or misconfiguration by its users and administrators.

The correct answer: Implementing strict quality control measures throughout the development process: Software development is a multi-step process where defects can occur at any stage. The most effective strategy for achieving zero-defects is to implement strict quality control measures throughout the development process. This involves adopting quality assurance practices at each stage of the process, from requirement analysis, design, coding, to testing. This way, errors can be detected and rectified as soon as they occur, reducing the probability of defects making it into the final product. This approach is based on the principle of ‘prevention over detection,’ emphasizing preventing defects from occurring in the first place, rather than finding and fixing them later on. This not only reduces the defect rate but also saves time and resources in the long run. The incorrect answers: Relying on rigorous testing to catch defects before release: While testing is a crucial step in the software development process, relying solely on it to achieve zero defects is not the most effective strategy. Testing is a phase that comes later in the development process, and if defects are found at this stage, they could require significant changes to the software, consuming a lot of time and resources. Moreover, testing can only find defects; it can’t prevent them from happening. While rigorous testing is necessary, it must be complemented with other practices, like strict quality control measures throughout the development process. Setting aggressive deadlines to motivate developers to work faster: Setting aggressive deadlines can sometimes be counterproductive in achieving zero-defects. While it might motivate developers to work faster, it can also lead to stress and fatigue, which can in turn result in errors. Also, in a rush to meet deadlines, developers might take shortcuts or ignore certain protocols, which could potentially introduce defects into the software. While timely delivery is crucial in software development, it should not compromise the quality of the product. Investing in cutting-edge software development tools and technology: Investing in advanced tools and technology can indeed enhance software development capabilities. They can offer features like automated code review, debugging, and testing, which can help reduce defects. Tools alone can’t guarantee zero defects. The quality of software primarily depends on factors like the skill of the developers, the development process followed, and the quality assurance practices in place. While investing in tools and technology can help, it is not the most effective strategy for achieving zero-defects.

The correct answer: Separate but complementary plans: The Disaster Recovery Plan (DRP) and the Business Continuity Plan (BCP) are separate but complementary plans. The DRP is focused on the recovery of IT systems and operations after a disaster, while the BCP aims to ensure the continuity of the essential business functions during and after a disruption. The BCP encompasses broader business strategies, of which the DRP is a critical component, especially for the IT-dependent aspects of the organization. The incorrect answers: Overlapping plans: While the DRP and BCP may have some areas of overlap, particularly regarding IT systems that support critical business functions, the description “overlapping plans” does not capture the full nature of how they complement each other and work together. Separate and diverse plans: Although the plans are separate, with distinct focuses, the term “diverse” suggests that they may not be related, which is not accurate. The DRP is an integral part of the BCP, and they align toward a common goal of organizational resiliency. Competing plans: “Competing plans” inaccurately suggests that the DRP and BCP may have conflicting goals or priorities. In reality, they are designed to support each other and ensure the organization’s ability to respond and recover from disasters.

The correct answer: Identifying the critical files and directories to be monitored: Before deploying a File Integrity Monitoring (FIM) system, it’s crucial to determine which files and directories are critical and should be monitored. This involves identifying sensitive data, configuration files, system files, and other assets that, if altered, could impact the security or functionality of a system. By prioritizing these critical assets, organizations can ensure that the FIM system is focused on the most relevant and potentially vulnerable parts of their environment. The incorrect answers: Installing the FIM software: While it’s essential to install the FIM software to begin monitoring, it’s more important first to determine what files and directories are critical. Installing the software without this determination could lead to inefficiencies or missed vulnerabilities. Configuring the FIM system: Configuring the system is a subsequent step after determining which assets are critical and after the software is installed. Without first identifying what to monitor, configurations may not be optimized. Conducting a risk assessment: While risk assessments are vital in understanding and prioritizing threats, the direct first step in implementing an FIM system specifically involves identifying the files and directories for monitoring. Once we know which files needs to be monitored we can conduct a risk assessment on those assets.

The correct answer: Provide a constrained interface, so that commands are shown but dimmed if the user does not have sufficient privileges: Implementing the Clark-Wilson security model involves using the principle of well-formed transactions and separation of duties. A constrained interface is a way to enforce these principles. It allows the application to show users all the commands they may potentially execute while making it clear which commands they are not authorized to perform (dimmed options). This helps prevent unauthorized access to functions and ensures data integrity by restricting users to only the transactions they are permitted to execute. The incorrect answers: Provide a drop-down menu showing all possible subcommands: Simply providing a drop-down menu with all possible subcommands does not enforce any of the Clark-Wilson integrity constraints. It does not differentiate between transactions that a user can and cannot perform based on their privileges. Ensure users cannot read down to a classification below their security clearance level: This principle is related to the Bell-LaPadula model, which is focused on maintaining confidentiality in a system with different levels of classification. It primarily deals with preventing “read down” operations, where a higher-classified user might read information at a lower classification. The Clark-Wilson model is focused on data integrity, not confidentiality. Ensure users cannot write down to a classification below their clearance level: This is also a principle from the Bell-LaPadula model, known as the “no write down” or “ss-property” rule. It prevents users from writing information to a lower classification level, potentially causing a data spill. The Clark-Wilson model is concerned with integrity and does not deal with classification levels.

The correct answer: Given the severe implications of a SYN flood attack on a TCP-based web server architecture. In such an attack, the attacker initiates a large number of TCP connections but never completes the three-way handshake. This leaves the server holding a vast number of partially open connections, consuming resources, potentially leading to a Denial of Service (DoS) as the server might be unable to handle legitimate requests. The impact on a web server – a crucial part of the infrastructure that often faces the public internet – could be enormous, leading to significant downtime and potential loss of business. The incorrect answers: Fraggle attacks against UDP are indeed a concern, but they may not be as critical in this context. These attacks use UDP and not ICMP, making them potentially more successful, but the damage might be limited given the context. This scenario mentions a gaming server, and while downtime is a problem, the implications may not be as far-reaching as an attack on the web server infrastructure. Smurf attacks utilize ICMP, not UDP, rendering this option less pertinent. These types of attacks might pose a risk to your infrastructure, but as UDP is used for live video streaming in this context, they don’t apply directly. Also, ICMP blocking is common, which may reduce the potential impact of this type of attack. Sequence number prediction attacks on TCP connections are a concern, but in this context, the data being transmitted is from IoT sensors. It’s important to protect IoT data, but this threat may not be as critical in terms of potential damage to the infrastructure as a SYN flood attack on the web server architecture. Modern TCP/IP stack implementations also use random sequence numbers, making these types of attacks more difficult.

The correct answer: Prioritizing systems and components based on the Maximum Tolerable Downtime (MTD) is the most critical action at this stage. In the context of a healthcare organization, ensuring continuity of critical systems and minimizing downtime is of utmost importance because it can directly impact patient care and safety. This process involves assigning different systems to different tiers according to their importance and defining their MTD, that is, the maximum time that the system can be down without causing unacceptable damage to the organization’s operations or reputation. By identifying the MTD for each system, the organization can effectively prioritize its efforts in the event of a disruption, focusing on recovering the most critical systems first. The incorrect answers: Identifying all critical systems and components within the organization is indeed an essential step in conducting a BIA, but simply identifying systems does not give them a priority level in case of a disaster. The organization needs to go further by assigning an MTD to each system to prioritize its efforts effectively. Getting approval from senior management to proceed with the BIA is an important part of the project initiation phase, which usually happens before the BIA. Assuming that the BIA has already been approved as part of the BCP/DRP project, this step is less crucial at the current stage. Defining the scope of the BIA with all stakeholders is important, but it typically happens before starting the BIA. At this stage, prioritizing systems and components based on the MTD is more critical to ensure the effective recovery of systems in the event of a disaster.

