Chapter 9
Practice Test 2

  1. During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

    1. Remove the key from the bucket.
    2. Notify all customers that their data may have been exposed.
    3. Request a new certificate using a new key.
    4. Nothing, because the private key should be accessible for validation.
  2. Which of the following is not a common threat to access control mechanisms?

    1. Fake login pages
    2. Phishing
    3. Dictionary attacks
    4. Man-in-the-middle attacks
  3. Which one of the following would be considered an example of infrastructure as a service cloud computing?

    1. Payroll system managed by a vendor and delivered over the web
    2. Application platform managed by a vendor that runs customer code
    3. Servers provisioned by customers on a vendor-managed virtualization platform
    4. Web-based email service provided by a vendor
  4. Referring to the fire triangle shown here, which one of the following suppression materials attacks a fire by removing the fuel source?

    Diagram shows triangle labeled chemical reaction in center with vertices labeled heat, oxygen, and fuel.

    Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015. Reprinted with permission.

    1. Water
    2. Soda acid
    3. Carbon dioxide
    4. Halon
  5. What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?

    1. Hot site
    2. Warm site
    3. Cold site
    4. Mobile site
  6. The IP address 201.19.7.45 is what type of address?

    1. A public IP address
    2. An RFC 1918 address
    3. An APIPA address
    4. A loopback address
  7. James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?

    1. Out-of-band monitoring
    2. Preventing an unpatched laptop from being exploited immediately after connecting to the network
    3. Denying access when user behavior doesn’t match an authorization matrix
    4. Allowing user access when user behavior is allowed based on an authorization matrix
  8. What process adds a header and a footer to data received at each layer of the OSI model?

    1. Attribution
    2. Encapsulation
    3. TCP wrapping
    4. Data hiding
  9. Which of the following is not one of the four canons of the (ISC)2 code of ethics?

    1. Avoid conflicts of interest that may jeopardize impartiality.
    2. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
    3. Act honorably, honestly, justly, responsibly, and legally.
    4. Provide diligent and competent service to principals.

    For questions 10–13, please refer to the following scenario.

    Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

  10. When the certificate authority (CA) created Renee’s digital certificate, what key was contained within the body of the certificate?

    1. Renee’s public key
    2. Renee’s private key
    3. CA’s public key
    4. CA’s private key
  11. When the certificate authority created Renee’s digital certificate, what key did it use to digitally sign the completed certificate?

    1. Renee’s public key
    2. Renee’s private key
    3. CA’s public key
    4. CA’s private key
  12. When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?

    1. Renee’s public key
    2. Renee’s private key
    3. CA’s public key
    4. CA’s private key
  13. Mike would like to send Renee a private message using the information gained during this exchange. What key should he use to encrypt the message?

    1. Renee’s public key
    2. Renee’s private key
    3. CA’s public key
    4. CA’s private key
  14. Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?

    1. Jim must comply with the information in this document.
    2. The document contains information about forensic examinations.
    3. Jim should read the document thoroughly.
    4. The document is likely based on industry best practices.
  15. Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?

    1. Excessive provisioning
    2. Unauthorized access
    3. Privilege creep
    4. Account review
  16. RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?

    1. Switches
    2. Bridges
    3. Routers
    4. Gateways
  17. If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?

    1. One
    2. Two
    3. Three
    4. Four
  18. What process makes TCP a connection-oriented protocol?

    1. It works via network connections.
    2. It uses a handshake.
    3. It monitors for dropped connections.
    4. It uses a complex header.
  19. What is the goal of the BCP process?

    1. RTO < MTD
    2. MTD < RTO
    3. RPO < MTD
    4. MTD < RPO
  20. Which one of the following is an example of an administrative control?

    1. Intrusion detection system
    2. Security awareness training
    3. Firewalls
    4. Security guards
  21. What level of RAID is also known as disk mirroring?

    1. RAID 0
    2. RAID 1
    3. RAID 5
    4. RAID 10
  22. Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?

    1. SAML
    2. SOAP
    3. SPML
    4. XACML
  23. TCP and UDP both operate at what layer of the OSI model?

    1. Layer 2
    2. Layer 3
    3. Layer 4
    4. Layer 5
  24. Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

    1. Cold site
    2. Warm site
    3. Mutual assistance agreement
    4. Hot site
  25. Which one of the following backup types does not alter the status of the archive bit on a file?

    1. Full backup
    2. Incremental backup
    3. Partial backup
    4. Differential backup
  26. During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?

