CISSP Practice Questions (61–80)

Question 61

An application is used for funds transfer between an organization and a third party. During a security audit, an issue with the business continuity/disaster recovery policy and procedures for this application is found. Which of the following reports should the auditor file with the organization?
A. Service Organization Control (SOC) 1
B. Statement on Auditing Standards (SAS) 70
C. Service Organization Control (SOC) 2
D. Statement on Auditing Standards (SAS) 70-1

Question 62

Which of the following determines how traffic should flow based on the status of the infrastructure layer?
A. Traffic plane
B. Application plane
C. Data plane
D. Control plane

Question 63

A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce the development time. What concept should software developers consider when using open-source software libraries?
A. Open-source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild.
B. Open-source libraries can be used by everyone, and there is a common understanding that the vulnerabilities in these libraries will not be exploited.
C. Open-source libraries are constantly updated, making it unlikely that a vulnerability exists for an adversary to exploit.
D. Open-source libraries contain unknown vulnerabilities, so they should not be used.
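Whichever option one selects, the practical control behind this question is auditing third-party libraries against published advisories before (and after) shipping. The following is an added example, not part of the quiz page: it pins each dependency, checks it against a constructed advisory list (the package names, version ranges and summaries are fictional sample data, not real advisories), and reports every dependency whose version falls inside an affected range.

```python
"""Audit a pinned dependency manifest against known advisories.

Added illustration, not from the quiz page. The advisories and the
manifest below are constructed sample data with fictional package names.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    summary: str


# Constructed sample advisory database (fictional packages, not real CVEs).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "deserialization of untrusted input"),
    Advisory("fastparse", "0.9.0", "2.0.0", "regular expression denial of service"),
    Advisory("fastparse", "2.3.0", "2.3.1", "path traversal in archive extraction"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Only dotted integers are handled here;
    a production tool would implement full PEP 440 ordering."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse a pinned requirements.txt ('name==version' per line), ignoring
    blanks and comments. Unpinned lines are rejected: an audit cannot reason
    about a version it does not know."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line!r}")
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(requirements: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, version, summary) for every dependency that falls
    inside an advisory's affected range."""
    findings = []
    for name, version in parse_requirements(requirements):
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, version, adv.summary))
    return findings


# Constructed manifest for a local run.
SAMPLE_REQUIREMENTS = """
examplelib==1.3.0   # inside 1.0.0 <= v < 1.4.2, so it is flagged
fastparse==2.3.0    # fixed for the first fastparse advisory, hit by the second
tinyjson==0.2.1     # no advisories
"""

if __name__ == "__main__":
    for pkg, ver, why in audit(SAMPLE_REQUIREMENTS):
        print(f"{pkg}=={ver}: {why}")
```

The design point is the exclusive upper bound: the first version that contains the fix is not affected, and a library that has had one issue fixed can still be inside a later advisory's range, which is why every advisory for a package is checked rather than stopping at the first match.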

Question 64

Which of the following criteria ensures information is protected relative to its importance to the organization?
A. The value of the data to the organization’s senior management
B. Legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification
C. Legal requirements determined by the organization headquarters’ location
D. Organizational stakeholders, with classification approved by the management board

Question 65

Which of the following are the BEST characteristics of security metrics?
A. They are generalized and provide a broad overview.
B. They use acronyms and abbreviations to be concise.
C. They use bar charts and Venn diagrams.
D. They are consistently measured and quantitatively expressed.

Question 66

When network management is outsourced to third parties, which of the following is the MOST effective method of protecting critical data assets?
A. Provide links to security policies
B. Log all activities associated with sensitive systems
C. Employ strong access controls
D. Confirm that confidentiality agreements are signed

Question 67

What security principle addresses the issue of “Security by Obscurity”?
A. Open design
B. Segregation of duties (SoD)
C. Role-Based Access Control (RBAC)
D. Access control

Question 68

Which of the following is a Key Performance Indicator (KPI) for a security training and awareness program?
A. The number of security audits performed
B. The number of attendees at security training events
C. The number of security training materials created
D. The number of security controls implemented

Question 69

Which of the following is a common risk with fiber-optic communications, and what is the associated mitigation measure?
A. Data emanation; deploying Category (CAT) 6 and higher cable wherever feasible
B. Light leakage; deploying shielded cable wherever feasible
C. Cable damage; deploying ring architecture wherever feasible
D. Electronic eavesdropping; deploying end-to-end encryption wherever feasible

Question 70

Why is it important that senior management clearly communicates the formal Maximum Tolerable Downtime (MTD) decision?
A. To provide each manager with precise direction on selecting an appropriate recovery alternative
B. To demonstrate to the regulatory bodies that the company takes business continuity seriously
C. To demonstrate to the board of directors that senior management is committed to continuity recovery efforts
D. To provide a formal declaration from senior management as required by internal audit to demonstrate sound business practices

Question 71

An information-technology (IT) employee who travels frequently to various sites remotely connects to an organization. Which of the following solutions BEST serves as a secure control mechanism to meet the organization’s requirements?
A. Update the firewall rules to include the static IP addresses of the locations where the employee connects from.
B. Install a third-party screen-sharing solution that provides remote connection from a public website.
C. Implement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network (VPN) using the DDNS record.
D. Install a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA) access.

Question 72

Which of the following would need to be configured to ensure a device with a specific MAC address is always assigned the same IP address from DHCP?
A. Scope options
B. Reservation
C. Dynamic assignment
D. Exclusion
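For reference, this is what tying a MAC address to a fixed lease looks like in ISC DHCP's dhcpd.conf. It is an added example, not from the quiz page; the subnet, addresses, host name and MAC address are placeholders.

```conf
# Dynamic pool handed out to ordinary clients.
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
  option routers 192.0.2.1;
}

# Per-host entry: the client with this MAC address always receives
# 192.0.2.10. The fixed address is kept outside the dynamic range so it
# can never be handed to another client.
host printer-floor2 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.0.2.10;
}
```

A caveat a practitioner should keep in mind: the MAC address is the only thing the server matches on, and it is trivially spoofable, so a fixed lease is an addressing convenience, not an access control.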

Question 73

Which of the following is the MAIN difference between a network-based firewall and a host-based firewall?
A. A network-based firewall is stateful, while a host-based firewall is stateless.
B. A network-based firewall controls traffic passing through the device, while a host-based firewall controls traffic destined for the device.
C. A network-based firewall verifies network traffic, while a host-based firewall verifies processes and applications.
D. A network-based firewall blocks network intrusions, while a host-based firewall blocks malware.
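The distinction the question is getting at is visible directly in a packet filter's hook points. The nftables ruleset below is an added example, not from the quiz page, with placeholder interface names and addresses: the first table filters on the input hook (packets addressed to this machine, the host-firewall role), the second on the forward hook (packets transiting between interfaces, the network-firewall role).

```conf
# Host-based: only the input hook, i.e. packets whose destination is this machine.
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport 22 accept
  }
}

# Network-based: the forward hook, i.e. packets passing through this device.
# Assumes a LAN interface "lan0" and an upstream interface "wan0".
table inet net_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "lan0" oifname "wan0" accept
    iifname "wan0" oifname "lan0" ip daddr 192.0.2.10 tcp dport 443 accept
  }
}
```

Both chains can be stateful (the ct state rule appears in each), which is why the stateful/stateless split does not separate the two kinds of firewall; what separates them is which traffic they see.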

Question 74

Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?
A. Cutover
B. Walkthrough
C. Tabletop
D. Parallel

Question 75

A colleague who recently left the organization asked a security professional for a copy of the organization’s confidential incident management policy. Which of the following is the BEST response to this request?
A. Email the policy to the colleague as they were already part of the organization and familiar with it.
B. Do not acknowledge receiving the request from the former colleague and ignore them.
C. Access the policy on a company-issued device and let the former colleague view the screen.
D. Submit the request using company official channels to ensure the policy is okay to distribute.

Question 76

Before implementing an internet-facing router, a network administrator ensures that the equipment is baselined/hardened according to approved configurations and settings. This action provides protection against which of the following attacks?
A. Blind spoofing
B. Media Access Control (MAC) flooding
C. SQL injection (SQLi)
D. Ransomware

Question 77

Which of the following terms BEST describes a system that allows a user to log in and access multiple related servers and applications?
A. Remote Desktop Protocol (RDP)
B. Federated Identity Management (FIM)
C. Single Sign-On (SSO)
D. Multi-factor Authentication (MFA)

Question 78

Which of the following poses the GREATEST privacy risk to personally identifiable information (PII) when disposing of an office printer or copier?
A. The device could contain a document with PII on the platen glass.
B. Organizational network configuration information could still be present within the device.
C. A hard disk drive (HDD) in the device could contain PII.
D. The device transfer roller could contain imprints of PII.

Question 79

In systems security engineering, what does the security principle of modularity provide?
A. Documentation of functions
B. Isolated functions and data
C. Secure distribution of programs and data
D. Minimal access to perform a function

Question 80

Dumpster diving is a technique used in which stage of penetration testing methodology?
A. Attack
B. Discovery
C. Reporting
D. Planning