Читать книгу (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests - Mike Chapple - Страница 9

THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

 Domain 1.0: Security Operations and Administration1.1 Comply with codes of ethics(ISC)2 Code of EthicsOrganizational code of ethics1.2 Understand security conceptsConfidentialityIntegrityAvailabilityAccountabilityPrivacyNon-repudiationLeast privilegeSegregation of duties (SoD)1.3 Identify and implement security controlsTechnical controls (e.g., session timeout, password aging)Physical controls (e.g., mantraps, cameras, locks)Administrative controls (e.g., security policies, standards, procedures, baselines)Assessing compliancePeriodic audit and review1.4 Document and maintain functional security controlsDeterrent controlsPreventative controlsDetective controlsCorrective controlsCompensating controls1.5 Participate in asset management lifecycle (hardware, software, and data)Process, planning, design, and initiationDevelopment/AcquisitionInventory and licensingImplementation/AssessmentOperation/MaintenanceArchiving and retention requirementsDisposal and destruction1.6 Participate in change management lifecycleChange management (e.g., roles, responsibilities, processes)Security impact analysisConfiguration management (CM)1.7 Participate in implementing security awareness and training (e.g., social engineering/phishing)1.8 Collaborate with physical security operations (e.g., data center assessment, badging)

1 Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation?Street addressesItem codesMobile phone numbersSocial Security numbers

2 Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns?Firewall rulesPolicy documentsSecurity standardsPeriodic audits

3 Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance?Organizational code of ethics(ISC)2 code of ethicsOrganizational security policy(ISC)2 security policy

4 Which one of the following is an administrative control that can protect the confidentiality of information?EncryptionNondisclosure agreementFirewallFault tolerance

5 Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?His supply chainHis vendor contractsHis post-purchase build processThe original equipment manufacturer (OEM)

6 The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code?Protect society, the common good, the necessary public trust and confidence, and the infrastructure.Disclose breaches of privacy, trust, and ethics.Provide diligent and competent service to the principles.Advance and protect the profession.

7 Which one of the following control categories does not accurately describe a fence around a facility?PhysicalDetectiveDeterrentPreventive

8 Which one of the following actions might be taken as part of a business continuity plan?Restoring from backup tapesImplementing RAIDRelocating to a cold siteRestarting business operations

9 Which one of the following is an example of physical infrastructure hardening?Antivirus softwareHardware-based network firewallTwo-factor authenticationFire suppression system

10 Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?AvailabilityConfidentialityDisclosureDistributed

11 The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?Mandatory vacationSeparation of dutiesDefense in depthJob rotation

12 Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?IntegrityAvailabilityConfidentialityDenial

For questions 13–15, please refer to the following scenario.

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization’s security.

1 Users in the two offices would like to access each other’s file servers over the Internet. What control would provide confidentiality for those communications?Digital signaturesVirtual private networkVirtual LANDigital content management

2 You are also concerned about the availability of data stored on each office’s server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What integrity control allows you to add robustness without adding additional servers?Server clusteringLoad balancingRAIDScheduled backups

3 Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?HashingACLsRead-only attributesFirewalls

4 An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?Separation of dutiesLeast privilegeDefense in depthMandatory vacation

5 Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?PolicyBaselineGuidelineProcedure

6 Frank discovers a keylogger hidden on the laptop of his company’s chief executive officer. What information security principle is the keylogger most likely designed to disrupt?ConfidentialityIntegrityAvailabilityDenial

7 Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce?AvailabilityDenialConfidentialityIntegrity

8 Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?DenialConfidentialityIntegrityAvailability

9 Which one of the following is not an example of a technical control?Session timeoutPassword agingEncryptionData classification

For questions 22–25, please refer to the following scenario.

Jasper Diamonds is a jewelry manufacturer that markets and sells custom jewelry through their website. Bethany is the manager of Jasper’s software development organization, and she is working to bring the company into line with industry standard practices. She is developing a new change management process for the organization and wants to follow commonly accepted approaches.

1 Jasper would like to establish a governing body for the organization’s change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes?Chief information officerSenior leadership teamChange control boardSoftware developer

2 During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness?RecordingAnalysis/Impact AssessmentApprovalDecision Making and Prioritization

3 Who should the organization appoint to manage the policies and procedures surrounding change management?Project managerChange managerSystem security officerArchitect

4 Which one of the following elements is not a crucial component of a change request?Description of the changeImplementation planBackout planIncident response plan

5 Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?AuthenticationAuthorizationIntegrityNonrepudiation

6 What principle of information security states that an organization should implement overlapping security controls whenever possible?Least privilegeSeparation of dutiesDefense in depthSecurity through obscurity

7 Which one of the following is not a goal of a formal change management program?Implement change in an orderly fashion.Test changes prior to implementation.Provide rollback plans for changes.Inform stakeholders of changes after they occur.