    1. Reporting
    2. Recovery
    3. Remediation
    4. Lessons Learned
  27. Match each of the numbered services with the lettered network port commonly used by that service. Each item should be used exactly once.

    Service            Network port
    1. DNS             A. TCP port 443
    2. HTTPS           B. TCP port 3389
    3. SSH             C. TCP port 1433
    4. RDP             D. UDP port 53
    5. MSSQL           E. TCP port 22
  28. What type of Windows audit record describes events like an OS shutdown or a service being stopped?

    1. An application log
    2. A security log
    3. A system log
    4. A setup log
  29. During a log review, Karen discovers that the system she needs to gather logs from has the log setting shown here. What problem is Karen likely to encounter?

    Window shows dialog box of log properties with tabs for general (selected) and subscriptions, and options for full name, log path, log size, created, modified, accessed, and maximum log size in KB.

    1. Too much log data will be stored on the system.
    2. The system is automatically purging archived logs.
    3. The logs will not contain the information needed.
    4. The logs will contain only the most recent 20 MB of log data.
  30. Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?

    1. Tampering and information disclosure
    2. Elevation of privilege and tampering
    3. Repudiation and denial of service
    4. Repudiation and tampering
  31. Place the list of disaster recovery test types in order of their potential impact on the business, starting with the least impactful and progressing through the most impactful.

    1. Checklist review
    2. Parallel test
    3. Tabletop exercise
    4. Full interruption test
  32. What type of access control is being used in the following permission listing?

    • Storage Device X
    • User1: Can read, write, list
    • User2: Can read, list
    • User3: Can read, write, list, delete
    • User4: Can list

    1. Resource-based access controls
    2. Role-based access controls
    3. Mandatory access controls
    4. Rule-based access controls
  33. Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

    1. Digitally sign and encrypt all messages to ensure integrity.
    2. Digitally sign but don’t encrypt all messages.
    3. Use TLS to protect messages, ensuring their integrity.
    4. Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.
  34. Which one of the following goals of physical security environments occurs first in the functional order of controls?

    1. Delay
    2. Detection
    3. Deterrence
    4. Denial
  35. Cameron is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and incremental backups on other days of the week at that same time. How many files will be copied in Wednesday’s backup?

    Window shows box labeled file modifications with text such as Monday 8AM - file 1 created, Monday 10AM - file 2 created, Monday 11AM - file 3 created, Monday 4PM - file 1 modified, Monday 5PM - file 4 created, et cetera.

    1. 1
    2. 2
    3. 5
    4. 6
  36. Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

    1. Require users to create unique questions that only they will know.
    2. Require new users to bring their driver’s license or passport in person to the bank.
    3. Use information that both the bank and the user have such as questions pulled from their credit report.
    4. Call the user on their registered phone number to verify that they are who they claim to be.
  37. Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?

    1. Code quality
    2. Service vulnerabilities
    3. Awareness
    4. Attack surface
  38. In the image shown here, what does system B send to system A at step 2 of the three-way TCP handshake?

    Diagram shows computers A and B exchanging three numbered messages: step 1 from A to B, step 2 from B to A, and step 3 from A to B.

    1. SYN
    2. ACK
    3. FIN/ACK
    4. SYN/ACK
  39. Which one of the following is not a valid key length for the Advanced Encryption Standard?

    1. 128 bits
    2. 192 bits
    3. 256 bits
    4. 384 bits
  40. Which one of the following is not a technique used by virus authors to hide the existence of their virus from anti-malware software?

    1. Stealth
    2. Multipartitism
    3. Polymorphism
    4. Encryption

    For questions 41–43, please refer to the following scenario.

    The company that Fred works for is reviewing the security of its company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost.

  41. What security considerations should Fred’s company require for sending sensitive data over the cellular network?

    1. They should use the same requirements as data over any public network.
    2. Cellular provider networks are private networks and should not require special consideration.
    3. Encrypt all traffic to ensure confidentiality.
    4. Require the use of WAP for all data sent from the phone.
  42. Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider’s 4G network while at the conference?

    1. Continue normal usage.
    2. Discontinue all usage; towers can be spoofed.
    3. Only use trusted Wi-Fi networks.
    4. Connect to his company’s encrypted VPN service.
  43. What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail?

    1. The phone has a passcode on it.
    2. The phone cannot contact a network.
    3. The provider has not unlocked the phone.
    4. The phone is in use.
  44. Which one of the following is an example of risk transference?

    1. Building a guard shack
    2. Purchasing insurance
    3. Erecting fences
    4. Relocating facilities
  45. Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle’s security clearance requirements?