The correct answer: Ensure accuracy and completeness: Claire is performing a one-for-one check of input documents most likely to ensure both the accuracy and completeness of the records. This type of check involves verifying that each item on a list or in a set of documents corresponds to an actual, specific counterpart in another set, ensuring that all items are accounted for and correctly recorded. The incorrect answers: Ensure completeness: While a one-for-one check does help to ensure completeness by making sure that all items are present, it also checks for accuracy by confirming that the items are correct. Therefore, the reason is broader than just completeness. Ensure correct sequence: A one-for-one check is not specifically about ensuring the correct sequence of items, although it may help identify sequence issues. Its primary purpose is to match items between sets to verify their existence and details. Ensure totals match the expected results: A one-for-one check typically focuses on the individual items rather than the aggregation of those items into a total. Ensuring totals match is more related to reconciliation tasks rather than the detailed verification of each item.

The correct answer: “It is a set of rules and guidelines used to ensure the security and integrity of data.”: This is the correct answer. The Clark-Wilson model is indeed a set of rules and guidelines used to maintain the integrity of data in a system. It introduces the concepts of well-formed transaction and separation of duties to prevent unauthorized or malicious actions. This model focuses on certifying that applications and processes are in place to change and manage access to data, making it particularly useful for business environments where data integrity is crucial. The incorrect answers: “It is a mathematical model used to describe the behavior of physical systems.”: This statement is not correct with respect to the Clark-Wilson model. While mathematical models are used in various fields to describe the behavior of systems, the Clark-Wilson model is a security model aimed at data integrity, not a mathematical model used to describe physical systems. “It is a database management system designed to store and organize large amounts of data.”: This statement is also not correct. The Clark-Wilson model is not a database management system. While it can be applied to systems that involve databases to ensure data integrity, it is not a tool or system for managing databases. “It is a security model that focuses on the separation of duties and the use of well-defined interfaces.”: While the concept of separation of duties is a part of the Clark-Wilson model, this statement is not entirely accurate. The Clark-Wilson model is more comprehensive, providing a framework for implementing a wide range of integrity controls in addition to separation of duties. It also includes the concept of well-formed transactions, which involves checking data integrity before and after a transaction, rather than focusing on well-defined interfaces.

The correct answer: Delegate the role of data custodian to an IT support specialist: The most likely action Naomi will take is to delegate the role of data custodian to an IT support specialist. Data custodians are typically responsible for the technical aspects of data management, such as granting and revoking access, taking backups, restoring files, and ensuring data integrity. An IT support specialist is usually well-equipped to handle these tasks, as they possess the necessary technical skills and access to the IT infrastructure. The incorrect answers: Delegate the role of data custodian to a junior manager in the Sales department: While a junior manager in the Sales department may have some managerial capacity, they might not have the technical expertise or the appropriate access to systems to manage the data effectively as a data custodian. Delegate the role of data custodian to a senior sales representative in the Sales department: A senior sales representative is likely to be more focused on sales activities rather than IT tasks. Therefore, they might not be the right choice for handling technical responsibilities associated with data management. Transfer the ownership to the IT department: Transferring the ownership of the data to the IT department is not the same as delegating custodial duties. Naomi, as the VP of Sales, should retain ownership of the sales data because it is used by her department and is within her area of expertise. The IT department can be given custodial responsibilities but not ownership.

The correct answer: Scheduling regular scans to identify new and existing vulnerabilities is the most crucial aspect when integrating vulnerability scanning into your security protocols. Given the dynamic nature of cybersecurity threats and the continuous updates in systems and software, regular scans are essential to identify new vulnerabilities as they emerge. Regular scans will help you keep up with any changes in your system configuration, detect outdated software, and track unpatched vulnerabilities. The incorrect answers: Selecting a scanning tool with the most comprehensive list of common vulnerabilities is important, but it doesn’t ensure protection against new or emerging threats. Also, without regular scanning, even a comprehensive tool may fail to identify vulnerabilities that emerge after the initial scan. Defining the IP range for the scanning tool to focus on is a practical approach, but its utility is limited in an environment where the network configuration changes frequently. Defining the IP range also doesn’t ensure the timely discovery of vulnerabilities unless combined with regular scanning. Ensuring the vulnerability scanning tool has the latest updates and definitions is a valuable practice as it keeps your scanning tool up-to-date with the latest known vulnerabilities, but without regular scans, even an up-to-date tool won’t be effective in identifying new vulnerabilities in your systems.

The correct answer: Bond a DSL connection and a satellite connection: Bonding these two different types of internet connections can provide continuous internet connectivity by offering complementary features. A DSL connection provides stable and reasonably fast speeds using a wired infrastructure, while a satellite connection ensures connectivity in the event of local infrastructure failures that could affect DSL service. Satellite connections can provide internet access even in remote areas where traditional wired or cellular connections may not be available. This combination allows for a backup in diverse scenarios, including local outages or severe weather conditions that might disrupt ground communications. The incorrect answers: Bond a fiber connection and a 5G MiFi connection: Although bonding a high-speed fiber connection with a wireless 5G connection would provide a robust setup, it’s not the combination mentioned as the correct answer for this question context. Specifically, a local natural disaster could render both ineffective and thus, stop a successful internet connection. Bond a fiber connection, 5G connection, and a DSL connection: While this setup would offer great redundancy and speed, incorporating fiber, wireless 5G, and DSL, it is not the chosen correct answer as per the context provided. Bond a 5G connection and 4G connection: Bonding two wireless connections from the same technology spectrum (cellular) does not provide as much diversity since similar issues affecting a 5G network could also affect a 4G network. However, this is not the correct answer according to the context.

The correct answer: Audit logs. Audit logs record events as they happen and can then be analyzed later to identify significant events or anomalies. They also meet the requirement of being passive, as they typically don’t require active management until an event of interest is detected. The incorrect answers: Line monitoring: This typically involves active management and immediate response to issues, so it doesn’t meet Nayeli’s requirements for a passive, after-the-fact analysis strategy. Motion detectors: While motion detectors are indeed passive, they don’t typically record detailed information that allows for in-depth analysis after the fact. Security guard and dog: This security measure is very active and immediate; it doesn’t facilitate in-depth, after-the-fact analysis.

The correct answer: Using a software inventory management tool, periodically compare the inventory software list. This proactively identifies any unauthorized or unlicensed software installations. By regularly monitoring and auditing your software inventory, you can detect and address the illegal use of software. The incorrect answers: Remind all users periodically not to use illegally obtained software: While reminders may be part of a comprehensive approach to managing software licenses, they would not be as effective at detecting illegal software use as a software inventory tool. Send a questionnaire by email to all users: This method relies heavily on user honesty and awareness, and may not yield accurate or complete information. Develop a software anti-piracy policy immediately and distribute to all users without fail: While having such a policy is important, it won’t help identify current illegal use of software. It’s more about prevention and establishing guidelines for future behavior.

The correct answer: In a GP-based system, the core element is the evaluation of the programs’ performance in solving the problem at hand. In the case of a NIDS, the “problem” would be detecting and responding to potential network intrusions. The effectiveness of the GP-based NIDS would largely hinge on how accurately and efficiently the programs can identify and respond to these intrusions. Setting up a robust evaluation metric is critical, and this would be the most important aspect when deploying a GP-based NIDS. The incorrect answers: The generation of an initial population of random computer programs is indeed a crucial step in the GP process, but without a robust evaluation mechanism to identify which programs are most successful at solving the problem, these initial programs would lack direction and purpose. Assigning problems to the generated programs is a necessary part of the GP process, particularly in the context of a NIDS where the “problems” would be potential network intrusions, but this alone does not ensure the effectiveness of the NIDS; it’s how the programs respond to these problems and how these responses are evaluated that ultimately determines the system’s effectiveness. Creating new programs based on the best existing programs, a process involving mutation and crossover, is a key aspect of the evolutionary process in GP. Nevertheless, identifying which programs are the “best” requires a robust evaluation process. Without this, it would be unclear which traits should be carried forward and which should be discarded. While important, this step is not as critical as the evaluation of the programs’ performance.

