CISSP Prep Quiz: Domain 1

1. 3. Integrity is protection of data from all of the following EXCEPT:

Unauthorized changes

Accidental changes

Data analysis

Intentional manipulation

Answer c:
Integrity is the protection of system information or processes from intentional or accidental unauthorized changes. Data analysis would usually be associated with confidentiality.

Explanation

Answer c:
Integrity is the protection of system information or processes from intentional or accidental unauthorized changes. Data analysis would usually be associated with confidentiality.

2. 2. Masquerading is:

Attempting to hack a system through backdoors to an operatingsystem or application

Pretending to be an authorized user

Always done through IP spoofing

Applying a subnet mask to an internal IP range

Answer b:
Pretending to be the authorized user.

Explanation

Answer b:
Pretending to be the authorized user.

3. 9. The percentage or degree of damage inflicted on an asset used in the calculation of single loss expectancy can be referred to as:

Exposure Factor (EF)

Annualized Rate of Occurrence (ARO)

Vulnerability

Likelihood

Answer a:
This factor represents a measure of the magnitude of loss or
impact on the value of an asset. It is expressed as a percent, ranging from 0% to 100%, of asset value loss arising from a threat event. This factor is used in the calculation of single loss expectancy (SLE).

Explanation

Answer a:
This factor represents a measure of the magnitude of loss or
impact on the value of an asset. It is expressed as a percent, ranging from 0% to 100%, of asset value loss arising from a threat event. This factor is used in the calculation of single loss expectancy (SLE).

4. 17. A main objective of awareness training is:

Provide understanding of responsibilities

Entertaining the users through creative programs

Overcoming all resistance to security procedures

To be repetitive to ensure accountability

Answer a:
All employees must understand their basic security responsibilities.

Explanation

Answer a:
All employees must understand their basic security responsibilities.

5. 18. What is a primary target of a person employing social engineering?

An individual

A policy

Government agencies

An information system

Answer a:
Social engineering deals with individual dynamics as opposed to group dynamics, as the primary targets are help desks and/or administrative or technical support people.

Explanation

Answer a:
Social engineering deals with individual dynamics as opposed to group dynamics, as the primary targets are help desks and/or administrative or technical support people.

6. 7. In an accounting department, several people are required to complete a financial process. This is most likely an example of:

Segregation of duties

Rotation of duties

Need-to-know

Collusion

Answer a:
No single employee has control of a transaction from beginning to end; two or more people should be responsible for performing it.

Explanation

Answer a:
No single employee has control of a transaction from beginning to end; two or more people should be responsible for performing it.

7. 20. Incident response planning can be instrumental in:

Meeting regulatory requirements

Creating customer loyalty

Reducing the impact of an adverse event on the organization

Ensuring management makes the correct decisions in a crisis

Answer c:
The goals of a well-prepared incident response team are to detect potential information security breaches and provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact to the corporation.

Explanation

Answer c:
The goals of a well-prepared incident response team are to detect potential information security breaches and provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact to the corporation.

8. 4. A security program cannot address which of the following business goals?

Accuracy of information

Change control

User expectations

Prevention of fraud

A security program focuses on protecting an organization's assets, information, and resources from unauthorized access, threats, and vulnerabilities. While user expectations are important for overall user satisfaction and experience, they are not directly addressed by a security program. The other options (A, B, and D) are all aspects that a security program can address to varying degrees.

Explanation

A security program focuses on protecting an organization's assets, information, and resources from unauthorized access, threats, and vulnerabilities. While user expectations are important for overall user satisfaction and experience, they are not directly addressed by a security program. The other options (A, B, and D) are all aspects that a security program can address to varying degrees.

9. 5. In most cases, integrity is enforced through:

Physical security

Logical security

Confidentiality

Access controls

Answer d:
Integrity depends on access controls; therefore, it is necessary to positively and uniquely identify and authorize all persons who attempt access.
Answers a and b are good but not thorough enough on their own — they are portions of a complete access control system.

Explanation

Answer d:
Integrity depends on access controls; therefore, it is necessary to positively and uniquely identify and authorize all persons who attempt access.
Answers a and b are good but not thorough enough on their own — they are portions of a complete access control system.

