A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a third-party organization. The financial risk to the manufacturing organization starting production is high. What step should the manufacturing organization take to minimize its financial risk in the new venture prior to the purchase?
A. Require that the software be thoroughly tested by an accredited independent software testing company.
B. Hire a performance tester to execute offline tests on a system.
C. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system’s overall price.
D. Place the machine behind a Layer 3 firewall.
Answer: C
Rationale: A cost-benefit or quantitative risk analysis determines the acceptable level of risk before major investments, minimizing financial exposure.
Question 742
Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?
A. Unit testing
B. Acceptance testing
C. Integration testing
D. Negative testing
Answer: C
Rationale: Integration testing ensures that combined components handle unexpected or invalid inputs gracefully within the overall system context.
Question 743
Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?
A. Vendors take on the liability for COTS software vulnerabilities.
B. In-house developed software is inherently less secure.
C. COTS software is inherently less secure.
D. Exploits for COTS software are well documented and publicly available.
Answer: D
Rationale: COTS software is widely distributed, making vulnerabilities public and increasing the likelihood of exploits being developed and shared.
Question 744
When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?
A. Service Organization Control (SOC) 1, Type 2
B. Service Organization Control (SOC) 2, Type 2
C. International Organization for Standardization (ISO) 27001
D. International Organization for Standardization (ISO) 27002
Answer: B
Rationale: A SOC 2 Type 2 report validates the operational effectiveness of controls related to security, availability, processing integrity, confidentiality, and privacy.
Question 745
Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks?
A. Use Secure Shell (SSH) protocol
B. Use File Transfer Protocol (FTP)
C. Use Transport Layer Security (TLS) protocol
D. Use Media Gateway Control Protocol (MGCP)
Answer: C
Rationale: TLS encrypts VoIP signaling and media streams, preventing interception and tampering by MITM attackers.
Question 746
The Chief Information Security Officer (CISO) is concerned about business application availability. The organization was recently subject to a ransomware attack that resulted in the unavailability of applications and services for 10 working days, which required paper-based running of all main business processes. There are now aggressive plans to enhance the Recovery Time Objective (RTO) and cater for more frequent data captures. Which of the following solutions should be implemented to fully comply with the new business requirements?
A. Virtualization
B. Antivirus
C. Host-based intrusion prevention system (HIPS)
D. Process isolation
Answer: A
Rationale: Virtualization enables rapid recovery of systems and data replication, reducing downtime and meeting stricter RTO objectives.
Question 747
What is the MOST appropriate hierarchy of documents when implementing a security program?
A. Policy, organization principle, standard, guideline
B. Standard, policy, organization principle, guideline
C. Organization principle, policy, standard, guideline
D. Organization principle, guideline, policy, standard
Answer: B
Rationale: Security programs follow a hierarchy where standards implement policies, which reflect organizational principles, with guidelines providing support details.
Question 748
Which of the following is the MOST important consideration in selecting a security testing method based on different Radio-Frequency Identification (RFID) vulnerability types?
A. An understanding of the attack surface
B. Adaptability of testing tools to multiple technologies
C. The quality of results and usability of tools
D. The performance and resource utilization of tools
Answer: A
Rationale: Understanding the attack surface ensures that testing methods address all potential RFID threat vectors accurately.
Question 749
An organization’s internal audit team performed a security audit on the company’s system and reported that the manufacturing application is rarely updated, along with other issues categorized as minor. Six months later, an external audit team reviewed the same system with the same scope but identified severe weaknesses in the manufacturing application’s security controls. What is MOST likely to be the root cause of the internal audit team’s failure in detecting these security issues?
A. Inadequate security patch testing
B. Inadequate test coverage analysis
C. Inadequate log reviews
D. Inadequate change control procedures
Answer: B
Rationale: Poor test coverage analysis means critical parts of the system were not adequately tested, causing the internal audit to miss major vulnerabilities.
Question 750
Which of the following is a limitation of the Bell-LaPadula model?
A. Segregation of duties (SoD) is difficult to implement as the “no read-up” rule limits the ability of an object to access information with a higher classification.