The correct answer: Overloading the host system with resource-intensive processes: This option does not typically result in a guest escape. Overloading the host system with resource-intensive processes, or a Denial-of-Service (DoS) attack, is an attack method where the attacker overwhelms the system’s resources, making the system unresponsive or slow to respond. However, this doesn’t result in the attacker gaining additional privileges or the ability to break out of their current environment. While such an attack can negatively impact the host and other guests sharing the same host, it does not provide a path for a guest to escape its virtualized or containerized environment and directly access the host system or other guests. The incorrect answers: Using a kernel vulnerability to gain root access to the host system: This is a common method of guest escape. If a guest system can exploit a vulnerability in the host’s kernel, it can potentially gain root access to the host system. The kernel is a key component of the host operating system, and having root access to it essentially gives the attacker full control of the host system, effectively allowing the guest to escape its confinement. Leveraging a VM escape vulnerability in the hypervisor: This is also a common method of guest escape. A hypervisor is the software that creates and manages virtual machines. If a guest can exploit a vulnerability in the hypervisor, it can potentially escape its virtualized environment and directly interact with the host system. This kind of exploit is known as a VM escape, and it is a significant security concern for virtualized environments. Using a software exploit to bypass security controls: This is another common method of guest escape. If a guest can exploit a vulnerability in the software on the host system, it can potentially bypass security controls and gain unauthorized access to the host system. This might involve exploiting a software bug, a configuration error, or a weakness in a security protocol. Once the security controls are bypassed, the guest can effectively escape its environment and interact directly with the host system.

The correct answer: Acquisition of a competing organization: The acquisition of a competing organization would normally have the largest impact on Information Security due to the complexity and scale of integrating different IT systems, policies, and processes. It involves merging sensitive data, aligning security practices, and potentially inheriting vulnerabilities from the acquired entity. Thorough security assessments and strategic planning are required to manage the numerous risks associated with such a major change. The incorrect answers: Opening a new office: While opening a new office involves security considerations such as setting up network connections and physical security measures, the impact is generally more localized and limited in scope compared to acquiring an entire organization. Moving our data center: Moving a data center is a significant event that affects Information Security, as it involves the physical and logical relocation of critical IT infrastructure. However, with proper planning and security controls, the impact can be managed effectively, while an acquisition introduces a much broader range of security variables and unknowns. Upgrading our firewalls: Upgrading firewalls is a routine information security activity that can be significant but is usually well-contained and managed within the scope of existing security operations. It does not typically have as profound or wide-reaching an impact on Information Security as the acquisition of another organization.

The correct answer: To identify potential attacks on our internal network: The main purpose of an Intrusion Detection System (IDS) is to monitor network and system traffic for suspicious activity and known threats, effectively identifying potential attacks on the internal network. The IDS analyzes traffic to detect various types of malicious activities, including security policy violations, threats, and any signs of compromised systems. The incorrect answers: To block traffic seen as malicious: While blocking malicious traffic is related to intrusion prevention, it is the primary function of an Intrusion Prevention System (IPS), not an IDS. An IPS is designed to not only detect but also prevent or block identified threats in real-time. To identify network misconfigurations: Identifying network misconfigurations is not the main purpose of an IDS. While an IDS might detect activity that could stem from a misconfigured network, its primary role is to identify potential security breaches or attacks, not to audit the network for configuration issues. To alert on true negatives: Alerting on true negatives would mean alerting on events that are not attacks, which is the opposite of what an IDS is intended to do. IDS aims to alert on true positives (actual attacks or suspicious activities) and minimize false positives (benign activities mistaken as attacks) and false negatives (missed actual attacks).

The correct answer: How easy it is to maintain and how often signature updates are released: The most important consideration before choosing an antivirus software product is its maintainability and the frequency of signature updates. Antivirus software must be kept up to date with the latest definitions (signatures) to effectively protect against new threats. Ease of maintenance ensures that the software can be kept current with minimal effort, reducing the risk of the organization being exposed to viruses and other malware. The incorrect answers: How large market share the product has and the TCO (Total Cost of Ownership): While market share can give an indication of the popularity and potential reliability of a product, and TCO is an important financial consideration, these factors are secondary to the software’s effectiveness and maintainability. How well it works with our IDSs (Intrusion Detection Systems), IPSs (Intrusion Prevention Systems) and firewalls: Compatibility with other security systems is important, but the primary function of antivirus software is to detect and eliminate malware. Its effectiveness and the ability to stay current with threats is the most critical aspect. How often the vendor releases major updates and their feature roadmap: The release schedule for major updates and the vendor’s roadmap are worth considering, as they provide insight into the product’s future. However, immediate ease of maintenance and the regular updating of signatures are paramount for ongoing protection.

The correct answer: Employing the RTM as a dynamic, iterative tool that adjusts to changing requirements over time is the most significant aspect. This approach ensures that the RTM stays relevant and useful throughout the software development lifecycle, capturing changes in requirements, project tasks, and deliverable documents, as well as adapting to evolving security landscapes. This continuous adaptation and tracking of requirements are key to avoiding overlooked elements and mitigating potential vulnerabilities. The incorrect answers: Updating the RTM to reflect the requirements of every new software version is an important practice, but it’s not the most significant aspect. This practice ensures that the new requirements are documented, but it doesn’t necessarily ensure that the RTM evolves with changing project needs or that the implementation of these requirements is tracked effectively. Having the RTM encompass all software requirements, including project tasks and deliverable documents, is crucial for comprehensive project management. But the breadth of information included in the RTM is less significant than how this information is used and updated over time, particularly as the requirements and priorities of a project may change. Including specific security requirements in the RTM from the start is a best practice, as it embeds security into the software development process. Nevertheless, while this is important, it does not address the need for these requirements to be adaptable over time in response to changing threats and project objectives.

The correct answer: Eight: In a /29 subnet, there are 8 total IP addresses, ranging from 201.225.231.120 to 201.225.231.127 when considering the subnet’s binary representation. However, in typical subnetting practice, the first address (201.225.231.120) is reserved as the network address, and the last address (201.225.231.127) is reserved as the broadcast address, leaving 6 usable IP addresses for hosts. Nonetheless, since the question specifies that the maximum number of servers that can use the NAT at the same time is being asked and does not account for network and broadcast addresses, the answer would be 8, implying that Dynamic NAT has been set up to use all addresses in the allocated address pool without the typical reservations. However, it is important to clarify that in a production environment, you would typically reserve the first and last address of the subnet and have only 6 usable addresses for devices. The incorrect answers: Five: The calculation for a /29 subnet results in 8 total IP addresses. Subtracting the network and broadcast addresses, which are traditionally reserved and not used for host assignments, would typically leave 6 usable IP addresses. Since the question implies that all 8 addresses are used for Dynamic NAT, stating 5 would be an undercount, making it an incorrect answer. Six: Under normal circumstances, a /29 subnet, which contains 8 IP addresses in total, would have 6 usable addresses after reserving one for the network address and one for the broadcast address. But the question, as framed, suggested using all addresses in the /29 subnet range, including typically reserved ones, for Dynamic NAT. Sixteen: A /29 subnet mask does not allow for sixteen usable IP addresses. It only provides 8 total addresses. With the standard practice of reserving the first address as the network address and the last as the broadcast address, this would generally leave 6 usable addresses. The number sixteen far exceeds the capacity of a /29 subnet and is not a correct answer.