10. 8. Risk Management is commonly understood as all of the following EXCEPT:

Analyzing and assessing risk

Identifying risk

Accepting or mitigation of risk

Likelihood of a risk occurring

Answer d:
The processes of identifying, analyzing, and assessing, mitigating, or transferring risk is generally characterized as risk management.

Explanation

Answer d:
The processes of identifying, analyzing, and assessing, mitigating, or transferring risk is generally characterized as risk management.

11. 13. Data classification can assist an organization in:

Eliminating regulatory mandates

Lowering accountability of data classifiers

Reducing costs for protecting data

Normalization of databases

Answer c:
Data classification is intended to lower the cost of overprotecting all data.

Explanation

Answer c:
Data classification is intended to lower the cost of overprotecting all data.

12. 10. The absence of a fire-suppression system would be best characterized as a(n):

Exposure

Threat

Vulnerability

Risk

Answer c:
This term characterizes the absence or weakness of a risk-reducing safeguard.

Explanation

Answer c:
This term characterizes the absence or weakness of a risk-reducing safeguard.

13. 16. The role of an information custodian should NOT include:

Restoration of lost or corrupted data

Regular backups of data

Establishing retention periods for data

Ensuring the availability of data

Answer c:
Ensure record retention requirements are met based on the information owner’s analysis.

Explanation

Answer c:
Ensure record retention requirements are met based on the information owner’s analysis.

14. 11. Risk Assessment includes all of the following EXCEPT:

Implementation of effective countermeasures

Ensuring that risk is managed

Analysis of the current state of security in the target environment

Strategic analysis of risk

Answer a:
Fundamental applications of risk assessment to be addressed
include (1) determining the current status of information security in the target environment(s) and ensuring that associated risk is managed (accepted, mitigated, or transferred) according to policy, and (2) assessing risk strategically.

Explanation

Answer a:
Fundamental applications of risk assessment to be addressed
include (1) determining the current status of information security in the target environment(s) and ensuring that associated risk is managed (accepted, mitigated, or transferred) according to policy, and (2) assessing risk strategically.

15. Who “owns” an organization’s data?

Information technology group

Users

Data custodians

Business units

Answer d:
The business units, not IT (information technology), own the
data. Decisions regarding who has what access, what classification the data should be assigned, etc., are decisions that rest solely with the business data owner and based on organization policy.

Explanation

Answer d:
The business units, not IT (information technology), own the
data. Decisions regarding who has what access, what classification the data should be assigned, etc., are decisions that rest solely with the business data owner and based on organization policy.

16. 15. An information security policy does NOT usually include:

Authority for information security department

Guidelines for how to implement policy

Basis for data classification

Recognition of information as an asset of the organization

Answer b:
Policy is written at a very high level and is intended to describe the “whats” of information security. Procedures, standards, baselines, and guidelines are the “hows” for implementation of the policy.

Explanation

Answer b:
Policy is written at a very high level and is intended to describe the “whats” of information security. Procedures, standards, baselines, and guidelines are the “hows” for implementation of the policy.

17. 12. A risk management project may be subject to overlooking certain types of threats. What can assist the risk management team to prevent that?

Automated tools

Adoption of qualitative risk assessment processes

Increased reliance on internal experts for risk assessment

Recalculation of the work factor

Answer a:
The best automated tools currently available include a well researched threat population and associated statistics. Using one of these tools virtually assures that no relevant threat is overlooked.

Explanation

Answer a:
The best automated tools currently available include a well researched threat population and associated statistics. Using one of these tools virtually assures that no relevant threat is overlooked.

18. 19. Social engineering can take many forms EXCEPT:

Dumpster diving

Coercion or intimidation

Sympathy

Eavesdropping

Social engineering is a manipulation tactic used to deceive individuals into divulging confidential information or taking certain actions. While it can involve tactics like dumpster diving (searching through trash for information), coercion, or sympathy, eavesdropping typically refers to the act of secretly listening to conversations, which is a different method of information gathering rather than manipulation.

Explanation

Social engineering is a manipulation tactic used to deceive individuals into divulging confidential information or taking certain actions. While it can involve tactics like dumpster diving (searching through trash for information), coercion, or sympathy, eavesdropping typically refers to the act of secretly listening to conversations, which is a different method of information gathering rather than manipulation.