CISSP O icial (ISC)2 Practice Tests

NEXT

PREV

Chapter 1 Security and Risk Management (Domain 1)

Chapter 3 Security Engineering (Domain 3)

Chapter 2
Asset Security (Domain 2)
1.Angelaisaninformationsecurityarchitectatabankandhasbeen
assignedtoensurethattransactionsaresecureastheytraversethe
network.SherecommendsthatalltransactionsuseTLS.Whatthreatis
shemostlikelyattemptingtostop,andwhatmethodissheusingto
protectagainstit?
1.Maninthemiddle,VPN
2.Packetinjection,encryption
3.Sniffing,encryption
4.Sniffing,TEMPEST

2.COBIT,ControlObjectivesforInformationandRelatedTechnology,isa
frameworkforITmanagementandgovernance.Whichdata
managementroleismostlikelytoselectandapplyCOBITtobalancethe
needforsecuritycontrolsagainstbusinessrequirements?
1.Businessowners
2.Dataprocessors
3.Dataowners
4.Datastewards

3.Whattermisusedtodescribeastartingpointforaminimumsecurity
standard?
1.Outline
2.Baseline
3.Policy
4.Configurationguide

4.Whenmediaislabeledbasedontheclassificationofthedataitcontains,
whatruleistypicallyappliedregardinglabels?
1.Thedataislabeledbasedonitsintegrityrequirements.
2.Themediaislabeledbasedonthehighestclassificationlevelofthedatait
contains.
3.Themediaislabeledwithalllevelsofclassificationofthedatait
contains.
4.Themediaislabeledwiththelowestlevelofclassificationofthedatait
contains.

5.Theneedtoprotectsensitivedatadriveswhatadministrativeprocess?
1.Informationclassification
2.Remanence
3.Transmittingdata
4.Clearing

Enjoy Safari? Subscribe Today

6.Howcanadataretentionpolicyhelptoreduceliabilities?

1.Byensuringthatunneededdataisntretained
2.Byensuringthatincriminatingdataisdestroyed
3.Byensuringthatdataissecurelywipedsoitcannotberestoredforlegal
discovery
4.Byreducingthecostofdatastoragerequiredbylaw

7.StaffinanITdepartmentwhoaredelegatedresponsibilityfordaytoday
tasksholdwhatdatarole?
1.Businessowner
2.User
3.Dataprocessor
4.Custodian

8.SusanworksforanAmericancompanythatconductsbusinesswith
customersintheEuropeanUnion.Whatisshelikelytohavetodoifsheis
responsibleforhandlingPIIfromthosecustomers?
1.Encryptthedataatalltimes.
2.LabelandclassifythedataaccordingtoHIPAA.
3.ConductyearlyassessmentstotheEUDPDbaseline.
4.ComplywiththeUSEUSafeHarborrequirements.

9.Benhasbeentaskedwithidentifyingsecuritycontrolsforsystems
coveredbyhisorganizationsinformationclassificationsystem.Why
mightBenchoosetouseasecuritybaseline?
1.Itappliesinallcircumstances,allowingconsistentsecuritycontrols.
2.Theyareapprovedbyindustrystandardsbodies,preventingliability.
3.Theyprovideagoodstartingpointthatcanbetailoredtoorganizational
needs.
4.Theyensurethatsystemsarealwaysinasecurestate.

10.Whattermisusedtodescribeoverwritingmediatoallowforitsreusein
anenvironmentoperatingatthesamesensitivitylevel?
1.Clearing
2.Erasing
3.Purging
4.Sanitization

11.WhichofthefollowingclassificationlevelsistheUSgovernments
classificationlabelfordatathatcouldcausedamagebutwouldntcause
seriousorgravedamage?
1.TopSecret
2.Secret
3.Confidential
4.Classified

12.Whatissueiscommontosparesectorsandbadsectorsonharddrivesas
wellasoverprovisionedspaceonmodernSSDs?
1.Theycanbeusedtohidedata.
2.Theycanonlybedegaussed.
3.Theyarenotaddressable,resultingindataremanence.
4.Theymaynotbecleared,resultingindataremanence.

