
1. A minimum set of access rights needed to perform a specific job description is: A) Separation of duties B) Need-to-know C) Separation-of-privilege D) Privileged-controls Correct Answer(s): B

2. An organization's security posture should exist before any computers are installed. Select all that are correct! A) guidelines B) sales projections C) procedures D) None of the others are correct E) standards Correct Answer(s): E, A, C

3. ____________ is used to reduce time by grouping users with a common access need. A) ACLD B) RBAC C) MACP D) DACS Correct Answer(s): B

4. Configuration and change management addresses all of the following except: A) Software B) Networking C) Hardware D) Entity users Correct Answer(s): D

5. Redirecting an internet user from a legitimate site to a malicious Web site for the purpose of harvesting user IDs and passwords is referred to as: A) Phishing B) Pharming C) Scamming D) Slamming Correct Answer(s): B

6. An effective security policy contains which of the following information? Select all correct answers. A) Compliance management and measurements description B) Smart Card Requirements C) Measurement expectations D) Reference to other policies Correct Answer(s): D, C, A

7. Configuration and change management controls: A) Ensure that security is not breached when a system crashes B) Protect company resources and assets C) Involve pre-employment screening and mandatory vacation time D) Identify, control, and audit changes by administrative personnel Correct Answer(s): D

8. A program, disguised as a useful utility, that has hidden and malicious functions is known as: A) Worm B) Virus C) Malware D) Trojan horse Correct Answer(s): D

9. As the software development process matures, who is increasingly responsible for safeguarding applications? A) IT directors B) Security administrators C) Software designers D) Network administrators Correct Answer(s): C

10. All of the following are biometric methods of identification except: A) Fingerprint recognition B) Bone scan C) Retina scan D) Face recognition Feedback: See pages 213 and 214. Correct Answer(s): B

11. ____________ policy speaks to specific issues of concern to the organization. A) Programme-level B) Programme-framework C) Issue-specific D) System-specific Correct Answer(s): C

12. Verification of one's identification credential is done with the ____________. A) Information owner B) Discretionary access control C) Access control list D) Authentication credentials Feedback: See page 206. Correct Answer(s): D

13. All of the following are threats by the insider to network use and security except: A) Internet usage B) Use of thumb drives threatens intellectual property. C) Instant messaging D) Built-in email controls Correct Answer(s): D

14. "Thou shalt not use a computer to bear false witness" is an ethics statement included in whose standard? A) ISC2 Code of Ethics B) Code of Fair Information Practices C) Internet Activities Board's Ethics and the Internet D) Computer Ethics Institute Correct Answer(s): D

15. Which of the following is NOT true for Kerberos? A) It is a network authentication protocol B) Users only log in twice for major resources to check for currency and validity C) It uses symmetric-key cryptography D) It is free from MIT Feedback: See page 215. Correct Answer(s): B

16. Programs such as e-mail and discussion groups are contained in which OSI layer in the protocol stack? A) Data Link B) Application C) Network D) Session Correct Answer(s): B

17. Problems associated with passwords include all of the following except: A) Passwords are easily broken B) Passwords might be insecure C) Passwords are inconvenient D) Passwords might be duplicated Feedback: See page 211. Correct Answer(s): D

18. Which of the following is NOT a characteristic of a good intrusion detection system? A) Run continually B) Observe deviations C) Need constant monitoring D) Be fault tolerant Correct Answer(s): C

19. Avoid phishing, ID theft, and monetary loss by taking all of the following steps except: A) Follow advice of financial services provider B) Ignore links embedded in e-mail messages C) Not keeping virus software current D) Recognize the signs of fraud Correct Answer(s): C

20. Which of the following are major categories of physical security threats as defined in the CBK? A) Earth movement B) Both of the above C) Neither of the above D) Weather Correct Answer(s): B

21. Which of the following options would not be considered in a disaster recovery plan or business continuity plan? A) New business B) Multiple centers to spread processing across sites C) Mobile units provided by a third party D) Service bureaus for fast response Correct Answer(s): A