The correct answer: This address cannot be reached by the firewall: The IP address 127.0.0.1 is known as the loopback address, which is used by a computer to direct traffic to itself. It is not a valid destination for external traffic, as it is used for internal communication within the host. Thus, a firewall rule permitting traffic to these ports on the loopback address does not make sense, because the firewall typically manages traffic between distinct hosts on a network, not traffic sent to a host from itself. The incorrect answers: This address is missing the subnet mask: While it’s true that IP addresses can be associated with a subnet mask, the concern with a rule involving 127.0.0.1 is not about subnetting. The loopback address is universally recognized and does not require a subnet mask in the context of a firewall rule. The web server would never be assigned this address: This statement is partially true; a web server intended for external access would not be assigned 127.0.0.1 as its IP address. However, the key reason for suspicion is that the loopback address is not reachable through the network and is intended for internal host communications only. This address is used to send a broadcast to all servers on the subnet: The address 127.0.0.1 is not used for broadcasting. Broadcasts to all hosts on a local network are typically done using the broadcast address specific to the subnet, not the loopback address. The loopback address is used solely for traffic internal to the host.

The correct answer: Non-Disclosure Agreement: The most likely document that would prevent Mark from sharing his inside knowledge with a friend who works for a competitor is a Non-Disclosure Agreement (NDA). An NDA is a legal contract between an employee and an employer that explicitly prohibits the sharing of confidential information with unauthorized parties. NDAs are designed to protect sensitive business information and trade secrets, and violating an NDA can result in legal consequences. The incorrect answers: Acceptable Use Policy: An Acceptable Use Policy (AUP) typically outlines the proper usage of company resources, such as computers, networks, and internet services. While it might include clauses about protecting company information, it is not as specifically targeted to prevent the sharing of inside knowledge as an NDA. Non-Compete Agreement: A Non-Compete Agreement (NCA) restricts an employee from working for competitors or starting a competing business for a specified period after leaving the company. While it’s related to competition, it doesn’t specifically prohibit the sharing of knowledge while employed. Third-party Access Policy: A Third-Party Access Policy governs how external entities can access the company’s resources and what security controls are in place for such access. It is more relevant to vendors or partners than to employees and does not directly address the issue of an employee sharing information with friends.

The correct answer: Testing. Dynamic analysis involves executing the software under test and observing its behavior to detect possible errors. This approach is often used in testing, where a program is run with selected inputs and the outputs are checked for correctness. The incorrect answers: Inspections: These do not involve executing the software; instead, they involve manually reviewing the code or design documents. Code reading: This is a form of static analysis, not dynamic. It involves reading through the code to understand its purpose and functionality and to check for potential errors. Tracing: While tracing can be part of dynamic analysis, it refers specifically to following the flow of execution through a program, not the process of detecting errors as a whole.

The correct answer: Biba; Tim can read and Harvey cannot; but Harvey can write comments and Tim cannot: The Biba model focuses on ensuring the integrity of the information, which is achieved through two main principles: the “no read down” rule and the “no write up” rule. Given that the documents are at a mid-level clearance (Confidential), under the Biba model, Tim, who has a low-level clearance (Enhanced Reliability), would be able to read the documents (no read down) but not write to them (no write up) to prevent contamination of the higher integrity data. Harvey, with a high-level clearance (Secret), would not be able to read the documents (to maintain his higher integrity level and prevent potential downgrading of information), but he would be allowed to write comments (no write down), as his higher integrity level ensures that he would not compromise the data’s integrity. The incorrect answers: Biba; both Tim and Harvey can read; but only Harvey can write comments: This choice is incorrect because, according to the Biba model’s “no read down” rule, Harvey should not be able to read data at lower integrity levels than his own to prevent him from accessing potentially less reliable data. Bell-LaPadula; Harvey can read, and Tim cannot; but Tim can write comments and Harvey cannot: The Bell-LaPadula model is primarily focused on maintaining confidentiality, not integrity. Its “no read up” and “no write down” rules serve to prevent unauthorized access to information based on clearance levels and would not allow a lower clearance individual to write to a higher clearance document. Brewer-Nash; both Harvey and Tim can read Jada’s papers and write their comments; but neither can read or write to their marketing documents at the same time: The Brewer-Nash model, or Chinese Wall model, is designed to prevent conflicts of interest by separating access to data based on conflict classes. It does not handle data integrity in the same way as the Biba model and does not apply clearance levels to read and write operations as described in the scenario.

The correct answer: Authorization comes after authentication. Authentication is the process of verifying the identity of a user, system, or device. It often involves checking a username and password, or some other form of credentials. Authorization comes after a user or system is authenticated. It involves granting permissions to the authenticated user or system, determining what they can access and what actions they can perform. The incorrect answers: Authentication is granting permissions: This is incorrect. Authentication is about verifying identity, not granting permissions. Authorization is verifying the identity of a user: This is incorrect. Authorization is about granting access and permissions, not verifying identity. Authorization comes before authentication: This is incorrect. Authentication usually comes before authorization. You need to know who someone is (authentication) before you can decide what they can do (authorization).

The correct answer: Cold site: A cold site is the cheapest solution for an alternate site where specialized hardware is available in the event of a disaster. Cold sites typically provide only the basic physical environment for a data center, such as space, power, and connectivity, but not the actual hardware or data replication. The company would be responsible for installing and configuring their specialized hardware at the cold site in the event of a disaster, which allows for cost savings compared to more fully-equipped alternatives. The incorrect answers: Hot site: A hot site is a fully equipped and operational data center that includes not only the physical space but also the hardware, software, and live data replication necessary to assume operations quickly after a disaster. Hot sites are the most expensive alternate site solutions due to the high level of readiness and maintenance required. Warm site: A warm site is a compromise between a hot site and a cold site, providing some level of pre-installed equipment, but not the full real-time data replication of a hot site. Warm sites are less expensive than hot sites but more costly than cold sites because they include more infrastructure. Mobile site: A mobile site typically consists of a portable structure that can be shipped to a location and set up quickly in the event of a disaster. These sites are equipped with necessary hardware and connectivity solutions, making them more expensive than a cold site, which does not include such pre-installed equipment.

The correct answer: The hold down timer is a feature that could have significant implications for network performance. While it’s intended to allow routes to stabilize before the routing table is updated, if set incorrectly or inappropriately for the network’s conditions, it could lead to inefficiencies. For example, it could cause delays in route updates if it’s set too long, or frequent, unnecessary updates if set too short. As a result, it’s a critical feature to evaluate when looking to improve the performance and efficiency of a network using RIP. The incorrect answers: It is true that RIP uses UDP Port 520, but this is more of a technical detail and doesn’t have as significant an impact on overall network performance as other factors. Changing this would require altering the entire protocol, which is more disruptive than adjusting certain settings or features. The built-in loop prevention mechanism is essential to the functioning of RIP and any other routing protocol. Removing or altering this would likely lead to instability and inefficiency, as it could result in routing loops. This is not something to be critically evaluated, but something that should be maintained. Split horizon is another crucial feature that prevents routing loops, which are detrimental to network performance. Although it is worth understanding how it functions and its implications, it isn’t the feature most in need of critical evaluation.

The correct answer: hornsbp1, because this format follows the guidelines: John is most likely to create the username “hornsbp1” for the new employee, Frank Hornsby, because it follows the company’s recommended guidelines for username creation. Companies often have specific username formats to maintain consistency, make account management easier, and may include elements that tie the account to the actual user’s name for identification purposes internally. The incorrect answers: cowboy, because the guidelines are optional, and this username is unique: Even if the guidelines are not mandatory and the requested username is unique, it is generally best practice to follow established company guidelines for consistency and potential security reasons unless there is a compelling justification to deviate. hornsbp1, because cowboy would be too conspicuous and may attract attackers: While “cowboy” could be considered more conspicuous than “hornsbp1”, the primary reason for choosing “hornsbp1” would typically be adherence to company guidelines rather than the risk of attracting attackers, which is a less common concern for usernames. cowboy1, because this almost follows the guidelines and would not be too conspicuous: Adding a numeral “1” to the requested username “cowboy” does not make it align with the guidelines, which likely specify a particular structure based on the employee’s real name. The adherence to the format is usually more important than the conspicuousness of the username.