13.Whattermdescribesdatathatremainsafterattemptshavebeenmadeto
removethedata?
1.Residualbytes
2.Dataremanence
3.Slackspace
4.Zerofill
Forquestions14,15,and16,pleaserefertothefollowingscenario:
Yourorganizationregularlyhandlesthreetypesofdata:informationthat
itshareswithcustomers,informationthatitusesinternallytoconduct
business,andtradesecretinformationthatofferstheorganization
significantcompetitiveadvantages.Informationsharedwithcustomers

Enjoy Safari? Subscribe Today

isusedandstoredonwebservers,whileboththeinternalbusinessdata

andthetradesecretinformationarestoredoninternalfileserversand
employeeworkstations.

14.Whatciviliandataclassificationsbestfitthisdata?
1.Unclassified,confidential,topsecret
2.Public,sensitive,private
3.Public,sensitive,proprietary
4.Public,confidential,private

15.Whattechniquecouldyouusetomarkyourtradesecretinformationin
caseitwasreleasedorstolenandyouneedtoidentifyit?
1.Classification
2.Symmetricencryption
3.Watermarks
4.Metadata

16.Whattypeofencryptionshouldyouuseonthefileserversforthe
proprietarydata,andhowmightyousecurethedatawhenitisinmotion?
1.TLSatrestandAESinmotion
2.AESatrestandTLSinmotion
3.VPNatrestandTLSinmotion
4.DESatrestandAESinmotion

17.WhatdoeslabelingdataallowaDLPsystemtodo?
1.TheDLPsystemcandetectlabelsandapplyappropriateprotections.
2.TheDLPsystemcanadjustlabelsbasedonchangesintheclassification
scheme.
3.TheDLPsystemcannotifythefirewallthattrafficshouldbeallowed
through.
4.TheDLPsystemcandeleteunlabeleddata.

18.Whyisitcosteffectivetopurchasehighqualitymediatocontainsensitive
data?
1.Expensivemediaislesslikelytofail.
2.Thevalueofthedataoftenfarexceedsthecostofthemedia.
3.Expensivemediaiseasiertoencrypt.
4.Moreexpensivemediatypicallyimprovesdataintegrity.

19.Chrisisresponsibleforworkstationsthroughouthiscompanyandknows
thatsomeofthecompanysworkstationsareusedtohandleproprietary
information.Whichoptionbestdescribeswhatshouldhappenattheend
oftheirlifecycleforworkstationsheisresponsiblefor?
1.Erasing
2.Clearing
3.Sanitization
4.Destruction

20.WhichistheproperorderfromleasttomostsensitiveforUSgovernment
classifications?
1.Confidential,Secret,TopSecret
2.Confidential,Classified,Secret
3.TopSecret,Secret,Classified,Public,Classified,TopSecret
4.Public,Unclassified,Classified,TopSecret

21.Whatscenariodescribesdataatrest?
1.DatainanIPsectunnel
2.Datainanecommercetransaction
3.Datastoredonaharddrive
4.DatastoredinRAM

22.IfyouareselectingasecuritystandardforaWindows10systemthat

Enjoy Safari? Subscribe Today

processescreditcards,whatsecuritystandardisyourbestchoice?

1.MicrosoftsWindows10securitybaseline
2.TheCISWindows10baseline
3.PCIDSS
4.TheNSAWindows10baseline
Usethefollowingscenarioforquestions23,24,and25.
TheCenterforInternetSecurity(CIS)workswithsubjectmatterexperts
fromavarietyofindustriestocreatelistsofsecuritycontrolsfor
operatingsystems,mobiledevices,serversoftware,andnetwork
devices.YourorganizationhasdecidedtousetheCISbenchmarksfor
yoursystems.Answerthefollowingquestionsbasedonthisdecision.

23.TheCISbenchmarksareanexampleofwhatpractice?
1.Conductingariskassessment
2.Implementingdatalabeling
3.Propersystemownership
4.Usingsecuritybaselines

24.AdjustingtheCISbenchmarkstoyourorganizationsmissionandyour
specificITsystemswouldinvolvewhattwoprocesses?
1.Scopingandselection
2.Scopingandtailoring
3.Baseliningandtailoring
4.Tailoringandselection

25.Howshouldyoudeterminewhatcontrolsfromthebaselineagiven
systemorsoftwarepackageshouldreceive?
1.Consultthecustodiansofthedata.
2.Selectbasedonthedataclassificationofthedataitstoresorhandles.
3.Applythesamecontrolstoallsystems.
4.Consultthebusinessowneroftheprocessthesystemordatasupports.

