(ISC)2 Practice Exam 2 Questions and Answers
When an attacker has obtained our sensitive data and chooses to disclose it on a website, which leg of the CIA triad would be MOST affected? - ANSWER-Confidentiality.
When we use single-use passwords and one-time pads, we are using which type of authentication? - ANSWER-Something you have.
Who would determine the risk appetite of our organization? - ANSWER-Senior management.
In IT security, when we refer to something as an event, what does that mean? - ANSWER-Something changed, neither negative nor positive.
We are discussing our risk responses and we are considering not issuing our employees laptops. What type of risk response would that be? - ANSWER-Risk avoidance.
We are looking at our risk responses. We are considering buying insurance to cover the gaps we have. Which type of response would that be? - ANSWER-Risk transference.
Which of these describes Type 1 authentication? - ANSWER-Something you know.
When we have our users hold their employee ID cards close to a reader, we are using which technology? - ANSWER-Contactless cards.
Which of these is an example of a detective access control type? - ANSWER-Alarms.
When we give our employees their annual corporate security training, which type of control is that? - ANSWER-Administrative control.
In our access management, we would NEVER want to use group user accounts. Why is that? - ANSWER-No accountability.
When we are talking about the governance part of our organization, who are we referring to? - ANSWER-Senior management.
In our organization we have a lot of policies, procedures, standards, and guidelines we use to make our decisions. Which of them is non-mandatory? - ANSWER-Guidelines.
Looking at our information security governance, who would approve and sign off on our policies? - ANSWER-Senior management.
After a disaster at our primary site, we are restoring functionality at our Disaster Recovery (DR) site. Which applications would we get up and running LAST? - ANSWER-Least critical.
When would be a time we should update our Business Continuity Plan (BCP) and its sub-plans outside of our annual cycle? - ANSWER-We had a disaster and we had a lot of gaps in our plans.
We have updated our old Business Continuity Plan (BCP) and the new one is approved and ready. What should we do next? - ANSWER-Distribute the new ones and destroy the old ones.
As part of our Business Continuity Plan (BCP) and its sub-plans we want to ensure we are redundant. Which of these is something we want to be redundant on? - ANSWER-People. Internet connections. Power. All of these.
Which sub-plan would we look at in our Business Continuity Plan (BCP) for dealing with the press and alerting employees about disasters? - ANSWER-Crisis Communications Plan (CCP).
When should we update our Business Continuity Plan (BCP) and its sub-plans outside of our annual cycle? - ANSWER-We changed major components of our systems (new backup solution, new IP scheme).
Our main facility has been hit with a complete power outage and we need to set up a temporary command and control center. What would we be deploying? - ANSWER-Emergency Operations Center (EOC).
Within our organization, it is important that we have a layered defense strategy. Which of these would be an example of a recovery access control? - ANSWER-Backups.
When we list the Minimum Operating Requirements (MOR) for a system in our business impact analysis (BIA), what should it contain? - ANSWER-Minimum specs for the system to function.
As part of our disaster recovery planning, we are looking at an alternate site. We would want it to take us somewhere between 4 hours and 2-3 days to be back up and operating on critical applications. Which type of Disaster Recovery site are we considering? - ANSWER-Warm site.
We need to physically store sensitive data in a secure way. Which of these could be an option that can easily be hidden? - ANSWER-Wall safe.