    1. Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.
    2. Kyle must have access approval for all information processed by the system.
    3. Kyle must have a valid need to know for all information processed by the system.
    4. Kyle must have a valid security clearance.
  46. Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?

    1. Risk mitigation
    2. Risk transference
    3. Risk avoidance
    4. Risk acceptance
  47. Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?

    1. Entitlement
    2. Aggregation
    3. Transitivity
    4. Isolation
  48. Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

    1. Service-level agreement (SLA)
    2. Operational-level agreement (OLA)
    3. Memorandum of understanding (MOU)
    4. Statement of work (SOW)
  49. Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?

    1. 65,536 TCP ports and 32,768 UDP ports
    2. 1,024 common TCP ports and 32,768 ephemeral UDP ports
    3. 65,536 TCP and 65,536 UDP ports
    4. 16,384 TCP ports and 16,384 UDP ports
  50. Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?

    1. Privilege creep
    2. Rights collision
    3. Least privilege
    4. Excessive privileges
  51. Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?

    1. A crystal-box penetration test
    2. A gray-box penetration test
    3. A black-box penetration test
    4. A white-box penetration test
  52. Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?

    1. A capability table
    2. An access control list
    3. An access control matrix
    4. A subject/object rights management system
  53. A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?

    1. PaaS
    2. IDaaS
    3. IaaS
    4. SaaS
  54. What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?

    1. Revocation of certification
    2. Termination of employment
    3. Financial penalty
    4. Suspension of certification
  55. Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?

    1. 1
    2. 2
    3. 3
    4. 6
  56. What UDP port is typically used by the syslog service?

    1. 443
    2. 514
    3. 515
    4. 445
  57. During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?

    1. Checklist review
    2. Full interruption test
    3. Parallel test
    4. Tabletop exercise
  58. Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?

    1. Policy
    2. Standard
    3. Guideline
    4. Procedure
  59. Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?

    1. Hot site
    2. Warm site
    3. Cold site
    4. Red site
  60. Which one of the following statements about malware is correct?

    1. Malware authors do not target Macintosh or Linux systems.
    2. The most reliable way to detect known malware is watching for unusual system activity.
    3. Signature detection is the most effective technique to combat known malware.
    4. APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.
  61. Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?

    1. Unit testing
    2. White box
    3. Regression testing
    4. Black box
  62. Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?

    1. Heartbeat sensor
    2. Emanation security
    3. Motion detector
    4. Faraday cage
  63. Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?

    1. Stealth virus
    2. Polymorphic virus
    3. Multipartite virus
    4. Encrypted virus
  64. Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?

    1. Internal auditors
    2. Penetration testers
    3. External auditors
    4. Employees who design, implement, and monitor the controls
  65. In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources?

    1. Guest machine
    2. SDN
    3. Kernel
    4. Hypervisor
  66. Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

    1. PKI
    2. Federation
    3. Single sign-on
    4. Provisioning
  67. Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?

    1. ASLR
    2. Sandboxing
    3. Clipping
    4. Process isolation
  68. What type of attack would the following precautions help prevent?

    • Requesting proof of identity
    • Requiring callback authorizations on voice-only requests
    • Not changing passwords via voice communications

    1. DoS attacks
    2. Worms
    3. Social engineering
    4. Shoulder surfing
  69. Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?

    1. Servers
    2. SCADA
    3. Mobile devices
    4. Internet of Things (IoT) devices
  70. What type of risk assessment uses tools such as the one shown here?

    Graph shows impact versus probability, with four boxes drawn in the quadrants labeled moderate risk, high risk, low risk, and moderate risk.

    1. Quantitative
    2. Loss expectancy
    3. Financial
    4. Qualitative
  71. Ben has written the password hashing system for the web application he is building. His password hashing function produces the following results for a series of passwords:

    hash(password1 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = 10B222970537B97919DB36EC757370D2
    hash(password2 + 07C98BFE4CF67B0BFE2643B5B22E2D7D) = F1F16683F3E0208131B46D37A79C8921

    What flaw has Ben introduced with his hashing implementation?

    1. Plaintext salting
    2. Salt reuse
    3. Use of a short salt
    4. Poor salt algorithm selection
  72. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

    1. Password
    2. Retinal scan
    3. Username
    4. Token
  73. Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?

    1. Separation of duties
    2. Two-person control
    3. Least privilege
    4. Job rotation
  74. NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

    • Many log sources
    • Inconsistent log content
    • Inconsistent timestamps
    • Inconsistent log formats

    Which of the following solutions is best suited to solving these issues?