The correct answer: CPU utilization and network utilization: The most likely pair of metrics that will indicate a distributed denial-of-service (DDoS) attack is in progress is CPU utilization and network utilization. DDoS attacks typically involve overwhelming a target’s network with a flood of internet traffic, which can lead to high network utilization. This in turn can cause increased CPU utilization as the system tries to process the incoming requests. The incorrect answers: Memory utilization and network utilization: While high network utilization is a strong indicator of a DDoS attack, memory utilization may not necessarily be affected in the same way as CPU or disk resources, as DDoS attacks primarily overwhelm network capacity and processing power rather than memory. CPU utilization and disk activity: DDoS attacks are focused on saturating network resources and causing service disruption, rather than causing high disk activity. Therefore, monitoring disk activity is less likely to indicate a DDoS attack compared to network utilization. Disk activity and network utilization: Disk activity is not typically the primary indicator of a DDoS attack, as these attacks target network resources. While high network utilization is relevant, disk activity does not correlate as directly with DDoS attacks as CPU utilization does.

The correct answer: System interconnectivity and poor security management. High system interconnectivity can increase the risk exposure of IT assets, especially if combined with poor security management. If security management practices are deficient, potential vulnerabilities might not be effectively identified or mitigated, making the interconnected systems more susceptible to security breaches or data loss. Security management can also encompass keeping data secure during disasters, which would include having backups. The incorrect answers: System interconnectivity and poor controls over data sensitivity: Although this could increase risk, poor security management generally poses a greater overall risk as it affects all aspects of security, not only those related to data sensitivity. System interconnectivity and lack of system backups: While lack of backups could be a significant issue in case of data loss, the immediate risk due to lack of proper security management can be higher. System interconnectivity and inadequate physical security: Physical security is crucial, but in a highly interconnected system, poor security management practices can potentially expose the system to more immediate and expansive risks.

The correct answer: To minimize residual risk. The primary objective of any risk management program is to minimize residual risk to an acceptable level. Residual risk is the risk that remains after all risk management strategies have been applied. The incorrect answers: To eliminate business risk: It’s unrealistic and impractical to completely eliminate business risk. The goal is to manage risk within acceptable levels. To implement effective controls: While this is a part of managing risk, the ultimate goal is not just to have controls in place, but to use those controls to reduce residual risk. To minimize inherent risk: Inherent risk is the risk that exists before any controls or mitigation strategies are implemented. The focus of risk management is on reducing the residual risk that remains after controls are applied.

The correct answer: Regular testing of the incident response plan: To avoid the mistake of not properly reporting a security incident, regular testing of the incident response plan is crucial. This ensures that all relevant personnel, including systems administrators, are familiar with their roles and responsibilities during an incident, and it reinforces the importance of timely communication with the Information Security team. This can also be known as a simulation. The incorrect answers: Regular testing of our IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems): While it is important to ensure that IDS and IPS are functioning correctly, this does not address the procedural mistake made by the systems administrator in failing to notify the Information Security team. Regular reviews of the incident response procedures: Regular reviews are important to ensure that incident response procedures are up to date and effective, but simply reviewing the procedures may not ensure that personnel will follow them during an actual incident. This can be known as a tabletop exercise. Testing and drills are needed to reinforce the correct actions to take. Creating mandatory Information Security training for all employees: Mandatory Information Security training for all employees is a good practice for raising overall awareness. However, regarding an incident response, it is more important to focus on specific training and testing for those directly involved in managing incidents to ensure they understand and can execute the response plan effectively.

The correct answer: HR department needs to perform identity proofing: The most likely reason for the request to bring a driver’s license, government-issued photo identification, and college diploma is for the Human Resources (HR) department to perform identity proofing. This process involves verifying that a person is who they claim to be. By checking government-issued IDs and education credentials, HR can ensure that Frank’s identity and the claims made during the hiring process (such as education qualifications) are accurate and valid. The incorrect answers: Manager needs to verify his education credentials: While verifying education credentials is important, it’s typically a function of the HR department rather than the direct manager, and it would not usually require a driver’s license or photo ID, but rather just the diploma or transcripts. Security department needs to copy his photo in order to create his company access badge: A security department may need a photo to create a company access badge, but it’s unlikely they would request a college diploma for that purpose, and a company photo can often be taken on-site. Finance department needs to add him to insurance policy covering company drivers: If Frank’s role required driving, obtaining his driver’s license might be necessary for insurance purposes. However, a college diploma and a separate government-issued photo ID would typically not be required for this purpose.

The correct answer: Prudent person rule: The prudent person rule is the correct term for Thor’s personal responsibility as the CEO in addressing risks facing the organization. This rule requires individuals in positions of authority, like Thor, to exercise the same degree of care and diligence that a prudent person would under similar circumstances. It focuses on the accountability and expected behavior of someone entrusted with governance and oversight, ensuring that the decisions made are prudent and in the best interest of the organization and its stakeholders. The incorrect answers: Due care: While due care is a legal and ethical obligation to act responsibly and is often associated with the prudent person rule, it is more specific to taking the necessary care to protect the company and its assets. In contrast, the prudent person rule is a broader standard that emphasizes the decision-making process and the approach that someone in a position of trust should take, which is why it’s the best descriptor for Thor’s role. Due diligence: Due diligence is the investigation and evaluation process undertaken to understand the risks associated with a business decision or transaction. It’s evidence of the prudent person rule in action, but as a term, it specifically refers to the careful examination and research done before concluding agreements or investments, rather than the ongoing risk oversight provided by an executive like Thor. Building consensus: Building consensus involves uniting a group behind a decision or strategy. It is a crucial part of leadership, especially for a CEO who needs the support of various stakeholders to move the company forward. However, it does not directly relate to the individual responsibility of addressing overall risks facing the organization. The prudent person rule is more relevant in this context as it relates to the fiduciary duties of the CEO.

The correct answer: Conflict of interest: Naomi, as the VP of Sales, is responsible for managing the customer data. By deciding to run a report that involves analyzing customer stability based on the length of time they stay in the same house, and doing so using her desktop, she may inadvertently create a conflict of interest. This is especially true if the information is sensitive, and running the report on her desktop could lead to a potential breach of trust or security. As a data owner, she should be aware of the proper channels and procedures for handling PII and should avoid situations where her personal handling of data could conflict with the company’s data protection policies or legal obligations regarding customer privacy. Specifically, this may breach any agreements between the business and customers on what data will be used and how. The incorrect answers: Data controller: The data controller is an entity that determines the purposes and means of processing personal data. In many organizational contexts, the VP of Sales would be considered a data controller since they decide how customer data is used. However, in this scenario, Naomi’s actions involving the processing of PII on her personal desktop raise concerns about a potential conflict of interest or breach of data governance practices. Data processor: A data processor processes personal data on behalf of the data controller. While Naomi’s actions involve processing data, the primary concern here is not her role in processing but the possibility that her actions may lead to a misuse of customer data or an insecure handling of sensitive information, which depicts a conflict of interest. Data steward: A data steward manages the integrity, usability, and security of the data based on the organization’s guidelines. Although Naomi has stewardship over the data being the VP of Sales, the scenario raises issues about personal handling and potential conflicts of interest rather than issues related to data quality or integrity management.