8 Ben is assessing the compliance of his organization with credit card security requirements. He finds payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?Purchasing insuranceEncrypting the database contentsRemoving the dataObjecting to the exception

9 You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?IntegrityDenialAvailabilityConfidentiality

10 Which one of the following is the first step in developing an organization’s vital records program?Identifying vital recordsLocating vital recordsArchiving vital recordsPreserving vital records

11 Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?AwarenessTrainingEducationIndoctrination

12 Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?TrainingEducationIndoctrinationAwareness

13 Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?ErasingClearingSanitizationDestruction

14 What term is used to describe a set of common security configurations, often provided by a third party?Security policyBaselineDSSNIST SP 800-53

15 Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?Information classificationRemanenceTransmitting dataClearing

16 Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?Source: NIST SP 800-88Destroy, validate, documentClear, purge, documentPurge, document, validatePurge, validate, document

17 Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?It applies in all circumstances, allowing consistent security controls.They are approved by industry standards bodies, preventing liability.They provide a good starting point that can be tailored to organizational needs.They ensure that systems are always in a secure state.

18 Retaining and maintaining information for as long as it is needed is known as what?Data storage policyData storageAsset maintenanceRecord retention

19 Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.IncipientSmokeFlameHeat

20 What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?Wet pipeDry pipeDelugePreaction

21 Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?CCTVIPSTurnstilesFaraday cages

22 Referring to the figure shown here, what is the name of the security control indicated by the arrow?Image reprinted from CISSP (ISC) 2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.MantrapTurnstileIntrusion prevention systemPortal

23 Which one of the following does not describe a standard physical security requirement for wiring closets?Place only in areas monitored by security guards.Do not store flammable items in the closet.Use sensors on doors to log entries.Perform regular inspections of the closet.

24 Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?FirewallIntrusion detection systemParameter checkingVulnerability scanning

25 Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?MantrapElectric lockMagnetic lockTurnstile

26 Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?Smart cardProximity cardMagnetic stripe cardPhase three card

27 Which one of the following facilities would have the highest level of physical security requirements?Data centerNetwork closetSCIFCubicle work areas

28 Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?Data minimizationAccuracyStorage limitationsPurpose limitations

29 What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?CorrectiveLogicalCompensatingAdministrative

30 Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.ControlsPasswordAccount reviewsBadge readersMFAIDPCategoriesAdministrativeTechnicalPhysical

31 Which of the following access control categories would not include a door lock?PhysicalCorrectivePreventativeDeterrent

For questions 53–54, please refer to the following scenario.

Gary was recently hired as the first chief information security officer (CISO) for a local government agency. The agency recently suffered a security breach and is attempting to build a new information security program. Gary would like to apply some best practices for security operations as he is designing this program.

1 As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?Separation of dutiesLeast privilegeAggregationSeparation of privileges

2 As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?Segregation of dutiesAggregationTwo-person controlDefense in depth

3 Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?Need to knowLeast privilegeSeparation of dutiesTwo-person control

4 Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?Least privilegeTwo-person controlJob rotationSeparation of duties

5 Which of the following is not true about the (ISC)2 code of ethics?Adherence to the code is a condition of certification.Failure to comply with the code may result in revocation of certification.The code applies to all members of the information security profession.Members who observe a breach of the code are required to report the possible violation.

6 Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?Need to knowLeast privilegeTwo-person controlTransitive trust

7 Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?EspionageConfidentiality breachSabotageIntegrity breach

8 Which one of the following is not a canon of the (ISC)2 code of ethics?Protect society, the common good, necessary public trust and confidence, and the infrastructure.Promptly report security vulnerabilities to relevant authorities.Act honorably, honestly, justly, responsibly, and legally.Provide diligent and competent service to principals.

9 When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?Least privilegeSeparation of dutiesJob rotationSecurity through obscurity

10 Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?Security guidelinesSecurity policyBaseline configurationRunning configuration

11 Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?Unit testingAcceptance testingRegression testingVulnerability testing

12 Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?Defense in depthSecurity through obscurityLeast privilegeSeparation of duties

13 What technology asset management practice would an organization use to ensure that systems meet baseline security standards?Change managementPatch managementConfiguration managementIdentity management

14 The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?Review the logs and require digital signatures for each log.Require authentication for all actions taken and capture logs centrally.Log the use of administrative credentials and encrypt log data in transit.Require authorization and capture logs centrally.

15 Veronica is responsible for her organization’s asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?Implementation/assessmentOperation/maintenanceInventory and licensingProcess, planning, design, and initiation

16 Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?GNU Public LicenseFreewareOpen sourcePublic domain

17 When an attacker called an organization’s help desk and persuaded them to reset a password due to the help desk employee’s trust and willingness to help, what type of attack succeeded?Trojan horseSocial engineeringPhishingWhaling