26.WhatproblemwithFTPandTelnetmakesusingSFTPandSSHbetter
alternatives?
1.FTPandTelnetarentinstalledonmanysystems.
2.FTPandTelnetdonotencryptdata.
3.FTPandTelnethaveknownbugsandarenolongermaintained.
4.FTPandTelnetaredifficulttouse,makingSFTPandSSHthepreferred
solution.

27.ThegovernmentdefensecontractorthatSariaworksforhasrecentlyshut
downamajorresearchprojectandisplanningonreusingthehundreds
ofthousandsofdollarsofsystemsanddatastoragetapesusedforthe
projectforotherpurposes.WhenSariareviewsthecompanysinternal
processes,shefindsthatshecantreusethetapesandthatthemanual
saystheyshouldbedestroyed.WhyisntSariaallowedtodegaussand
thenreusethetapestosaveheremployermoney?
1.Datapermanencemaybeanissue.
2.Dataremanenceisaconcern.
3.Thetapesmaysufferfrombitrot.
4.Datafromtapescantbeerasedbydegaussing.

28.Informationmaintainedaboutanindividualthatcanbeusedto
distinguishortracetheiridentityisknownaswhattypeofinformation?
1.Personallyidentifiableinformation(PII)
2.Personalhealthinformation(PHI)
3.SocialSecuritynumber(SSN)
4.Secureidentityinformation(SII)

29.Whatistheprimaryinformationsecurityrisktodataatrest?
1.Improperclassification
2.Databreach
3.Decryption
4.Lossofdataintegrity

Enjoy Safari? Subscribe Today

30.FulldiskencryptionlikeMicrosoftsBitLockerisusedtoprotectdatain
whatstate?
1.Dataintransit
2.Dataatrest
3.Unlabeleddata
4.Labeleddata

31.SuesemployerhasaskedhertouseanIPsecVPNtoconnecttoits
network.WhenSueconnects,whatdoestheIPsecVPNallowhertodo?
1.Senddecrypteddataoverapublicnetworkandactlikesheisonher
employersinternalnetwork.
2.Createaprivateencryptednetworkcarriedviaapublicnetworkandact
likesheisonheremployersinternalnetwork.
3.CreateavirtualprivatenetworkusingTLSwhileonheremployers
internalnetwork.
4.Createatunnelednetworkthatconnectsheremployersnetworktoher
internalhomenetwork.

32.Whatistheprimarypurposeofdataclassification?
1.Itquantifiesthecostofadatabreach.
2.ItprioritizesITexpenditures.
3.Itallowscompliancewithbreachnotificationlaws.
4.Itidentifiesthevalueofthedatatotheorganization.

33.Fredsorganizationallowsdowngradingofsystemsforreuseafter
projectshavebeenfinishedandthesystemshavebeenpurged.What
concernshouldFredraiseaboutthereuseofthesystemsfromhisTop
SecretclassifiedprojectforafutureprojectclassifiedasSecret?
1.TheTopSecretdatamaybecommingledwiththeSecretdata,resultingin
aneedtorelabelthesystem.
2.Thecostofthesanitizationprocessmayexceedthecostofnew
equipment.
3.Thedatamaybeexposedaspartofthesanitizationprocess.
4.TheorganizationsDLPsystemmayflagthenewsystemduetothe
differenceindatalabels.

34.Whichofthefollowingconcernsshouldnotbepartofthedecisionwhen
classifyingdata?
1.Thecosttoclassifythedata
2.Thesensitivityofthedata
3.Theamountofharmthatexposureofthedatacouldcause
4.Thevalueofthedatatotheorganization

35.Whichofthefollowingistheleasteffectivemethodofremovingdatafrom
media?
1.Degaussing
2.Purging
3.Erasing
4.Clearing

36.SafeHarborispartofaUSprogramtomeetwhatEuropeanUnionlaw?
1.TheEUCyberSafeAct
2.TheNetworkandInformationSecurity(NIS)directives
3.TheGeneralDataProtectionRegulation(GDPR)
4.TheEUDataProtectionDirective
Usethefollowingscenariotoanswerquestions37,38,and39.
ThehealthcarecompanythatLaurenworksforhandlesHIPAAdataas
wellasinternalbusinessdata,protectedhealthinformation,anddayto
daybusinesscommunications.Itsinternalpolicyusesthefollowing
requirementsforsecuringHIPAAdataatrestandintransit.