The correct answer: Internet – FW1 – DMZ – FW2 – OZ – FW3 – RZ: This configuration provides the most secure setup by having a dedicated firewall (FW) for each network zone transition. Traffic from the Internet comes through FW1 to reach the DMZ, then through FW2 to get to the Operations Zone (OZ), and finally through FW3 to access the Restricted Zone (RZ). Each firewall enforces policies specific to the traffic allowed in and out of its respective zone, thus creating a layered security approach with clear boundaries between each zone. The incorrect answers: Internet – FW1 – DMZ – FW2 – OZ and FW2 – RZ: This configuration suggests two separate paths from the DMZ to both the Operations Zone and Restricted Zone through the same firewall (FW2). Having both OZ and RZ behind FW2 without an additional layer of firewall protection for the RZ from the OZ could compromise the security between these sensitive zones. Internet – FW1 – DMZ and FW1 – OZ – FW2 – RZ: This configuration implies a single firewall (FW1) between the Internet and both the DMZ and OZ, with a second firewall (FW2) between the OZ and RZ. This shared FW1 between the Internet and OZ could introduce vulnerabilities and does not provide as strong a security boundary as separate firewalls for each transition. Internet – FW1 – DMZ and FW1 – OZ and FW1 – RZ: This configuration suggests one firewall (FW1) is used for all zones, which is the least secure. It does not provide the benefits of a layered defense and could potentially allow for lateral movement between zones if a breach occurs.

The correct answer: Provide non-repudiation, protect confidentiality, and protect integrity. Cryptography provides multiple benefits, including: Non-repudiation: Ensures that a party cannot deny the authenticity of their signature on a document or the sending of a message. Confidentiality: Ensures that only authorized parties can access the data. Integrity: Ensures that data has not been altered in transit. The incorrect answers: Provide non-repudiation and protect confidentiality: This misses the benefit of ensuring data integrity. Protect both confidentiality and integrity: This misses the benefit of non-repudiation. Protect confidentiality, integrity, and availability: While cryptography can help protect confidentiality and integrity, it doesn’t directly ensure availability, which usually depends on system resilience and redundancy.

The correct answer: The data owner: Bob should notify the data owner first. In the context of incident response, the data owner is the individual responsible for the data that has been compromised and is in the best position to understand the significance of the breach. The data owner can assess the impact, help determine which customers are affected, and play a crucial role in coordinating the appropriate response, including customer notification and regulatory reporting. The incorrect answers: The Information Security steering committee: While the Information Security steering committee is an important body that should be informed about security incidents, notifying the data owner first is more critical for immediate response actions. The customers who were compromised: Notifying customers is a necessary step, but it typically comes after an initial assessment and containment of the breach. The data owner, along with the incident response team, will determine the timing and content of communication to customers. The regulatory agencies that govern our sector: Regulatory agencies are often required to be notified in the event of certain types of breaches; however, they are typically not the first point of contact. The immediate response involves assessment and containment, followed by notification to regulatory agencies as dictated by applicable laws and regulations, after the initial internal actions are taken.

The correct answer: The Recovery Time Objective (RTO) should be your primary focus given the nature of the hospital’s patient records systems. The RTO represents the duration of time within which a business process must be restored after a disaster (or disruption) to avoid unacceptable consequences associated with a break in business continuity. In this scenario, any significant disruption in access to patient records can lead to life-threatening situations, so the aim should be to restore access to these systems as quickly as possible, making RTO the most critical metric. The incorrect answers: The Recovery Point Objective (RPO) is the maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident. This is also an important metric, but it may not be as crucial as RTO in this scenario. Though loss of data can also lead to severe problems, the immediate priority for the hospital would be to get the patient records systems up and running again to avoid any immediate threats to patients’ lives. The Maximum Tolerable Downtime (MTD) is the total amount of time that a business process can be disrupted without causing irreparable harm to the business, but in a critical health-care setting like a hospital where downtime can result in life-threatening situations, the MTD might be close to the RTO. Even so, focusing on achieving a very low RTO can ensure that the MTD is not exceeded. Work Recovery Time (WRT) is the duration of time it takes to catch up on work not done during an outage. This is important but is less critical in this scenario compared to RTO, given the urgency to get the patient records systems operational again. The priority in this case is to restore the systems and not necessarily to catch up on work not done during the outage.

The correct answer: Smartphones typically receive regular patches, making them more secure than other IoT devices, but they can still present security risks. They can be lost, stolen, or compromised, and if connected to the primary secure network, these incidents can pose a significant threat to the organization’s network security. Isolating smartphones on a separate IoT VLAN minimizes these risks by segregating them from the primary network. Even if a smartphone is compromised, the impact is confined within its VLAN, limiting potential damage to the organization’s main business operations. The incorrect answers: Keeping smartphones on the primary secure network due to their regular patching can still expose the network to potential threats. Patching only mitigates known vulnerabilities, and there might still be unknown or zero-day vulnerabilities that can be exploited by attackers. Mandating frequent manual patch updates on all smartphones is a good practice, but it doesn’t provide a comprehensive solution. Despite frequent patching, there could still be vulnerabilities, and human error can lead to lapses in the manual patching process. Implementing a strict mobile device management (MDM) policy to monitor and control smartphones is also essential for an organization’s mobile security. However, an MDM policy primarily provides control and monitoring of mobile devices and doesn’t inherently isolate potential threats.

The correct answer: The process owners. Process owners, who have a deep understanding of their operations, are usually the best suited for performing risk analysis. They are most familiar with their processes and likely to accurately identify and assess associated risks. Managers, for example can assess overall risk and implement solutions with a top-down approach. The incorrect answers: External auditors: While they play a crucial role in independently verifying that risk management processes are being followed, they may not have the detailed knowledge of specific day-to-day operations required for in-depth risk analysis. A group of peers from our competitors: Besides potential conflicts of interest, peers from competitors likely lack the intimate knowledge of your organization’s specific processes and operations necessary for effective risk analysis. An external management consultant specialized on our line of business: Although they can provide valuable insights, they may not have the same level of detailed knowledge about the specific processes and operations as the process owners do.

The correct answer: Parameterized queries are one of the most effective ways to prevent SQL injection attacks. These queries make sure that an attacker can’t change the intent of a query, even if they insert malicious input. The parameters to SQL commands are separated from the commands themselves, meaning they are treated as strings of text and not executable code. This method essentially renders SQL injection attacks useless because even if an attacker attempts to insert malicious SQL as a parameter, it won’t be executed as SQL, instead, it would be treated just as a regular string. The incorrect answers: While input validation is a good practice for general security, it alone is not very effective at preventing SQL injection attacks. Input validation involves checking the user’s input to ensure it meets certain criteria before processing it. Since SQL injections involve the insertion of valid SQL code into user input fields, they may pass through input validation if it is not specifically designed to detect SQL code. This method also fails against sophisticated attacks where SQL code is obfuscated or encoded to bypass basic validation checks. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. While firewalls can prevent many types of network-based attacks, they typically don’t analyze the contents of individual database queries. A firewall wouldn’t necessarily protect against SQL injection attacks, which involves injecting malicious SQL code into valid application requests. Encryption is a method used to protect data confidentiality by transforming plain text information into an unreadable form (cipher text). It is mainly used to prevent unauthorized access to data, but it does not prevent SQL injection attacks. SQL injection involves the misuse of application interfaces to execute unintended commands. Even if the data is encrypted, if an attacker can inject SQL commands into the database query, the database will decrypt the data before processing it, and the injected commands will still be executed.

