IAS FINAL EXAM – COMPREHENSIVE QUESTIONS

Pages: 35
Grade: A+
Uploaded on: 05-09-2024
Written in: 2024/2025

Institution: IAS
Course: IAS

What measures the average amount of time between failures for a particular system?
A. Uptime
B. Recovery time objective (RTO)
C. Mean time to failure (MTTF)
D. Mean time to repair (MTTR) - Answers -C. Mean time to failure (MTTF)

Remote access security controls help to ensure that the user connecting to an
organization's network is who the user claims to be. A username is commonly used for
_______, whereas a biometric scan could be used for _______.
A. identification, authentication
B. authorization, accountability
C. identification, authorization
D. authentication, authorization - Answers -A. identification, authentication

A brute-force password attack and the theft of a mobile worker's laptop are risks most
likely found in which domain of a typical IT infrastructure?
A. Local Area Network (LAN) Domain
B. Workstation Domain
C. Remote Access Domain
D. User Domain - Answers -C. Remote Access Domain

In which domain of a typical IT infrastructure is the first layer of defense for a layered
security strategy?
A. Workstation Domain
B. Local Area Network (LAN) Domain
C. User Domain
D. System/Application Domain - Answers -C. User Domain

Rachel is investigating an information security incident that took place at the high school
where she works. She suspects that students may have broken into the student records
system and altered their grades. If that is correct, which one of the tenets of information
security did this attack violate?
A. Integrity
B. Nonrepudiation
C. Confidentiality
D. Availability - Answers -A. Integrity

Which network device is designed to block network connections that are identified as
potentially malicious?
A. Intrusion detection system (IDS)
B. Intrusion prevention system (IPS)
C. Router
D. Web server - Answers -B. Intrusion prevention system (IPS)

Which security control is most helpful in protecting against eavesdropping on wide area
network (WAN) transmissions?
A. Deploying an intrusion detection system/intrusion prevention system (IDS/IPS)
B. Applying filters on exterior Internet Protocol (IP) stateful firewalls
C. Encrypting transmissions with virtual private networks (VPNs)
D. Blocking Transmission Control Protocol (TCP) synchronize (SYN) open connections
- Answers -C. Encrypting transmissions with virtual private networks (VPNs)

What is a U.S. federal government classification level that applies to information that
would cause serious damage to national security if it were disclosed?
A. Top secret
B. Confidential
C. Secret
D. Private - Answers -C. Secret

What is a primary risk to the Workstation Domain, the Local Area Network (LAN)
Domain, and the System/Application Domain?
A. Unauthorized network probing and port scanning
B. Unauthorized access to systems
C. Downtime of IT systems for an extended period after a disaster
D. Mobile worker token or other authentication stolen - Answers -B. Unauthorized
access to systems

Which term describes the level of exposure to some event that has an effect on an
asset, usually the likelihood that something bad will happen to an asset?
A. Threat
B. Countermeasure
C. Risk
D. Vulnerability - Answers -C. Risk

Which compliance obligation includes security requirements that apply specifically to the
European Union?
A. Gramm-Leach-Bliley Act (GLBA)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. Federal Information Security Management Act (FISMA) - Answers -C. General Data
Protection Regulation (GDPR)

In Mobile IP, what term describes a device that would like to communicate with a mobile
node (MN)?
A. Correspondent node (CN)
B. Foreign agent (FA)
C. Home agent (HA)
D. Care of address (COA) - Answers -A. Correspondent node (CN)

Which of the following enables businesses to transform themselves into an Internet of
Things (IoT) service offering?
A. Store-and-forward communications
B. Remote sensoring
C. Real-time tracking and monitoring
D. Anything as a Service (AaaS) delivery model - Answers -D. Anything as a Service
(AaaS) delivery model

Which of the following is an example of a business-to-consumer (B2C) application of the
Internet of Things (IoT)?
A. Video conferencing
B. Traffic monitoring
C. Health monitoring
D. Infrastructure monitoring - Answers -C. Health monitoring

Which of the following is an example of a direct cost that might result from a business
disruption?
A. Lost market share
B. Damaged reputation
C. Facility repair
D. Lost customers - Answers -C. Facility repair

What is the main purpose of risk identification in an organization?
A. To create a disaster recovery plan (DRP)
B. To create a business continuity plan (BCP)
C. To understand threats to critical resources
D. To make the organization's personnel aware of existing risk - Answers -D. To make
the organization's personnel aware of existing risk

What is not a commonly used endpoint security technique?
A. Full device encryption
B. Network firewall
C. Application control
D. Remote wiping - Answers -B. Network firewall

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will
handle credit card transactions. Which one of the following governs the privacy of
information handled by those point-of-sale terminals?
A. Health Insurance Portability and Accountability Act (HIPAA)
B. Payment Card Industry Data Security Standard (PCI DSS)
C. Federal Information Security Management Act (FISMA)
D. Federal Financial Institutions Examination Council (FFIEC) - Answers -B. Payment
Card Industry Data Security Standard (PCI DSS)

Aditya recently assumed an information security role for a financial institution located in
the United States. He is tasked with assessing the institution's risk profile and
cybersecurity maturity level. What compliance regulation applies specifically to Aditya's
institution?
A. FFIEC
B. FISMA
C. PCI DSS
D. HIPAA - Answers -A. FFIEC

What is the first priority when responding to a disaster recovery effort?
A. Ensuring that everyone is safe
B. Determining the cause of the event
C. Communicating with all affected parties
D. Following the disaster recovery plan (DRP) - Answers -A. Ensuring that everyone is
safe

Which of the following is not true of gap analysis?
A. One important aspect of a gap analysis is determining the cause of the gap.
B. The difference between the security controls that are in place and the controls that
are necessary to address all vulnerabilities is called the security gap.
C. A gap analysis can be performed only through a formal investigation.
D. Threats that you do not address through at least one control indicate gaps in the
security. - Answers -C. A gap analysis can be performed only through a formal
investigation.

As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster
recovery tests. These tests should include role-playing and introduce as much realism
as possible without affecting live operations. What type of test should Isabella conduct?
A. Parallel test
B. Structured walk-through
C. Checklist test
D. Simulation test - Answers -D. Simulation test

What firewall approach is shown in the figure, assuming the firewall has three network
cards?
A. Screened subnet
B. Bastion host
C. Unified threat management
D. Border firewall - Answers -A. Screened subnet

What network port number is used for unencrypted web-based communication by
default?
A. 3389
B. 443
C. 80
D. 143 - Answers -C. 80