    1. Implement SNMP for all logging devices.
    2. Implement a SIEM.
    3. Standardize on the Windows event log format for all devices and use NTP.
    4. Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.
  75. Which one of the following components should be included in an organization’s emergency response guidelines?

    1. Secondary response procedures for first responders
    2. Long-term business continuity protocols
    3. Activation procedures for the organization’s cold sites
    4. Contact information for ordering equipment
  76. Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?

    Diagram shows back of sample card with columns for sex and date of birth on left and description on right below black strip on top.

    1. Smart card
    2. Phase-two card
    3. Proximity card
    4. Magnetic stripe card
  77. Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

    1. Repudiation
    2. Information disclosure
    3. Tampering
    4. Elevation of privilege
  78. After scanning all the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?

    1. Retire or replace the device.
    2. Isolate the device on a dedicated wireless network.
    3. Install a firewall on the tablet.
    4. Reinstall the OS.
  79. What type of access control scheme is shown in the following table?

    Highly Sensitive   Red      Blue     Green
    Confidential       Purple   Orange   Yellow
    Internal Use       Black    Gray     White
    Public             Clear    Clear    Clear

    1. RBAC
    2. DAC
    3. MAC
    4. TBAC
  80. Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?

    1. SaaS
    2. PaaS
    3. IaaS
    4. CaaS
  81. During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?

    1. A brute-force attack
    2. A pass-the-hash attack
    3. A rainbow table attack
    4. A salt recovery attack
  82. Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?

    1. Antivirus
    2. Whitelist
    3. Blacklist
    4. Heuristic
  83. Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing?

    1. Two-person control
    2. Least privilege
    3. Separation of duties
    4. Job rotation
  84. IP addresses like 10.10.10.10 and 172.19.24.21 are both examples of what type of IP address?

    1. Public IP addresses
    2. Prohibited IP addresses
    3. Private IP addresses
    4. Class B IP ranges
  85. Fran’s company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran’s company considering?

    1. SaaS
    2. IaaS
    3. CaaS
    4. PaaS
  86. Match each of the numbered cable types with exactly one of the lettered maximum cable lengths.

    Cable type           Maximum length
    1. Category 5e       A. 500 feet
    2. Coaxial (RG-58)   B. 300 feet
    3. Fiber optic       C. 1+ kilometers
  87. Which component of IPsec provides authentication, integrity, and nonrepudiation?

    1. L2TP
    2. Encapsulating Security Payload
    3. Encryption Security Header
    4. Authentication Header
  88. Alex’s job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?

    1. Separation of duties
    2. Constrained interfaces
    3. Context-dependent control
    4. Need to know
  89. Which one of the following investigation types has the loosest standards for collecting and preserving information?

    1. Civil investigation
    2. Operational investigation
    3. Criminal investigation
    4. Regulatory investigation
  90. Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows uppercase and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?

    1. 26 times more complex
    2. 62 times more complex
    3. 36 times more complex
    4. 2^62 times more complex
  91. Purchasing insurance is a form of what type of risk response?

    1. Transfer
    2. Avoid
    3. Mitigate
    4. Accept
  92. Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?

    1. MTD
    2. RTO
    3. RPO
    4. MTO
  93. Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

    1. Retina scans can reveal information about medical conditions.
    2. Retina scans are painful because they require a puff of air in the user’s eye.
    3. Retina scanners are the most expensive type of biometric device.
    4. Retina scanners have a high false positive rate and will cause support issues.
  94. What is the best way to ensure email confidentiality in motion?

    1. Use TLS between the client and server.
    2. Use SSL between the client and server.
    3. Encrypt the email content.
    4. Use a digital signature.
  95. What layer of the OSI model is associated with datagrams?

    1. Session
    2. Transport
    3. Network
    4. Data Link
  96. What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?

    1. Authenticated scans
    2. Web application scans
    3. Unauthenticated scans
    4. Port scans
  97. What term is used to describe a starting point for a minimum security standard?

    1. Outline
    2. Baseline
    3. Policy
    4. Configuration guide
  98. Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?

    1. Data in transit
    2. Data at rest
    3. Unlabeled data
    4. Labeled data
  99. Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate?

    1. Need to know
    2. Separation of duties
    3. Least privilege
    4. Job rotation
  100. Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack?

    1. A data stream
    2. A frame
    3. A segment
    4. A datagram
  101. What type of forensic investigation typically has the highest evidentiary standards?

    1. Administrative
    2. Criminal
    3. Civil
    4. Industry
  102. Lauren’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?

