C725 Practice Test
Which groups typically report to the chief security officer (CSO)? - Security engineering and
operations
A company is considering which controls to buy to protect an asset. What should the price
of the controls be in relation to the cost of the asset? - Less than the annual loss expectancy
An employee uses a secure hashing algorithm for message integrity. The employee sends a
plain text message with the embedded hash to a colleague. A rogue device receives and
retransmits the message to its destination. Once received and checked by the intended
recipient, the hashes do not match.
Which STRIDE concept has been violated? - Tampering
An attacker accesses private emails between the company's CISO and board members. The
attacker then publishes the emails online. Which type of an attack is this, according to the
STRIDE model? - Information disclosure
A system data owner needs to give access to a new employee, so the owner formally
requests that the system administrator create an account and permit the new employee to
use systems necessary to the job. Which type of control does the system administrator use
to grant these permissions? - Access
The chief information security officer (CISO) for an organization knows that the
organization's datacenter lacks the physical controls needed to adequately control access
to sensitive corporate systems. The CEO, CIO, and CFO feel that the current physical access
is within a tolerable risk level, and they agree not to pay for upgrades to the facility.
Which risk management strategy has the senior leadership decided to employ? -
Acceptance
Which phase of the software development life cycle follows system design? - Development
Which question relates to the functional aspect of computer security? - Does the system do
the right things in the right way?
Which action is an example of a loss of information integrity based on the CIA triad? - A
security engineer accidentally scrambles information in a database.
What is included in quantitative risk analysis? - Risk ranking
What is a fundamentally objective concept in determining risk? - Resource costs
, Which domain of the (ISC)² Common Body of Knowledge addresses procedures and tools
that eliminate or reduce the capability to exploit critical information? - Operations Security
Which domain of the (ISC)² Common Body of Knowledge addresses identification,
authentication, authorization, and logging and monitoring techniques and technologies? -
Access Control
Which type of policy establishes a security plan, assigns management responsibilities, and
states an organization's computer security objectives? - Program-level
A company consults a best practices manual from its vendor while deploying a new IT
system. Which type of document does this exemplify? - Guidelines
An organization has all of its offices in several different buildings that are situated on a
large city block. Which type of network is specifically suited to connect these offices to the
organization's network - Campus
A network security engineer is tasked with preparing audit reports for the auditor. The
internal auditor sends the reports to the external auditor who discovers that fraud was
committed and that the network security engineer has falsified the reports. Which security
principle should be used to stop this type of fraud from happening? - Separation of duties
An employee has worked for the same organization for years and still has access to legal
files even though this employee now works in accounting. Which principle has been
violated? - Least privilege
A sales specialist is a normal user of a corporate network. The corporate network uses
subjects, objects, and labels to grant users access. Which access control methodology is the
corporation using? - Mandatory
What is considered a valid method for testing an organization's disaster recovery plan,
according to the Certified Information Systems Security Professional (CISSP)? - Checklist
Who directs policies and procedures that are designed to protect information resources in
an organization? - Information resources security officer
Which topics should be included in employee security training program? - Social
engineering, shoulder surfing, phishing, malware
What is a threat to business operations - Sophisticated hacking tools purchased by a
disgruntled employee
Which statement describes a threat? - Spear fishing attack
Which type of control reduces the effect of an attack? - Corrective
Which groups typically report to the chief security officer (CSO)? - Security engineering and
operations
A company is considering which controls to buy to protect an asset. What should the price
of the controls be in relation to the cost of the asset? - Less than the annual loss expectancy
An employee uses a secure hashing algorithm for message integrity. The employee sends a
plain text message with the embedded hash to a colleague. A rogue device receives and
retransmits the message to its destination. Once received and checked by the intended
recipient, the hashes do not match.
Which STRIDE concept has been violated? - Tampering
An attacker accesses private emails between the company's CISO and board members. The
attacker then publishes the emails online. Which type of an attack is this, according to the
STRIDE model? - Information disclosure
A system data owner needs to give access to a new employee, so the owner formally
requests that the system administrator create an account and permit the new employee to
use systems necessary to the job. Which type of control does the system administrator use
to grant these permissions? - Access
The chief information security officer (CISO) for an organization knows that the
organization's datacenter lacks the physical controls needed to adequately control access
to sensitive corporate systems. The CEO, CIO, and CFO feel that the current physical access
is within a tolerable risk level, and they agree not to pay for upgrades to the facility.
Which risk management strategy has the senior leadership decided to employ? -
Acceptance
Which phase of the software development life cycle follows system design? - Development
Which question relates to the functional aspect of computer security? - Does the system do
the right things in the right way?
Which action is an example of a loss of information integrity based on the CIA triad? - A
security engineer accidentally scrambles information in a database.
What is included in quantitative risk analysis? - Risk ranking
What is a fundamentally objective concept in determining risk? - Resource costs
, Which domain of the (ISC)² Common Body of Knowledge addresses procedures and tools
that eliminate or reduce the capability to exploit critical information? - Operations Security
Which domain of the (ISC)² Common Body of Knowledge addresses identification,
authentication, authorization, and logging and monitoring techniques and technologies? -
Access Control
Which type of policy establishes a security plan, assigns management responsibilities, and
states an organization's computer security objectives? - Program-level
A company consults a best practices manual from its vendor while deploying a new IT
system. Which type of document does this exemplify? - Guidelines
An organization has all of its offices in several different buildings that are situated on a
large city block. Which type of network is specifically suited to connect these offices to the
organization's network - Campus
A network security engineer is tasked with preparing audit reports for the auditor. The
internal auditor sends the reports to the external auditor who discovers that fraud was
committed and that the network security engineer has falsified the reports. Which security
principle should be used to stop this type of fraud from happening? - Separation of duties
An employee has worked for the same organization for years and still has access to legal
files even though this employee now works in accounting. Which principle has been
violated? - Least privilege
A sales specialist is a normal user of a corporate network. The corporate network uses
subjects, objects, and labels to grant users access. Which access control methodology is the
corporation using? - Mandatory
What is considered a valid method for testing an organization's disaster recovery plan,
according to the Certified Information Systems Security Professional (CISSP)? - Checklist
Who directs policies and procedures that are designed to protect information resources in
an organization? - Information resources security officer
Which topics should be included in employee security training program? - Social
engineering, shoulder surfing, phishing, malware
What is a threat to business operations - Sophisticated hacking tools purchased by a
disgruntled employee
Which statement describes a threat? - Spear fishing attack
Which type of control reduces the effect of an attack? - Corrective
