CISSP Practice Questions (481–500)

Question 481

A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?
A. Session hijacking
B. Security misconfiguration
C. Broken access control
D. Sensitive data exposure

Question 482

What is the BEST method to use for assessing the security impact of acquired software?
A. Threat modeling
B. Common vulnerability review
C. Software security compliance validation
D. Vendor assessment

Question 483

Which of the following ensures old log data is not overwritten?
A. Log retention
B. Implement Syslog
C. Increase log file size
D. Log preservation

Question 484

Under the General Data Protection Regulation (GDPR), what is the maximum amount of time allowed for reporting a personal data breach?
A. 24 hours
B. 48 hours
C. 72 hours
D. 96 hours

Question 485

A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?
A. The software has been signed off for release by the product owner.
B. The software has been branded according to corporate standards.
C. The software has the correct functionality.
D. The software has been code reviewed.

Question 486

An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization’s customer service portal, causing the site to crash. This is an example of which type of testing?
A. Performance
B. Positive
C. Non-functional
D. Negative

Question 487

Which of the following is the MOST effective strategy to prevent an attacker from disabling a network?
A. Design networks with the ability to adapt, reconfigure, and fail over.
B. Test business continuity and disaster recovery (DR) plans.
C. Follow security guidelines to prevent unauthorized network access.
D. Implement network segmentation to achieve robustness.

Question 488

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
A. Policy creation
B. Information Rights Management (IRM)
C. Data classification
D. Configuration management (CM)

Question 489

Which change management role is responsible for the overall success of the project and supporting the change throughout the organization?
A. Change driver
B. Project manager
C. Program sponsor
D. Change implementer

Question 490

A company needs to provide external business partners with shared access to sensitive data held in cloud storage. Which of the following identity models is the BEST for blinding identity providers (IdP) and relying parties (RP) from one another so that the subscriber lists of other parties are not disclosed?
A. Proxied federation
B. Dynamic registration
C. Federation authorities
D. Static registration

Question 491

A security professional needs to find a secure and efficient method of encrypting data on an endpoint. Which solution includes a root key?
A. Bitlocker
B. Trusted Platform Module (TPM)
C. Virtual storage array network (VSAN)
D. Hardware security module (HSM)

Question 492

Which combination of cryptographic algorithms is compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?
A. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric Key: Advanced Encryption Standard (AES) >128 bits; Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits)
B. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric Key: Advanced Encryption Standard (AES) >128 bits; Digital Signature: Rivest-Shamir-Adleman (RSA) (1024 bits)
C. Diffie-Hellman (DH) key exchange: DH (<=1024 bits); Symmetric Key: Blowfish; Digital Signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits)
D. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric Key: Advanced Encryption Standard (AES) <128 bits; Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)

Question 493

What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?
A. Measure the effect of the program on the organization’s workforce.
B. Make all stakeholders aware of the program’s progress.
C. Facilitate supervision of periodic training events.
D. Comply with legal regulations and document due diligence in security practices.

Question 494

In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made?
A. Prepare to take corrective actions quickly.
B. Automate functionality testing.
C. Review logs for any anomalies.
D. Receive approval from the change review board.

Question 495

What is the MAIN purpose of a security assessment plan?
A. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures.
B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
C. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation.
D. Provide technical information to executives to help them understand information security postures and secure funding.

Question 496

What documentation is produced FIRST when performing an effective physical loss control process?
A. Deterrent controls list
B. Security standards list
C. Asset valuation list
D. Inventory list

Question 497

Which organizational department is ultimately responsible for information governance related to e-mail and other e-records?
A. Legal
B. Audit
C. Compliance
D. Security

Question 498

A cloud service provider requires its customer organizations to enable maximum audit logging for its data storage service and to retain the logs for a period of three months. The audit logging generates an extremely high volume of logs. What is the MOST appropriate strategy for log retention?
A. Keep all logs in online storage.
B. Keep last week’s logs in online storage and the rest in offline storage.
C. Keep last week’s logs in online storage and the rest in near-line storage.
D. Keep all logs in offline storage.

Question 499

In Federated Identity Management (FIM), which of the following represents the concept of federation?
A. Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
B. Collection of information logically grouped into a single entity
C. Collection of information for common identities in a system
D. Collection of domains that have established trust among themselves

Question 500

Which of the following is an indicator that a company’s new user security awareness training module has been effective?
A. There are more secure connections to internal e-mail servers.
B. More incidents of phishing attempts are being reported.
C. Fewer incidents of phishing attempts are being reported.
D. There are more secure connections to the internal database servers.