B. Mandatory access control (MAC) is enforced at all levels making discretionary access control (DAC) impossible to implement.
C. It contains no provision or policy for changing data access control and works well only with access systems that are static in nature.
D. It prioritizes integrity over confidentiality which can lead to inadvertent information disclosure.
Answer: D
Rationale: MAC uses labels/clearances (e.g., Bell‑LaPadula) and primarily enforces confidentiality to prevent unauthorized disclosure.
Question 751
Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?
A. Asking the Information System Security Officer (ISSO) to describe the organization’s patch management processes
B. Ensuring that system audit logs capture all relevant data fields required by the security controls baseline
C. Logging into a web server using the default administrator account and a default password
D. Performing port scans of selected network hosts to enumerate active services
Answer: B
Rationale: The “Examine” method involves reviewing configurations, logs, or documentation to verify compliance or effectiveness without executing active testing.
Question 752
Which of the following BEST ensures the integrity of transactions to intended recipients?
A. Public key infrastructure (PKI)
B. Blockchain technology
C. Pre-shared key (PSK)
D. Web of trust
Answer: A
Rationale: PKI ensures integrity, authenticity, and nonrepudiation of digital transactions through certificates and cryptographic signatures.
Question 753
Recently, an unknown event has disrupted a single Layer-2 network that spans between two geographically diverse data centers. The network engineers have asked for assistance in identifying the root cause of the event. Which of the following is the MOST likely cause?
A. Smurf attack
B. Misconfigured routing protocol
C. Broadcast domain too large
D. Address spoofing
Answer: D
Rationale: Address spoofing at Layer 2 can disrupt traffic between network segments, especially in bridged environments across data centers.
Question 754
A company is moving from the V model to Agile development. How can the information security department BEST ensure that secure design principles are implemented in the new methodology?
A. Information security requirements are captured in mandatory user stories.
B. All developers receive mandatory targeted information security training.
C. The information security department performs an information security assessment after each sprint.
D. The non-financial information security requirements remain mandatory for the new model.
Answer: A
Rationale: Integrating security requirements directly into Agile user stories ensures security is built into the development lifecycle rather than added later.
Question 755
Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?
A. Provide diligent and competent service to principals.
B. Act honorably, honestly, justly, responsibly, and legally.
C. Advance and protect the profession.
D. Protect society, the commonwealth, and the infrastructure.
Answer: B
Rationale: Acting honorably and responsibly ensures ethical management of entrusted information and avoidance of conflicts of interest.
Question 756
Which of the following should exist in order to perform a security audit?
A. Neutrality of the auditor
B. Industry framework to audit against
C. External (third-party) auditor
D. Internal certified auditor
Answer: B
Rationale: A standardized framework (e.g., ISO 27001, NIST) provides an objective benchmark for evaluating controls during a security audit.
Question 757
When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call. This is an example of which type of network topology?
A. Point-to-Point Protocol (PPP)
B. Bus
C. Star
D. Tree
Answer: B
Rationale: A bus topology features a single communication path where all connections share a common link — like a manual switchboard setup.
Question 758
A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client’s Controlled Unclassified Information (CUI). What encryption strategy represents how to protect data at rest in the MOST efficient and cost-effective manner?
A. Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems
B. Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer
C. Perform physical separation of program information and encrypt only information deemed critical by the defense client
D. Implement data at rest encryption across the entire storage area network (SAN)
Answer: D
Rationale: Encrypting data at rest at the SAN level provides full coverage for storage and backup data efficiently, ensuring compliance and scalability.
Question 759
Which audit type is MOST appropriate for evaluating the effectiveness of a security program?
A. Analysis
B. Threat
C. Assessment
D. Validation
Answer: C
Rationale: A security assessment evaluates program effectiveness by analyzing current controls, processes, and their alignment with objectives.
Question 760
Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expected. To test the username field, the security practitioner creates a test that enters more characters into the field than are allowed. Which of the following BEST describes the type of test performed?
A. Misuse case testing
B. Interface testing
C. Web session testing
D. Penetration testing
Answer: A
Rationale: Misuse case testing validates how an application behaves when input is intentionally incorrect or malicious, simulating real misuse scenarios.