CISSP Practice Questions (361–380)

Question 361

An international medical organization with headquarters in the United States (US) and branches in France wants to test a drug in both countries. What is the organization allowed to do with the test subject’s data?
A. Aggregate it into one database in the US
B. Process it in the US, but store the information in France
C. Share it with a third party
D. Anonymize it and process it in the US

Question 362

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?
A. Code quality, security, and origin
B. Architecture, hardware, and firmware
C. Data quality, provenance, and scaling
D. Distributed, agile, and bench testing

Question 363

Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework?
A. Achieving Service Level Agreements (SLA) on how quickly patches will be released when a security flaw is found.
B. Maintaining segregation of duties.
C. Standardized configurations for logging, alerting, and security metrics.
D. Availability of security teams at the end of design process to perform last-minute manual audits and reviews.

Question 364

Which of the following combinations would MOST negatively affect availability?
A. Denial of Service (DoS) attacks and outdated hardware
B. Unauthorized transactions and outdated hardware
C. Fire and accidental changes to data
D. Unauthorized transactions and denial of service attacks

Question 365

Which of the following is the MOST efficient mechanism to account for all staff during a speedy nonemergency evacuation from a large security facility?
A. Large mantrap where groups of individuals leaving are identified using facial recognition technology
B. Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exit door
C. Emergency exits with push bars with coordinates at each exit checking off the individual against a predefined list
D. Card-activated turnstile where individuals are validated upon exit

Question 366

Which security model is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?
A. Biba
B. Graham-Denning
C. Clark-Wilson
D. Bell-LaPadula

Question 367

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
A. Password requirements are simplified.
B. Risk associated with orphan accounts is reduced.
C. Segregation of duties is automatically enforced.
D. Data confidentiality is increased.

Question 368

When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified?
A. Implementation
B. Initiation
C. Review
D. Development

Question 369

The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover. Which access control mechanism would be preferred?
A. Attribute Based Access Control (ABAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Role-Based Access Control (RBAC)

Question 370

Which of the following methods of suppressing a fire is environmentally friendly and the MOST appropriate for a data center?
A. Inert gas fire suppression system
B. Halon gas fire suppression system
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers

Question 371

Which of the following is a common characteristic of privacy?
A. Provision for maintaining an audit trail of access to the private data
B. Notice to the subject of the existence of a database containing relevant credit card data
C. Process for the subject to inspect and correct personal data on-site
D. Database requirements for integration of privacy data

Question 372

Which of the following is a responsibility of the information owner?
A. Ensuring that users and personnel complete the required security training to access the Information System (IS)
B. Defining proper access to the Information System (IS), including privileges or access rights
C. Managing identification, implementation, and assessment of common security controls
D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

Question 373

Proven application security principles include which of the following?
A. Minimizing attack surface area
B. Hardening the network perimeter
C. Accepting infrastructure security controls
D. Developing independent modules

Question 374

Which type of test would an organization perform in order to locate and target exploitable defects?
A. Penetration
B. System
C. Performance
D. Vulnerability

Question 375

Assessing a third party’s risk by counting bugs in the code may not be the best measure of an attack surface within the supply chain. Which of the following is LEAST associated with the attack surface?
A. Input protocols
B. Target processes
C. Error messages
D. Access rights

Question 376

What is the second step in the identity and access provisioning lifecycle?
A. Provisioning
B. Review
C. Approval
D. Revocation

Question 377

Which of the following is the MOST challenging issue in apprehending cyber criminals?
A. They often use sophisticated methods to commit a crime.
B. It is often hard to collect and maintain integrity of digital evidence.
C. The crime is often committed from a different jurisdiction.
D. There is often no physical evidence involved.

Question 378

Which of the following MUST be scalable to address security concerns raised by the integration of third-party identity services?
A. Mandatory Access Controls (MAC)
B. Enterprise security architecture
C. Enterprise security procedures
D. Role Based Access Controls (RBAC)

Question 379

At a MINIMUM, audits of permissions to individual or group accounts should be scheduled
A. annually
B. to correspond with staff promotions
C. to correspond with terminations
D. continually

Question 380

Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. identity provisioning
B. access recovery
C. multi-factor authentication (MFA)
D. user access review