22. Physical security deals with all of the following except: A) Logical systems B) Buildings C) Computer devices D) Computer Rooms Correct Answer(s): A

23. The type of computer crime where attacks are made on a country's computer network for economic or military gain is: A) Information warfare B) Emanation eavesdropping C) Embezzlement D) Rogue code Correct Answer(s): A

24. Step-by-step directions to execute a specific security activity are referred to as a: A) Procedure B) Standard C) Regulation D) Guideline Correct Answer(s): A

25. Which of the following is NOT a reason distributed systems have come into being? A) Increased availability B) Greater versatility C) Improved performance D) Greater security Correct Answer(s): D

26. A Smart Card includes all of the following except: A) Microcontroller B) Printed circuit C) Plastic support D) Biometric control Correct Answer(s): D

27. Virus outbreaks and long passwords prevent users from accessing the systems they need in order to perform their jobs. A) True B) False Correct Answer(s): B

28. Which of the following information is part of an audit trail? A) Description of the audit trail B) User password C) Date of the transaction D) All of the above Correct Answer(s): C

29. Disaster recovery planning includes all of the following except: A) IT systems and applications B) Application data C) Data entry users D) Networks supporting the IT infrastructure Correct Answer(s): C

30. Which of the following are topics of the Physical Security domain? Select all correct answers. A) Physical vulnerabilities and threats B) Physical intrusion detection system C) Electrical power issues and solutions D) Backup options and technologies Correct Answer(s): B, C, A

31. Which of the following is the least effective perimeter security control? A) Fences B) Turnstiles C) Gates D) Mantraps Correct Answer(s): B

32. Protecting data from modification using devices such as firewalls or cryptography is an example of: A) Integrity B) Availability C) Confidentiality D) Complexity Correct Answer(s): A

33. Which of the following is NOT typically a goal of the disaster recovery plan? A) Meeting service-level agreements with customers. B) Leasing new computers C) Keeping computers running D) Being proactive Correct Answer(s): B

34. Cryptographic keys are used to do all of the following except: A) Authenticate the sender B) Keep messages private C) Test the integrity of messages D) Maintain the receiver's privacy Correct Answer(s): D

35. Information security is primarily a discipline to manage the behavior of: A) Organizations and People B) Buildings and Grounds C) Technology and Equipment D) Processes and Procedures Correct Answer(s): A

36. Common media controls include all of the following except: A) Disposition B) Logging C) Marking D) Highlighting Correct Answer(s): D

37. The Common Body of Knowledge with ____________ domains is the framework of the information security field. A) 11 B) 16 C) 15 D) 20 E) 10 F) 6 G) 5 Correct Answer(s): E

38. Given enough time, tools, inclination, and ____________, a hacker can break through any security measure. A) talent B) intelligence C) assets D) skills Correct Answer(s): D

39. Who assigns IP addresses to host computers on the Internet? A) Internet Naming Authority B) Internet Assigned Naming Consortium C) Central Naming Consortium D) Internet Assigned Numbers Authority Correct Answer(s): D

40. Which of the following is NOT a fundamental task in building an information technology system? A) Identify program functions B) Analyze the requirements in detail C) Test the programs individually only D) Understand the requirements of the system Correct Answer(s): C

41. Which of the following are resources that operations security identifies the controls for? A) Software B) Site Selection C) Hardware D) Media E) Perimeter Security Correct Answer(s): A, C, D

42. Which of the following computer incidents/crimes/attacks resulted in the largest dollar loss according to the 2004 Computer Crime and Security Survey? A) Telecom fraud B) Sabotage C) Virus D) Insider net abuse Correct Answer(s): C

43. Synonyms for confidentiality include all of the following except: A) integrity B) secrecy C) privacy D) discretion Correct Answer(s): A