Enjoy Safari? Subscribe Today

Classification

Confidential

HandlingRequirements

Encryptatrestandintransit.

(HIPAA)
Fulldiskencryptionrequiredforall
workstations.
Filescanonlybesentinencryptedform,and
passwordsmustbetransferredunderseparate
cover.
PrinteddocumentsmustbelabeledwithHIPAA
handlingrequired.

Private(PHI)

Encryptatrestandintransit.
PHImustbestoredonsecureservers,and
copiesshouldnotbekeptonlocalworkstations.
Printeddocumentsmustbelabeledwith
Private.

Sensitive

Encryptionisrecommendedbutnotrequired.

(business
confidential)

Public

Informationcanbesentunencrypted.

Usingthetable,answerthefollowingquestions.

37.WhattypeofencryptionwouldbeappropriateforHIPAAdocumentsin
transit?
1.AES256
2.DES
3.TLS
4.SSL

38.LaurensemployerasksLaurentoclassifypatientXraydatathathasan
internalpatientidentifierassociatedwithitbutdoesnothaveanywayto
directlyidentifyapatient.Thecompanysdataownerbelievesthat
exposureofthedatacouldcausedamage(butnotexceptionaldamage)to
theorganization.HowshouldLaurenclassifythedata?
1.Public
2.Sensitive
3.Private
4.Confidential

39.WhattechnologycouldLaurensemployerimplementtohelpprevent
confidentialdatafrombeingemailedoutoftheorganization?
1.DLP
2.IDS
3.Afirewall
4.UDP

40.AUSgovernmentdatabasecontainsSecret,Confidential,andTopSecret
data.Howshoulditbeclassified?
1.TopSecret
2.Confidential
3.Secret
4.Mixedclassification

41.Whattoolisusedtopreventemployeeswholeavefromsharing
proprietaryinformationwiththeirnewemployers?
1.Encryption
2.NDA
3.Classification
4.Purging

Enjoy Safari? Subscribe Today

42.WhatencryptionalgorithmisusedbybothBitLockerandMicrosofts
EncryptingFileSystem?
1.Blowfish
2.Serpent
3.AES
4.3DES

43.Chrisisresponsibleforhisorganizationssecuritystandardsandhas
guidedtheselectionandimplementationofasecuritybaselinefor
WindowsPCsinhisorganization.HowcanChrismosteffectivelymake
surethattheworkstationsheisresponsibleforarebeingcheckedfor
complianceandthatsettingsarebeingappliedasnecessary?
1.Assignuserstospotcheckbaselinecompliance.
2.UseMicrosoftGroupPolicy.
3.Createstartupscriptstoapplypolicyatsystemstart.
4.Periodicallyreviewthebaselineswiththedataownerandsystem
owners.

44.Whattermisusedtodescribeasetofcommonsecurityconfigurations,
oftenprovidedbyathirdparty?
1.Securitypolicy
2.Baseline
3.DSS
4.SP800

45.Whattypeofpolicydescribeshowlongdataisretainedandmaintained
beforedestruction?
1.Classification
2.Audit
3.Recordretention
4.Availability

46.WhichattackhelpeddrivevendorstomoveawayfromSSLtowardTLS
onlybydefault?
1.POODLE
2.Stuxnet
3.BEAST
4.CRIME

47.Whatsecuritymeasurecanprovideanadditionalsecuritycontrolinthe
eventthatbackuptapesarestolenorlost?
1.Keepmultiplecopiesofthetapes.
2.Replacetapemediawithharddrives.
3.Useappropriatesecuritylabels.
4.UseAES256encryption.

48.Joeworksatamajorpharmaceuticalresearchanddevelopmentcompany
andhasbeentaskedwithwritinghisorganizationsdataretentionpolicy.
Aspartofitslegalrequirements,theorganizationmustcomplywiththe
USFoodandDrugAdministrationsCodeofFederalRegulationsTitle21.
Todoso,itisrequiredtoretainrecordswithelectronicsignatures.Why
wouldasignaturebepartofaretentionrequirement?
1.Itensuresthatsomeonehasreviewedthedata.
2.Itprovidesconfidentiality.
3.Itensuresthatthedatahasnotbeenchanged.
4.Itvalidateswhoapprovedthedata.

