Exam Study Guide 2026/2027 – Complete
Course Review and Practice Q&A Material
Introduction:
This document provides a comprehensive review of core
concepts in information security, including risk management,
security controls, networking standards, legal regulations, and
incident response. It also includes extensive practice questions
and answers covering topics such as the OSI model,
cryptography, business continuity planning, cyberattacks, and
secure software development.
Additionally, the material explores modern practices like cloud
security, microservices architecture, OWASP principles, and
SDLC security, making it highly suitable for final exam
preparation.
Exam Questions and Answers:
Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to
achieve? ---Correct precise answer---Access to a high level of
expertise
Biyu is making arrangements to use a third-party service
provider for security services. She wants to document a
requirement for timely notification of security breaches. What
type of agreement is most likely to contain formal
requirements of this type? ---Correct precise answer---Service
level agreement
Which agreement type is typically less formal than other
agreements and expresses areas of common interest? ---
Correct precise answer---Memorandum of understanding
(MOU)
Karen is designing a process for issuing checks and decides
that one group of users will have the authority to create new
payees in the system while a separate group of users will have
the authority to issue checks to those payees. The intent of this
control is to prevent fraud. Which principle is Karen
enforcing? ---Correct precise answer---Separation of duties
Ann is creating a template for the configuration of Windows
servers in her organization. It includes the basic security
settings that should apply to all systems. What type of
document should she create? ---Correct precise answer---
baseline
Roger's organization received a mass email message that
attempted to trick users into revealing their passwords by
pretending to be a help desk representative. What category of
social engineering is this an example of? ---Correct precise
answer---phishing
Which activity manages the baseline settings for a system or
device? ---Correct precise answer---configuration control
What is the correct order of steps in the change control
process? ---Correct precise answer---Request, impact
assessment, approval, build/test, implement, monitor
Marguerite is creating a budget for a software development
project. What phase of the system life cycle is she
undertaking? ---Correct precise answer---Project initiation
and planning
Bob is preparing to dispose of magnetic media and wishes to
destroy the data stored on it. Which method is NOT a good
approach for destroying data? ---Correct precise answer---
Formatting
In an accreditation process, who has the authority to approve a
system for implementation? ---Correct precise answer---
Authorizing official (AO)
In what type of attack does the attacker send unauthorized
commands directly to a database? ---Correct precise answer---
SQL Injection
In what software development model does activity progress in
a lock-step sequential process where no phase begins until the
previous phase is complete? ---Correct precise answer---
Waterfall
Ricky is reviewing security logs to independently assess
security controls. Which security review process is Ricky
engaging in? ---Correct precise answer---Audit
Christopher is designing a security policy for his organization.
He would like to use an approach that allows a reasonable list
of activities but does not allow other activities. Which