Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization’s Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.
Which of the following documents explains the proper use of the organization's assets? A. Human resources policy B. Acceptable use policy C. Code of ethics D. Access control policy
Answer: B
Rationale: The acceptable use policy defines appropriate use of company devices and resources.
Question 262
Which of the following is the BEST solution to provide redundancy for telecommunications links? A. Provide multiple links from the same telecommunications vendor. B. Ensure that the telecommunications links connect to the network in one location. C. Ensure that the telecommunications links connect to the network in multiple locations. D. Provide multiple links from multiple telecommunications vendors.
Answer: D
Rationale: Using multiple vendors and paths ensures true redundancy and avoids single points of failure.
Question 263
Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.
Which of the following will indicate where the IT budget is BEST allocated during this time? A. Policies B. Frameworks C. Metrics D. Guidelines
Answer: C
Rationale: Metrics provide objective performance data to prioritize resource allocation.
Question 264
During the procurement of a new information system, it was determined that some of the security requirements were not addressed in the system specification. Which of the following is the MOST likely reason for this? A. The procurement officer lacks technical knowledge. B. The security requirements have changed during the procurement process. C. There were no security professionals in the vendor's bidding team. D. The description of the security requirements was insufficient.
Answer: D
Rationale: Vague or incomplete requirement descriptions lead to gaps in vendor system specifications.
Question 265
Which of the following BEST describes Recovery Time Objective (RTO)? A. Time of data validation after disaster B. Time of data restoration from backup after disaster C. Time of application resumption after disaster D. Time of application verification after disaster
Answer: C
Rationale: RTO defines the maximum acceptable time before critical applications must be restored post-disruption.
Question 266
Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data? A. Secondary use of the data by business users B. The organization's security policies and standards C. The business purpose for which the data is to be used D. The overall protection of corporate resources and data
Answer: B
Rationale: Admins must align system configurations with defined organizational security standards and policies.
Question 267
Refer to the information below to answer the question.
A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.
Which of the following BEST describes the access control methodology used? A. Least privilege B. Lattice Based Access Control (LBAC) C. Role Based Access Control (RBAC) D. Lightweight Directory Access Control (LDAP)
Answer: C
Rationale: Access determined by job classification aligns with RBAC principles.
Question 268
The use of a proximity card to gain access to a building is an example of what type of security control? A. Legal B. Logical C. Physical D. Procedural
Refer to the information below to answer the question.
A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.
In addition to authentication at the start of the user session, best practice would require re-authentication A. periodically during a session. B. for each business process. C. at system sign-off. D. after a period of inactivity.
Answer: D
Rationale: Re-authenticating after inactivity reduces risk from unattended sessions.
Question 270
For a service provider, which of the following MOST effectively addresses confidentiality concerns for customers using cloud computing? A. Hash functions B. Data segregation C. File system permissions D. Non-repudiation controls
Answer: C
Rationale: Lack of change control is the most common cause of operational and security failures; it leads to unauthorized or poorly tested modifications.
Question 271
From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system? A. Configure secondary servers to use the primary server as a zone forwarder. B. Block all Transmission Control Protocol (TCP) connections. C. Disable all recursive queries on the name servers. D. Limit zone transfers to authorized devices.
Answer: D
Rationale: Restricting zone transfers prevents DNS data leakage to unauthorized hosts.
Question 272
An organization's data policy MUST include a data retention period that is based on A. application dismissal. B. business procedures. C. digital certificate expiration. D. regulatory compliance.
Answer: D
Rationale: Retention policies must comply with laws governing how long data can be stored.
Question 273
Without proper signal protection, embedded systems may be prone to which type of attack? A. Brute force B. Tampering C. Information disclosure D. Denial of Service (DoS)
Answer: C
Rationale: Poor signal shielding can lead to electromagnetic information leakage.
Question 274
Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.
When determining appropriate resource allocation, which of the following is MOST important to monitor? A. Number of system compromises B. Number of audit findings C. Number of staff reductions D. Number of additional assets
Answer: B
Rationale: Audit findings reflect compliance and control effectiveness, guiding resource prioritization.
Question 275
Which of the following is the PRIMARY benefit of a formalized information classification program? A. It drives audit processes. B. It supports risk assessment. C. It reduces asset vulnerabilities. D. It minimizes system logging requirements.
Answer: B
Rationale: Classification supports risk assessment by defining sensitivity and protection requirements.
Question 276
When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)? A. Retain intellectual property rights through contractual wording. B. Perform overlapping code reviews by both parties. C. Verify that the contractors attend development planning meetings. D. Create a separate contractor development environment.
Answer: B
Rationale: Dual code reviews ensure quality and reduce security vulnerabilities.
Question 277
Which of the following is the BEST countermeasure to brute force login attacks? A. Changing all canonical passwords B. Decreasing the number of concurrent user sessions C. Restricting initial password delivery only in person D. Introducing a delay after failed system access attempts
Answer: D
Rationale: Login delays after failed attempts slow brute force attacks effectively.
Question 278
What is the MOST important reason to configure unique user IDs? A. Supporting accountability B. Reducing authentication errors C. Preventing password compromise D. Supporting Single Sign On (SSO)
Answer: A
Rationale: Unique IDs ensure accountability by linking actions to specific users.
Question 279
Refer to the information below to answer the question.
Desktop computers in an organization were sanitized for re-use in an equivalent security environment. The data was destroyed in accordance with organizational policy and all marking and other external indications of the sensitivity of the data that was formerly stored on the magnetic drives were removed.
Organizational policy requires the deletion of user data from Personal Digital Assistant (PDA) devices before disposal. It may not be possible to delete the user data if the device is malfunctioning. Which destruction method below provides the BEST assurance that the data has been removed? A. Knurling B. Grinding C. Shredding D. Degaussing
Answer: C
Rationale: Shredding physically destroys the device, eliminating any chance of data recovery.
Question 280
Which of the following statements is TRUE regarding state-based analysis as a functional software testing technique? A. It is useful for testing communications protocols and graphical user interfaces. B. It is characterized by the stateless behavior of a process implemented in a function. C. Test inputs are obtained from the derived boundaries of the given functional specifications. D. An entire partition can be covered by considering only one representative value from that partition.
Answer: A
Rationale: State-based testing validates system responses to input sequences, ideal for protocols and GUIs.