49.WhatprotocolispreferredoverTelnetforremoteserveradministration
viathecommandline?
1.SCP
2.SFTP
3.WDS
4.SSH

Enjoy Safari? Subscribe Today

50.Whatmethodusesastrongmagneticfieldtoerasemedia?
1.Magwipe
2.Degaussing
3.Sanitization
4.Purging

51.Whatprimaryissuedoespersonnelretentiondealwith?
1.Employeesquitting
2.Employeesnotmovingontonewpositions
3.Knowledgegainedafteremployment
4.Knowledgegainedduringemployment

52.AlexworksforagovernmentagencythatisrequiredtomeetUSfederal
governmentrequirementsfordatasecurity.Tomeettheserequirements,
Alexhasbeentaskedwithmakingsuredataisidentifiablebyits
classificationlevel.WhatshouldAlexdotothedata?
1.Classifythedata.
2.Encryptthedata.
3.Labelthedata.
4.ApplyDRMtothedata.

53.BenisfollowingtheNISTSpecialPublication80088guidelinesfor
sanitizationanddispositionasshowninthefollowingdiagram.Heis
handlinginformationthathisorganizationclassifiedassensitive,which
isamoderatesecuritycategorizationintheNISTmodel.Ifthemediais
goingtobesoldassurplus,whatprocessdoesBenneedtofollow?

1.Destroy,validate,document
2.Clear,purge,document
3.Purge,document,validate
4.Purge,validate,document

54.Whatmethodsareoftenusedtoprotectdataintransit?
1.Telnet,ISDN,UDP
2.Encryptedstoragemedia
3.AES,Serpent,IDEA
4.TLS,VPN,IPsec

55.Whichdataroleisdescribedasthepersonwhohasultimate
organizationalresponsibilityfordata?
1.Systemowners
2.Businessowners
3.Dataowners
4.Missionowners

56.WhatUSgovernmentagencyoverseescompliancewiththeSafeHarbor
frameworkfororganizationswishingtousethepersonaldataofEU
citizens?
1.TheFTC
2.TheFDA

Enjoy Safari? Subscribe Today

3.TheDoD
4.TheDepartmentofCommerce
Forquestions57,58,and59,usethefollowingscenario.
Chrishasrecentlybeenhiredintoaneworganization.Theorganization
thatChrisbelongstousesthefollowingclassificationprocess:
1.Criteriaaresetforclassifyingdata.
2.Dataownersareestablishedforeachtypeofdata.
3.Dataisclassified.
4.Requiredcontrolsareselectedforeachclassification.
5.Baselinesecuritystandardsareselectedfortheorganization.
6.Controlsarescopedandtailored.
7.Controlsareappliedandenforced.
8.Accessisgrantedandmanaged.
Usetheclassificationprocesstoanswerthefollowingquestions.

57.IfChrisisoneofthedataownersfortheorganization,whatstepsinthis
processishemostlikelyresponsiblefor?
1.Heisresponsibleforsteps3,4,and5.
2.Heisresponsibleforsteps1,2,and3.
3.Heisresponsibleforsteps5,6,and7.
4.Allofthestepsarehisdirectresponsibility.

58.Chrismanagesateamofsystemadministrators.Whatdatarolearethey
fulfillingiftheyconductsteps6,7,and8oftheclassificationprocess?
1.Theyaresystemownersandadministrators.
2.Theyareadministratorsandcustodians.
3.Theyaredataownersandadministrators.
4.Theyarecustodiansandusers.

59.IfChrisscompanyoperatesintheEuropeanUnionandhasbeen
contractedtohandlethedataforathirdparty,whatroleishiscompany
operatinginwhenitusesthisprocesstoclassifyandhandledata?
1.Businessowners
2.Missionowners
3.Dataprocessors
4.Dataadministrators

60.WhichofthefollowingisnotapartoftheEuropeanUnionsData
Protectionprinciples?
1.Notice
2.Reason
3.Security
4.Access

61.Benscompany,whichisbasedintheEU,hiresathirdpartyorganization
thatprocessesdataforit.Whohasresponsibilitytoprotecttheprivacyof
thedataandensurethatitisntusedforanythingotherthanitsintended
purpose?
1.Benscompanyisresponsible.
2.Thethirdpartydataprocessorisresponsible.
3.Thedatacontrollerisresponsible.
4.Bothorganizationsbearequalresponsibility.