44. ____________ is the message passed through (a) ____________ to become ____________. A) Plaintext, cipher, ciphertext B) Ciphertext, cipher, plaintext C) Cipher, plaintext, ciphertext D) Cipher, ciphertext, plaintext Correct Answer(s): A

45. Which of the following are common hashing functions found with most commercial software? A) MD5 B) PGP C) HASH-2 D) HIO-3 E) SHA-1 Correct Answer(s): E, A

46. Which of the following uses symmetric key or shared secret cryptography? A) ROT B) DES C) RSA D) PGP Correct Answer(s): B

47. Networking professionals who create a plan to protect a computer system consider all of the following in the planning process except: A) Defining the structural composition of data B) Preserving the integrity of data C) Promoting the availability of data for authorized use D) Protecting the confidentiality of data Correct Answer(s): A

48. With nondiscretionary access control in use, the system uses ____________ to determine who gains access to information. A) ACL, objects, information B) Objects, subjects, data C) Programs, MAC D) Subjects, objects, labels Correct Answer(s): D

49. ____________, written by Phil Zimmerman, is used to encrypt documents that can be shared via e-mail over the Internet. A) TLS B) PGP C) SSL D) SET Correct Answer(s): B

50. Operations security process controls include which of the following: A) User recovery controls B) Personnel security C) Privileged entity controls D) Resource protection Correct Answer(s): B, D, C

51. Why would New Orleans possibly not be an ideal site for a data operations center? A) Prevalence of hazardous waste sites B) Lack of a trained work force C) Lack of transportation D) Danger of natural disaster Correct Answer(s): D

52. A(n) ____________ policy might prescribe the need for information security and may delegate the creation and management of the program. A) System-specific B) Issue-specific C) Programme-level D) Programme-framework Correct Answer(s): C

53. The Security Management Practices domain highlights the importance of a comprehensive security plan. A) True B) False Correct Answer(s): A

54. Which of the following was the fastest growing telecommunications system in history? A) Telegraph B) E-Mail C) Telephone D) Internet Correct Answer(s): D

55. After undergoing formal testing and validation a trusted system can meet user's requirements for all of the following except: A) Speed B) Reliability C) Security D) Effectiveness Correct Answer(s): A

56. Which of the following is NOT a well known vendor of antivirus software? A) Adobe B) F-Secure C) Symantec D) Network Associates Correct Answer(s): A

57. Which of the following was NOT a recommendation of the SDLC patch management subgroup? A) Backup and risk mitigation plans included B) DHS set up guidelines for critical infrastructure companies C) Encourage independent software vendors to stay current with security techniques D) Create a security verification/validation program Correct Answer(s): D

58. Which ITSEC assurance class includes a formal specification of security enforcing functions and architectural design? A) E5 B) E3 C) E6 D) E4 Correct Answer(s): C

59. Which of the following are reasons to plan for emergencies? Select all correct answers. A) Protect lives B) Reduce stress C) Maximize disruptions D) Save time and money Correct Answer(s): D, B, A

60. Which of the following is NOT true for PPK cryptography? A) Received messages are from their advertised source B) Messages sent and received arrive intact C) ROT13 is used to derive the public key D) Sent messages can be read only by the intended receiver Correct Answer(s): C

61. Any security system must balance what with security? A) Intrusion B) Convenience C) Scalability D) Convenience Store Access Correct Answer(s): B

62. Which of the following is NOT true for RADIUS? A) The policy can be applied at a single administered network point B) It was used by AOL to authenticate users C) A private tunnel between end points is created D) It uses remote access Dial-In User Service Feedback: See page 220. Correct Answer(s): C

63. Which of the following is a network traffic management device (aka, a layer 3 computer networking device that buffers and forwards data packets across an internetwork toward their destinations)? A) Packet filter B) Server C) Firewall D) Router Correct Answer(s): D

64. Functional requirements and assurance requirements answer which of the following questions? A) Does the system do the right things? B) Does the system do the right things in the right way? C) Both of the above D) None of the above Correct Answer(s): C