The correct answer: Communications team: Following the formal declaration of a disaster and the initial triage team assessment, the Communications team would most likely be called upon next. They play a crucial role in managing internal and external communications, informing stakeholders, coordinating with emergency services, issuing public statements, and keeping employees updated on the situation. Effective communication is critical in managing the aftermath of a disaster and in the recovery process. The incorrect answers: Facilities management: While Facilities management is important in addressing the physical impact of a disaster on the organization’s property, the immediate next step after triage typically involves communication rather than facility repair or management. IT Services department: The IT Services department will be essential in restoring technological infrastructure and systems, but they are more likely to be called upon after the initial communication phase unless the disaster specifically impacted IT systems directly. Legal department: The Legal department will be important in navigating any legal implications of the disaster and for advising on regulatory reporting requirements. However, they are generally not the next team called upon immediately following the triage, unless there are immediate legal considerations that need to be addressed.

The correct answer: Capability Table: If Thor is assigning read access to a group of files and can organize the users into five departments, using a capability table would be the most likely mechanism. A capability table is a system used to define access rights based on capabilities, which are tokens or keys that grant permissions to users or groups to access specific system objects such as files. Since Thor is dealing with several hundred employees, it would be more efficient to manage access by assigning capabilities to departments, rather than managing individual file permissions for each user. The incorrect answers: Access Control List: While ACLs are a common method for controlling access to files based on user identities and group memberships, they are not as suited to scenarios with a large number of users where permissions are uniform across common objects. ACLs could become complex and cumbersome to manage with several hundred individual entries. Content-dependent access controls: This form of access control relies on the content within the objects to determine access, rather than predefined capabilities or groups. This would not be the most efficient method for Thor, as he is looking to assign access based on departmental grouping, not content evaluation. Application access control: Although application access control could theoretically be used to govern access to certain files within an application, it is not the most likely choice for managing file access at an organizational or departmental level across multiple applications or systems. Application access controls are more specific to the functions within the application itself.

The correct answer: Detecting network layers. In the context of network monitoring, observing network layers would generally refer to monitoring the activities or status of different layers in the OSI model, but it’s not a task typically associated with verifying proper network operation. The other tasks listed are more directly related to monitoring network performance and identifying potential issues. The incorrect answers: Detecting terminal errors: These could indicate problems with end-user devices or the applications running on them, affecting the overall network performance. Detecting line errors: Line errors could indicate problems with the physical network connections or with the transmission of data over the network. Detecting router errors: Router errors could affect the routing of data across the network and therefore impact network performance.

The correct answer: Verify data accuracy and completeness: As the data custodian, Fred is responsible for ensuring the technical accuracy and completeness of the data. When facing an issue with referential integrity in a database, verifying the accuracy and completeness of the data is critical. This process involves checking that all data is present and correct in relation to the defined relationships within the database. Fred would need to identify the specific discrepancies or errors causing the referential integrity problem and then make the necessary corrections to resolve them. The incorrect answers: Create new data: Creating new data will not typically resolve an issue with referential integrity. Referential integrity problems arise when the relationships between data in a database become inconsistent. Simply adding new data will not fix these inconsistencies and may even compound the problem if not done with an understanding of the underlying referential constraints. Restore previous values from backup: Restoring values from a backup may be a potential solution to address referential integrity issues, especially if the problem is the result of recent corruption or erroneous changes. However, this approach might lead to loss of all changes made after the last backup, including legitimate updates, and does not involve actively verifying the current data’s accuracy or completeness. Alert the security operations team: While alerting the security operations team is important if there is a suspicion of a security breach leading to the referential integrity issue, it does not directly resolve the problem. The immediate task is to verify the data and its relationships, ensuring they conform to the database’s referential rules, which is a responsibility of the data custodian.

The correct answer: To authorize changes: The primary purpose of the change control process is to authorize changes. This process ensures that any alterations to systems, software, or procedures are reviewed, approved, and documented before implementation. It helps to manage risk by ensuring that changes are necessary, beneficial, and will not disrupt operations or compromise security. The incorrect answers: To apply changes: While the application of changes is part of the overall change management process, the primary purpose of change control is to provide a formalized approach to authorizing changes before they are applied. To document changes: Documentation is an important aspect of the change control process, but it is not the primary purpose; rather, it supports the goal of ensuring that authorized changes are recorded for future reference and accountability. To test changes: Testing is a critical step in the change management process to ensure that changes do not negatively impact existing systems, but it is not the primary purpose of the change control process. Testing typically occurs after authorization and before final implementation.

The correct answer: COBIT 2019: COBIT, which stands for Control Objectives for Information and Related Technologies, is primarily a framework focused on governance and management of enterprise IT. Although COBIT can help organizations align IT with business strategies and manage IT-related risks, it is less likely to be directly used for listing specific security controls for application development compared to other standards that provide detailed control catalogs. The incorrect answers: ISO 27002: ISO 27002 is a well-established international standard that provides best practice recommendations on information security controls, making it a suitable reference for listing security controls in application development. NIST SP 800-53: NIST SP 800-53 is a comprehensive catalog of security and privacy controls for all U.S. federal information systems (except those related to national security) and is directly focused on listing such controls, making it highly relevant for application development. NIST SP 800-53A: NIST SP 800-53A provides guidelines for assessing the effectiveness of security controls, and while it is not the primary resource for listing controls, it is related to the implementation of the controls listed in NIST SP 800-53, which itself is applicable for the development process.

The correct answer: Least privilege: The principle of least privilege is the best term for this type of activity where privileges are limited to the minimum necessary to perform a job or task. Francis, as a developer, has the privileges to write and compile code and update the version control library, which are necessary for his role. Tanya, as a business analyst, has privileges to update requirements but does not have privileges that are not relevant to her role, such as writing and compiling code. The incorrect answers: Segregation of Duties: Segregation of duties involves dividing tasks and associated privileges among multiple people to reduce the risk of error or fraud. While related, this concept doesn’t specifically describe the assignment of privileges based on job function; it’s more about ensuring that no single individual has control over all aspects of a critical process. Need to know: The need to know principle is about access to information rather than system privileges. It states that individuals should only have access to information that is necessary for them to perform their job functions. Four eyes rule: The four eyes principle requires that a certain process or decision must be approved by at least two people. It is an internal control mechanism to prevent unilateral decisions on important matters but is not specifically related to the assignment of system privileges.

The correct answer: Server responds with an ephemeral port above 49,000, and listens for Ken’s traffic on that port: This answer is not typically associated with the standard behavior of the TCP three-way handshake. Normally, port numbers do not change during the process of establishing a TCP connection. The server would conventionally respond to Ken’s initial SYN message on the same port that Ken used to initiate the connection, which is port 443 in this case. The incorrect answers: Server responds on port 443 and continues to listen for Ken’s traffic on that port: Typically in a TCP three-way handshake, the server responds to the client’s initial SYN message by sending a SYN-ACK message back to the client’s source port from the server’s port on which it received the client’s SYN message, which is why this would be the expected behavior. Server responds on port 49,123 and listens for Ken’s traffic on port 49,123: The server would not use Ken’s source port to listen for traffic. In a TCP connection, the server responds to the port from which the client initiated the connection, but it listens on its own service port. Server responds on port 49,123 and continues to listen for Ken’s traffic on port 443: The server sends its response to the client’s source port, but it does not listen on the client’s source port. The server continues to listen on the port associated with the service it provides, which in this case is port 443 for HTTPS.

The correct answer: Finish updating the system documents: Before the deployment of the next version of an application, especially one that is a total rewrite, updating system documentation may be considered a lower priority, or even unnecessary, if the documents will not be applicable to the new version. In a total rewrite scenario, the focus might shift to preparing documentation for the new system, rather than updating documents for the current one that will soon be replaced. The incorrect answers: Archive the critical information: Archiving critical information is a likely activity, as it preserves essential data that may be needed for reference or compliance purposes, even when a new application version is being deployed. Sanitize the media before it is disposed: Sanitizing media is a standard security practice to protect sensitive information before disposal of storage devices, making it a likely activity if any media is being decommissioned in association with the new deployment. Dispose the hardware: While disposing of hardware is less likely in the context of a software rewrite, if the new application requires different hardware specifications, disposing of or repurposing old hardware could potentially be considered as part of the upgrade process. However, this would generally not occur before the deployment of the new software, but rather as a part of the transition planning.