62.MajorHunter,amemberoftheUSarmedforces,hasbeenentrustedwith
informationthat,ifexposed,couldcauseseriousdamagetonational
security.UnderUSgovernmentclassificationstandards,howshouldthis
databeclassified?
1.Unclassified
2.TopSecret
3.Confidential
4.Secret

Enjoy Safari? Subscribe Today

63.Whenacomputerisremovedfromserviceanddisposedof,theprocess
thatensuresthatallstoragemediahasbeenremovedordestroyedis
knownaswhat?
1.Sanitization
2.Purging
3.Destruction
4.Declassification

64.LinuxsystemsthatusebcryptareusingatoolbasedonwhatDES
alternativeencryptionscheme?
1.3DES
2.AES
3.DiffieHellman
4.Blowfish

65.Susanworksinanorganizationthatlabelsallremovablemediawiththe
classificationlevelofthedataitcontains,includingpublicdata.Why
wouldSusansemployerlabelallmediainsteadoflabelingonlythe
mediathatcontainsdatathatcouldcauseharmifitwasexposed?
1.Itischeapertoorderallprelabeledmedia.
2.Itpreventssensitivemediafromnotbeingmarkedbymistake.
3.Itpreventsreuseofpublicmediaforsensitivedata.
4.LabelingallmediaisrequiredbyHIPAA.

66.DatastoredinRAMisbestcharacterizedaswhattypeofdata?
1.Dataatrest
2.Datainuse
3.Dataintransit
4.Dataatlarge

67.WhatissueisthevalidationportionoftheNISTSP80088sample
certificateofsanitizationintendedtohelpprevent?
1.Destruction
2.Reuse
3.Dataremanence
4.Attribution

68.Whyisdeclassificationrarelychosenasanoptionformediareuse?
1.Purgingissufficientforsensitivedata.
2.Sanitizationisthepreferredmethodofdataremoval.
3.Itismoreexpensivethannewmediaandmaystillfail.
4.Clearingisrequiredfirst.

69.NISTSP80060providesaprocessshowninthefollowingdiagramto
assessinformationsystems.Whatprocessdoesthisdiagramshow?

1.Selectingastandardandimplementingit
2.Categorizingandselectingcontrols
3.Baseliningandselectingcontrols
4.Categorizingandsanitizing
Thefollowingimageshowsatypicalworkstationandserverandtheir
connectionstoeachotherandtheInternet.Usetheimagetoanswer
questions70,71,and72.

Enjoy Safari? Subscribe Today

70.Whichlettersshouldbeassociatedwithdataatrest?
1.A,B,andC
2.CandE
3.AandE
4.B,D,andF

71.WhatwouldbethebestwaytosecuredataatpointsB,D,andF?
1.AES256
2.SSL
3.TLS
4.3DES

72.WhatisthebestwaytosecurefilesthataresentfromworkstationAvia
theInternetservice(C)toremoteserverE?
1.UseAESatrestatpointA,andTLSintransitviaBandD.
2.Encryptthedatafilesandsendthem.
3.Use3DESandTLStoprovidedoublesecurity.
4.UsefulldiskencryptionatAandE,anduseSSLatBandD.

73.Incineration,crushing,shredding,anddisintegrationalldescribewhat
stageinthelifecycleofmedia?
1.Sanitization
2.Degaussing
3.Purging
4.Destruction

74.TheEuropeanUnion(EU)DataProtectionDirectivessevenprinciples
donotincludewhichofthefollowingkeyelements?
1.Theneedtoinformsubjectswhentheirdataisbeingcollected
2.Theneedtosetalimitonhowlongdataisretained
3.Theneedtokeepthedatasecure
4.Theneedtoallowdatasubjectstobeabletoaccessandcorrecttheirdata

75.Whymightanorganizationuseuniquescreenbackgroundsordesignson
workstationsthatdealwithdataofdifferentclassificationlevels?
1.Toindicatethesoftwareversioninuse
2.Topromoteacorporatemessage
3.Topromoteavailability
4.Toindicatetheclassificationlevelofthedataorsystem

76.Charleshasbeenaskedtodowngradethemediausedforstorageof
privatedataforhisorganization.WhatprocessshouldCharlesfollow?
1.Degaussthedrives,andthenrelabelthemwithalowerclassification
level.

