[1] CISSP – MCQ – Security Management Practices

CISSP Multiple Choice Questions MCQ With Answers Techhyme

This article offers you a solid foundation for the Certified Information Systems Security Professional (CISSP) exam. This article is designed for readers and students who want to study for the CISSP certification exam.

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)2 organization.

(ISC)2 is a global not-for-profit organization. It has four primary mission goals:

Maintain the Common Body of Knowledge for the field of information systems security
Provide certification for information systems security professionals and practitioners
Conduct certification training and administer the certification exams
Oversee the ongoing accreditation of qualified certification candidates through continued education

In this article, all the questions are related to “Security Management Practices” and are as follows:

1) Which choice below is an incorrect description of a control?

Detective controls discover attacks and trigger preventative or correcting controls.
Corrective controls reduce the likelihood of a deliberate attack.
Corrective controls reduce the effect of an attack.
Controls are the countermeasures for vulnerabilities.

2) Which statement below is accurate about the reasons to implement a layered security architecture?

A layered security approach is not necessary when using COTS products.
A good packet-filtering router will eliminate the need to implement a layered security architecture.
A layered security approach is intended to increase the work-factor for an attacker.
A layered approach doesn’t really improve the security posture of the organization.

3) Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.
The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

4) Which choice below is NOT a concern of policy development at the high level?

Identifying the key business resources
Identifying the type of firewalls to be used for perimeter security
Defining roles in the organization
Determining the capability and functionality of each role

5) Which choice below is NOT an accurate about the visibility of IT security policy?

The IT security policy should not be afforded high visibility.
The IT security policy could be visible through panel discussions with guest speakers.
The IT security policy should be afforded high visibility.
The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

6) Which question below is NOT accurate regarding the process of risk assessment?

The likelihood of a threat must be determined as an element of the risk assessment.
The level of impact of a threat must be determined as an element of the risk assessment.
Risk assessment is the first process in the risk management methodology.
Risk assessment is the final result of the risk management methodology.

7) Which choice below would NOT be considered an element of proper user account management?

Users should never be rotated out of their current duties.
The user’s accounts should be reviewed periodically.
A process for tracking access authorizations should be implemented.
Periodically re-screen personnel in sensitive positions.

8) Which choice below is NOT one of NIST’s 33 IT security principles?

Implement least privilege.
Assume that external systems are insecure.
Totally eliminate any level of risk.
Minimize the system elements to be trusted.

9) How often should an independent review of the security controls be performed, according to OMB Circular A-130?

Every year
Every three years
Every five years
Never

10) Which choice below BEST describes the difference between the System Owner and the information Owner?

There is a one-to-one relationship between system owners and information owners.
One system could have multiple information owners.
The information Owner is responsible for defining the system’s operating parameters.
The System Owner is responsible for establishing the rules for appropriate use of the information.

11) Which choice below is NOT a generally accepted benefit of security awareness, training, and education?

A security awareness program can help operators understand the value of the information.
A security education program can help system administrators recognize unauthorized intrusion attempts.
A security awareness and training program will help prevent natural disasters from occurring.
A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

12) Who has the final responsibility for the preservation of the organization’s information?

Technology providers
Senior management
Users
Application owners

13) Which choice below is NOT an example of an issue-specific policy?

Email privacy policy
Virus-checking disk policy
Defined router ACLs
Unfriendly employee termination policy

14) Which statement below is NOT true about security awareness, training, and educational programs?

Awareness and training help users become more accountable for their actions.
Security education assists management in determining who should be promoted.
Security improves the users’ awareness of the need to protect information resources.
Security education assists management in developing the in-house expertise to manage security programs.

15) Which choice below is an accurate statement about standards?

Standards are the high-level statements made by senior management in support of information systems security.
Standards are the first element created in an effective security policy program.
Standards are used to describe how policies will be implemented within an organization.
Standards are senior management’s directives to create a computer security program.

16) Which choice below is a role of the information Systems Security Officer?

The ISO establishes the overall goals of the organization’s computer security program.
The ISO is responsible for day-to-day security administration.
The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
The ISO is responsible for following security procedures and reporting security problems.

17) Which statement below is NOT correct about safeguard selection in the risk analysis process?

Maintenance costs need to be included in determining the total cost of the safeguard.
The best possible safeguard should always be implemented, regardless of cost.
The most commonly considered criteria is the cost effectiveness of the safeguard.
Many elements need to be considered in determining the total cost of the safeguard.

18) Which choice below is usually the number-one-used criterion to determine the classification of an information object?

Value
Useful life
Age
Personal association

19) What are high-level policies?

They are recommendations for procedural controls.
They are the instructions on how to perform a Quantitative Risk Analysis.
They are statements that indicate a senior management’s intention to support InfoSec.
They are step-by-step procedures to implement a safeguard.

20) Which policy type is MOST likely to contain mandatory or compulsory standards?

Guidelines
Advisory
Regulatory
Informative

21) What does an Exposure Factor (EF) describe?

A dollar figure that is assigned to a single event
A number that represents the estimated frequency of the occurrence of an expected threat
The percentage of loss that a realized threat event would have on a specific asset
The annual expected financial loss to an organization from a threat

22) What is the MOST accurate definition of a safeguard?

A guideline for policy recommendations
A step-by-step instructional procedure
A control designed to counteract a threat
A control designed to counteract an asset

23) Which choice MOST accurately describes the differences between standards, guidelines, and procedures?

Standards are recommended policies, whereas guidelines are mandatory policies.
Procedures are step-b-step recommendation for complying with mandatory guidelines.
Procedures are the general recommendations for compliance with mandatory guidelines.
Procedures are step-by-step instructions for compliance with mandatory standards.

24) What are the detailed instructions on how to perform or implement a control called?

Procedures
Policies
Guidelines
Standards

25) How is an SLE derived?

(Cost-benefit) * (% of Asset Value)
AV * EF
ARO * EF
% of AV – implementation cost

26) What is a noncompulsory recommendation on how to achieve compliance with published standards called?

Procedures
Policies
Guidelines
Standards

27) Which group represents the MOST likely source of an asset loss through inappropriate computer use?

Crackers
Hackers
Employees
Saboteurs

28) Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?

The custodian implements the information classification scheme after the initial assignment by the owner.
The data owner implements the information classification scheme after the initial assignment by the custodian.
The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
The custodian implements the information classification scheme after the initial assignment by the operations manager.

29) What is an ARO?

A dollar figure assigned to a single event
The annual expected financial loss to an organization from a threat
A number that represents the estimated frequency of an occurrence of an expected threat
The percentage of loss that a realized threat event would have on a specific asset

30) Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?