The correct answer: Establish baseline standards for all locations, and then add additional standards for locations that require more security. This approach allows for creating a consistent minimum level of security across the organization while acknowledging and addressing the specific regulatory requirements of each location. The incorrect answers: Incorporate all of the regulations into one overarching policy that covers all the requirements of all the locations and ensure all locations follow it: This approach might be unnecessarily strict for some locations and may not fully address the specific needs of each location. Find the industry best practices and ensure all locations are in compliance with those: Best practices are useful guides, but complying with them doesn’t necessarily ensure compliance with specific regulations in each location. Find the common requirements that all locations have and implement those: This approach may miss specific requirements that are unique to certain locations. While it creates uniformity, it might not fully comply with all regulations.

The correct answer: A lot of emergency change requests: A high number of emergency change requests can be an indicator of insufficient or ineffective planning and control within the change management process. Emergency changes are typically unplanned and urgent, suggesting that the standard change request procedures may not be adequately addressing the needs of the organization or that changes are not being anticipated and managed proactively. The incorrect answers: A lot of canceled change requests: While a high number of canceled change requests might indicate indecision or a lack of clarity at the initial stages of the change process, it does not necessarily point to a problem with the change request procedures themselves. A lot of postponed change requests: Postponement could indicate scheduling or resource allocation challenges but does not inherently signal an issue with the change request procedures. A lot of similar change requests: Similar change requests could point to a common issue that needs addressing, or a broad need within the organization. It may not necessarily reflect a problem with the change request procedures, but rather with other aspects of system management or maintenance.

The correct answer: Unclear roles and responsibilities for security stand as a fundamental flaw indicative of a lack of cloud security architecture and strategy. If an organization doesn’t clearly define who is responsible for what in the security realm, it creates confusion, overlap, or gaps in responsibility. This may lead to security risks not being properly identified or mitigated, simply because no one knows whose job it is to handle them. In a well-structured security architecture, each role, from management to technical staff, should have well-defined responsibilities and authorities concerning security. Lack of clarity here undermines the entire security posture and reflects a failure at a strategic planning level. The incorrect answers: Insufficient security controls: Insufficient security controls might reflect a specific operational failure or a lack of investment in certain areas, but not necessarily a total lack of architecture or strategy. It might also be indicative of budget constraints or a misalignment with business needs, rather than an overarching flaw in strategic planning. Lack of monitoring and reporting capabilities: While monitoring and reporting are essential for security, a lack of these capabilities might not necessarily point to an absence of an overall security strategy or architecture. It might reflect a focus on other security priorities, a lack of understanding of the importance of monitoring, or even budget limitations. While concerning, it’s not as fundamental a flaw as a lack of clarity in roles and responsibilities. Inadequate incident response plans: An inadequate incident response plan is certainly a serious issue and might reflect a failure in a specific area of planning and preparedness. It doesn’t necessarily point to a complete lack of architecture or strategy. It could be the result of failing to keep plans updated, insufficient training, or lack of coordination between departments. While it needs to be addressed, it doesn’t necessarily reflect a fundamental failure in the overarching security architecture and strategy, as the unclear roles and responsibilities do.

The correct answer: Calculating the ROI (Return on Investment): Calculating the ROI is the most helpful action when developing a business case for buying new security software. ROI measures the profitability or effectiveness of an investment and compares it against the cost. By calculating the ROI, we can demonstrate the value that the security software would bring to the organization relative to its cost, which is a compelling financial justification for the purchase. The incorrect answers: Assess how often the software could help us mitigate specific security risks: While assessing the effectiveness of the software in mitigating security risks is important, this action alone does not provide a complete business case. A comprehensive business case should also include financial considerations, such as ROI, to justify the investment. Quantifying the cost of the control failures: Quantifying the cost of control failures helps understand the potential losses associated with security incidents. However, it does not offer a full picture of the benefits versus the expenses of the new software, which is necessary for a business case. Compare the spending to what is normal in organizations similar to ours: Comparing spending with industry norms can provide context for budgeting decisions, but it does not directly measure the value or performance of the specific investment in new security software. A business case should be based on the specific benefits and financial return of the investment rather than solely on industry spending benchmarks.

The correct answer: CN=Francis Smith, OU=Sales, DC=ISC2, DC=org: The best way for Thor to query the LDAP server for a user, Francis Smith, is to use a distinguished name (DN) that includes not just the common name (CN) but also other attributes that will uniquely identify the user within the LDAP directory structure. The DN typically includes the organizational unit (OU), domain components (DC), and other relevant attributes. In this case, specifying the user’s CN, their OU (as a department or group they belong to), and the domain components (representing the company’s domain) will likely provide the needed specificity to retrieve Francis Smith’s user attributes from the LDAP server. The incorrect answers: CN=Francis Smith: While the CN specifies the user’s name, it may not be sufficient if there are multiple entries for that name or if the LDAP directory requires a more fully-qualified DN to uniquely identify the user. UID=fsmith: Although a user ID (UID) is a common attribute in LDAP and could be used as a search query, the UID alone does not constitute a DN. LDAP queries typically require a DN unless the LDAP server is configured for specific search filters or aliases. CN=Francis Smith, DC=ISC2, DC=org: This DN includes the user’s CN and the domain components, but it omits the organizational unit. Including the OU can be crucial for specificity, particularly in larger organizations where the same CN could exist in different OUs.

The correct answer: Software configuration management: The most likely tool Natalie can use to determine which versions of the software components constitute the current product is software configuration management. Software Configuration Management (SCM) involves tracking and controlling changes in the software, part of which includes maintaining the records of what versions of each software component are part of a specific build or release. SCM tools help manage different versions and ensure that the configuration of the product is known and reproducible. The incorrect answers: Bug tracking: Bug tracking tools are used to record, report, and manage bugs within the software development process. While they are an essential part of the development workflow, they do not typically maintain information about which versions of software components are used in the product. Source code repository: A source code repository is where the actual code is stored, and it can be part of an SCM system. However, by itself, it does not necessarily provide the overarching view of which versions of each component are combined to make the current product; that’s the role of SCM. Versioning control: Version control is a component of SCM and refers specifically to the management of changes to documents, computer programs, large websites, and other collections of information. While version control systems are integral to SCM, the term SCM is more encompassing of the task Natalie needs to perform.

The correct answer: High FRR (False Rejection Rate): When deploying biometric access readers for areas labeled as critical security, setting the sensitivity to a high FRR is advisable. A high FRR means that the system is more stringent in its authentication process, leading to a lower chance of false acceptance (FAR), which is paramount in high-security areas. The trade-off with a high FRR is that legitimate users might occasionally be denied access and have to go through additional steps to authenticate, but this is acceptable in environments where security is the top priority. The incorrect answers: High FAR (False Accept Rate): A high FAR is not desirable in any security context, especially not in critical security areas, as it would mean a higher risk of unauthorized access being granted. Low CER (Crossover Error Rate): While a low CER indicates a good balance between FAR and FRR, in high-security areas, the priority is to minimize the chance of unauthorized access, which could mean accepting a higher FRR. Exactly at the CER (Crossover Error Rate): Setting the sensitivity exactly at the CER means equating FAR and FRR rates, which is not the most secure option for critical security areas. The focus should be on minimizing the risk of unauthorized access, typically by accepting a higher FRR.