Enjoy Safari? Subscribe Today

2.Pulverizethedrives,andthenreclassifythembasedonthedatathey
contain.
3.Followtheorganizationspurgingprocess,andthendowngradeand
replacelabels.
4.Relabelthemedia,andthenfollowtheorganizationspurgingprocessto
ensurethatthemediamatchesthelabel.

77.Whichofthefollowingtasksarenotperformedbyasystemownerper
NISTSP80018?
1.Developsasystemsecurityplan
2.Establishesrulesforappropriateuseandprotectionofdata
3.Identifiesandimplementssecuritycontrols
4.Ensuresthatsystemusersreceiveappropriatesecuritytraining

78.Susanneedstoprovideasetofminimumsecurityrequirementsfor
email.Whatstepsshouldsherecommendforherorganizationtoensure
thattheemailremainssecure?
1.Allemailshouldbeencrypted.
2.Allemailshouldbeencryptedandlabeled.
3.Sensitiveemailshouldbeencryptedandlabeled.
4.Onlyhighlysensitiveemailshouldbeencrypted.

79.Whattermdescribestheprocessofreviewingbaselinesecuritycontrols
andselectingonlythecontrolsthatareappropriatefortheITsystemyou
aretryingtoprotect?
1.Standardcreation
2.CISbenchmarking
3.Baselining
4.Scoping

80.Whatdataroledoesasystemthatisusedtoprocessdatahave?
1.Missionowner
2.Dataowner
3.Dataprocessor
4.Custodian

81.Whichofthefollowingwillbesupercededin2018bytheEuropean
UnionsGeneralDataProtectionRegulation(GDPR)
1.TheEUDataProtectionDirective
2.NISTSP80012
3.TheEUPersonalDataProtectionRegulation
4.COBIT

82.WhattypeofhealthinformationistheHealthInsurancePortabilityand
AccountabilityActrequiredtoprotect?
1.PII
2.PHI
3.SHI
4.HPHI

83.Whatencryptionalgorithmwouldprovidestrongprotectionfordata
storedonaUSBthumbdrive?
1.TLS
2.SHA1
3.AES
4.DES

84.LaurensmultinationalcompanywantstoensurecompliancewiththeEU
DataProtectionDirective.Ifsheallowsdatatobeusedagainstthe
requirementsofthenoticeprincipleandagainstwhatusersselectedin
thechoiceprinciple,whatprinciplehasherorganizationviolated?
1.Onwardtransfer

Enjoy Safari? Subscribe Today

2.Dataintegrity
3.Enforcement

4.Access

85.Whatisthebestmethodtosanitizeasolidstatedrive(SSD)?
1.Clearing
2.Zerofill
3.Disintegration
4.Degaussing
Forquestions86,87,and88,usethefollowingscenario.
Asshowninthefollowingsecuritylifecyclediagram(looselybasedon
theNISTreferencearchitecture),NISTusesafivestepprocessforrisk
management.Usingyourknowledgeofdatarolesandpractices,answer
thefollowingquestionsbasedontheNISTframeworkprocess.

86.Whatdatarolewillownresponsibilityforstep1,thecategorizationof
informationsystems,towhomwilltheydelegatestep2,andwhatdata
rolewillberesponsibleforstep3?
1.Dataowners,systemowners,custodians
2.Dataprocessors,custodians,users
3.Businessowners,administrators,custodians
4.Systemowners,businessowners,administrators

87.Ifthesystemsthatarebeingassessedallhandlecreditcardinformation
(andnoothersensitivedata),atwhatstepwouldthePCIDSSfirstplayan
importantrole?
1.Step1
2.Step2
3.Step3
4.Step4

88.Whatdatasecurityroleisprimarilyresponsibleforstep5?
1.Dataowners
2.Dataprocessors
3.Custodians
4.Users

