Question 1
The use of encryption and digital signatures helps ensure that what was transmitted is the same as what was received. Which of the following is assured?
Question options:
Confidentiality
Availability
Integrity
Nonrepudiation

Question 2
The concept of "need to know" is most closely associated with which of the following?
Question options:
Authentication
Availability
Confidentiality
Integrity

Question 3
What is the primary goal of business process reengineering?
Question options:
To develop new security policies
To improve business processes
To implement an enterprise resource system
To determine management bonuses

Question 4
An unauthorized user accessed protected network storage and viewed personnel records. What has been lost?
Question options:
Confidentiality
Nonrepudiation
Integrity
Availability

Question 5
What does COBIT stand for?
Question options:
Control Objectives for Information and Related Technology
Common Objects for Information and Technology
Common Objectives for Information and Technology
Control Objects for Information Technology

Question 6
What does "tone at the top" refer to?
Question options:
Policies, in relation to standards, procedures, and guidelines
Confidentiality in the C-I-A triad
Regulatory bodies, in relation to security policies and controls
Company leaders

Question 7
Which of the following types of security controls stops incidents or breaches immediately?
Question options:
Preventive
Corrective
Detective
None of the above

Question 8
An encryption system is an example of which type of security control?
Question options:
Technical
Corrective
Physical
Administrative

Question 9
Security controls fall into three design types: preventive, detective, and:
Question options:
effective.
corrective.
quantitative.
qualitative.

Question 10
Which of the following is not a generally accepted principle for implementing a security awareness program?
Question options:
Competency should be measured.
Remind employees of risks.
Leaders should provide visible support.
None of the above.

Question 11
Of the following compliance laws, which focuses most heavily on personal privacy?
Question options:
FISMA
GLBA
HIPAA
SOX

Question 12
To which sector does HIPAA apply primarily?
Question options:
Financial
None of the above
Communications
Medical

Question 13
Which law was challenged by the American Library Association and the American Civil Liberties Union claiming it violated free speech rights of adults?
Question options:
CIPA
FERPA
HIPAA
GLBA

Question 14
To which sector does the Sarbanes-Oxley Act apply primarily?
Question options:
Medical
Publicly traded companies
Financial
Communications

Question 15
Which compliance law concept states that only the data needed for a transaction should be collected?
Question options:
Public interest
Limited use of personal data
Full disclosure
Opt-in/opt-out

Question 16
You are on the West Coast but want to connect to your company's intranet on the East Coast. You use a program to "tunnel" through the Internet to reach the intranet. Which technology are you using?
Question options:
Role-based access control
Elevated privileges
Virtual private networking
Software as a Service

Question 17
Which of the following is not true of segmented networks?
Question options:
By limiting certain types of traffic to a group of computers, you are eliminating a number of threats.
Switches, routers, internal firewalls, and other devices restrict segmented network traffic.
A flat network has more controls than a segmented network for limiting traffic.
Network segmentation limits what and how computers are able to talk to each other.

Question 18
In which domain is virtual private networking a security control?
Question options:
WAN Domain
Remote Access Domain
Both A and B
Neither A nor B

Question 19
A security policy that addresses data loss protection, or data leakage protection, is an issue primarily in which IT domain?
Question options:
User
Workstation
WAN
System/Application

Question 20
A nurse uses a wireless computer from a patient's room to access real-time patient information from the hospital server. Which domain does this wireless connection fall under?
Question options:
System/Application
User
WAN
LAN

Question 21
Regarding security policies, what is a stakeholder?
Question options:
An individual who has an interest in the success of the security policies
A framework in which security policies are formed
A placeholder in the framework where new policies can be added
Another name for a change request

Question 22
Which personality type tends to be best suited for delivering security awareness training?
Question options:
Pleaser
Performer
Analytical
Commander

Question 23
Which of the following is typically defined as the end user of an application?
Question options:
Data owner
Data manager
Data custodian
Data user

Question 24
Which of the following is not true of auditors?
Question options:
Report to the leaders they are auditing
Are accountable for assessing the design and effectiveness of security policies
Can be internal or external
Offer opinions on how well the policies are being followed and how effective they are

Question 25
In an organization, which of the following roles is responsible for the day-to-day maintenance of data?
Question options:
Data owner
Information security office (ISO)
Compliance officer
Data custodian

Question 26
Which of the following include details of how an IT security program runs, who is responsible for day-to-day work, how training and awareness are conducted, and how compliance is handled?
Question options:
Procedures
Guidelines
Standards
Policies

Question 27
Which of the following are used as benchmarks for audit purposes?
Question options:
Policies
Guidelines
Standards
Procedures

Question 28
What does an IT security policy framework resemble?
Question options:
Narrative document
Cycle diagram
List
Hierarchy or tree

Question 29
Which of the following is not a control area of ISO/IEC 27002, "Information Technology-Security Techniques-Code of Practice for Information Security Management"?
Question options:
Security policy
Risk assessment and treatment
Asset management
Audit and accountability

Question 30
What is included in an IT policy framework?
Question options:
Procedures
Guidelines
Standards
All of the above

Question 31
Which of the following is generally not an objective of a security policy change board?
Question options:
Review requested changes to the policy framework
Coordinate requests for changes
Make and publish approved changes to policies
Assess policies and recommend changes

Question 32
When publishing an internal security policy or standard, which role or department usually gives final approval?
Question options:
Audit and Compliance Manager
Senior Executive
Legal
Human Resources

Question 33
Virus removal and closing a firewall port are examples of which type of security control?
Question options:
Corrective
Recovery
Detective or response
Preventive

Question 34
Fences, security guards, and locked doors are examples of which type of security control?
Question options:
Technical security
None of the above
Administrative
Physical security

Question 35
Which principle for developing policies, standards, baselines, procedures, and guidelines discusses a series of overlapping layers of controls and countermeasures?
Question options:
Multidisciplinary principle
Accountability principle
Proportionality principle
Defense-in-depth principle

Question 36
Who is responsible for data quality within an enterprise?
Question options:
Data steward
Data custodian
CISA
CISO

Question 37
The core requirement of an automated IT security control library is that the information is:
Question options:
alphabetized.
in a numerical sequence.
in PDF format.
searchable.

Question 38
Which security policy framework focuses on concepts, practices, and processes for managing and delivering IT services?
Question options:
ITIL
COBIT
COSO
OCTAVE

Question 39
__________ refers to the degree of risk an organization is willing to accept.
Question options:
Probability
Risk aversion
Risk tolerance
Risk appetite

Question 40
A fundamental component of internal control for high-risk transactions is:
Question options:
a defense in depth.
a separation of duties.
data duplication.
following best practices.