    1. Protected health information
    2. Personally identifiable information
    3. Protected health insurance
    4. Individual protected data
  103. In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?

    1. 10Base2
    2. 100BaseT
    3. 1000BaseT
    4. Fiber-optic
  104. What type of penetration testing provides detail on the scope of a penetration test—including items like what systems would be targeted—but does not provide full visibility into the configuration or other details of the systems or networks the penetration tester must test?

    1. Crystal box
    2. White box
    3. Black box
    4. Gray box
  105. You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

    1. SOC 1
    2. FISMA
    3. PCI DSS
    4. SOC 2
  106. Which of the following types of controls does not describe a mantrap?

    1. Deterrent
    2. Preventive
    3. Compensating
    4. Physical
  107. Match each one of the numbered protocols with the most accurate lettered description. Use each answer exactly once.

    Protocols
    1. TCP
    2. UDP
    3. DNS
    4. ARP

    Descriptions
    A. Performs translations between MAC addresses and IP addresses
    B. Performs translations between FQDNs and IP addresses
    C. Transports data over a network in a connection-oriented fashion
    D. Transports data over a network in a connectionless fashion
  108. What should be true for salts used in password hashes?

    1. A single salt should be set so passwords can be de-hashed as needed.
    2. A single salt should be used so the original salt can be used to check passwords against their hash.
    3. Unique salts should be stored for each user.
    4. Unique salts should be created every time a user logs in.
  109. STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?

    1. Vulnerability assessment
    2. Misuse case testing
    3. Threat categorization
    4. Penetration test planning
  110. Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?

    1. Implement intrusion detection and prevention systems.
    2. Maintain current patch levels on all operating systems and applications.
    3. Remove unnecessary accounts and services.
    4. Conduct forensic imaging of all systems.
  111. You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ___________.

    1. Likelihood
    2. History
    3. Impact
    4. Cost
  112. Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure that his data remains secure. What protocol should he choose?

    1. SSH
    2. TCP
    3. SFTP
    4. IPsec
  113. Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof?

    1. Civil investigation
    2. Criminal investigation
    3. Operational investigation
    4. Regulatory investigation
  114. Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?

    1. Full interruption test
    2. Parallel test
    3. Tabletop exercise
    4. Checklist review
  115. Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate, and place of birth, as well as a variety of other information. What is this information known as?

    1. PHI
    2. PII
    3. Personal protected data
    4. PID
  116. Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue?

    1. Tampering and Information Disclosure
    2. Spoofing and Tampering
    3. Tampering and Repudiation
    4. Information Disclosure and Elevation of Privilege
  117. Tamara recently decided to purchase cyber-liability insurance to cover her company’s costs in the event of a data breach. What risk management strategy is she pursuing?

    1. Risk acceptance
    2. Risk mitigation
    3. Risk transference
    4. Risk avoidance
  118. Referring to the figure shown here, what is the name of the security control indicated by the arrow?

    Diagram shows house placed in enclosed area with security block on left and gate on right.

    1. Mantrap
    2. Intrusion prevention system
    3. Turnstile
    4. Portal
  119. Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?

    1. AV
    2. SSL
    3. RTO
    4. MTO
  120. Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?

    1. 50 meters
    2. 100 meters
    3. 200 meters
    4. 300 meters
  121. What type of alternate processing facility includes all of the hardware and data necessary to restore operations in a matter of minutes or seconds?

    1. Hot site
    2. Warm site
    3. Cold site
    4. Mobile site

    For questions 122–124, please refer to the following scenario.

    The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack.

    Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.

    Diagram shows Internet connected to business partner, cloud e-commerce application, and corporate secure border. Corporate secure border leads to internal network, which leads to employee workstations, active directory, CRM, and database.
  122. If availability of authentication services is the organization’s biggest priority, what type of identity platform should Ben recommend?

    1. On-site
    2. Cloud-based
    3. Hybrid
    4. Outsourced
  123. If Ben needs to share identity information with the business partner shown, what should he investigate?

    1. Single sign-on
    2. Multifactor authentication
    3. Federation
    4. IDaaS
  124. What technology is likely to be involved when Ben’s organization needs to provide authentication and authorization assertions to their cloud e-commerce application?

    1. Active Directory
    2. SAML
    3. RADIUS
    4. SPML
  125. Norm is configuring an RSA cryptosystem for use within his organization and is selecting the key lengths that he will support. Which one of the following key lengths is not both supported by the RSA algorithm and generally considered secure?

    1. 512 bits
    2. 1,024 bits
    3. 2,048 bits
    4. 4,096 bits