89.Susansorganizationperformsazerofillonharddrivesbeforetheyare
senttoathirdpartyorganizationtobeshredded.Whatissueisher
organizationattemptingtoavoid?
1.Dataremanencewhileatthethirdpartysite
2.Mishandlingofdrivesbythethirdparty
3.Classificationmistakes
4.Datapermanence

90.Embeddeddatausedtohelpidentifytheownerofafileisanexampleof
whattypeoflabel?
1.Copyrightnotice
2.DLP

Enjoy Safari? Subscribe Today

3.Digitalwatermark
4.Steganography

91.Retainingandmaintaininginformationforaslongasitisneededis
knownaswhat?
1.Datastoragepolicy
2.Datastorage
3.Assetmaintenance
4.Recordretention

92.Whichofthefollowingactivitiesisnotaconsiderationduringdata
classification?
1.Whocanaccessthedata
2.Whattheimpactwouldbeifthedatawaslostorbreached
3.Howmuchthedatacosttocreate
4.Whatprotectionregulationsmayberequiredforthedata

93.Whattypeofencryptionistypicallyusedfordataatrest?
1.Asymmetricencryption
2.Symmetricencryption
3.DES
4.OTP

94.Whichdataroleistaskedwithgrantingappropriateaccesstostaff
members?
1.Dataprocessors
2.Businessowners
3.Custodians
4.Administrators

95.WhichCalifornialawrequiresconspicuouslypostedprivacypolicieson
commercialwebsitesthatcollectthepersonalinformationofCalifornia
residents?
1.ThePersonalInformationProtectionandElectronicDocumentsAct
2.TheCaliforniaOnlinePrivacyProtectionAct
3.CaliforniaOnlineWebPrivacyAct
4.CaliforniaCivilCode1798.82

96.Fredispreparingtosendbackuptapesoffsitetoasecurethirdparty
storagefacility.WhatstepsshouldFredtakebeforesendingthetapesto
thatfacility?
1.Ensurethatthetapesarehandledthesamewaytheoriginalmediawould
behandledbasedontheirclassification.
2.Increasetheclassificationlevelofthetapesbecausetheyareleavingthe
possessionofthecompany.
3.Purgethetapestoensurethatclassifieddataisnotlost.
4.Encryptthetapesincasetheyarelostintransit.

97.Whichofthefollowingdoesnotdescribedatainmotion?
1.Dataonabackuptapethatisbeingshippedtoastoragefacility
2.DatainaTCPpacket
3.Datainanecommercetransaction
4.Datainfilesbeingcopiedbetweenlocations

98.Anewlawispassedthatwouldresultinsignificantfinancialharmto
yourcompanyifthedatathatitcoverswasstolenorinadvertently
released.Whatshouldyourorganizationdoaboutthis?
1.Selectanewsecuritybaseline.
2.Relabelthedata.
3.Encryptallofthedataatrestandintransit.
4.Reviewitsdataclassificationsandclassifythedataappropriately.

99.Edhasbeenaskedtosenddatathathisorganizationclassifiesas
confidentialandproprietaryviaemail.Whatencryptiontechnology
wouldbeappropriatetoensurethatthecontentsofthefilesattachedto

Enjoy Safari? Subscribe Today

theemailremainconfidentialastheytraversetheInternet?

1.SSL
2.TLS
3.PGP
4.VPN

100.Whichmappingcorrectlymatchesdataclassificationsbetween
nongovernmentandgovernmentclassificationschemes?
1.TopSecretConfidential/Proprietary
1.SecretPrivate
2.ConfidentialSensitive
2.SecretBusinessconfidential
1.ClassifedProprietary
2.ConfidentialBusinessInternal
3.TopSecretBusinesssensitive
1.SecretBusinessinternal
2.ConfidentialBusinessproprietary
4.SecretProprietary
1.ClassifiedPrivate
2.UnclassifiedPublic

NEXT

PREV

Recommended
/ Queue
/ History
/ Topics / Tutorials
Settings / Blog / Get the App / Sign Out
Chapter 1 Security
and
Risk Management
(Domain/ 1)
2016 Safari. Terms of Service / Privacy Policy

Enjoy Safari? Subscribe Today

Chapter 3 Security Engineering (Domain 3)