Management (Domain 1) 100 Q&A
1. What is the final step of quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
D. Conduct a cost/benefit analysis.
2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized
network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
A. Spoofing
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do
not require prompt action by an Internet service provider after it receives a
notification of infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine
C. Transmission of information over the provider's network by a customer
4. FlyAway Travel has offices in both the European Union and the United States
and transfers personal information between those offices regularly. Which of the
seven requirements for processing personal information states that organizations
must inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement
A. Notice
5. Which one of the following is not one of the three common threat modeling
techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering
D. Focused on social engineering
6. Which one of the following elements of information is not considered
personally identifiable information that would trigger most US state data breach
laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number
A. Student identification number
7. In 1991, the federal sentencing guidelines formalized a rule that requires senior
executives to take personal responsibility for information security matters. What
is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
C. Prudent man rule
8. Which one of the following provides an authentication mechanism that would
be appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan
D. Fingerprint scan
9. What United States government agency is responsible for administering the
terms of safe harbor agreements between the European Union and the United
States under the EU Data Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce
D. Department of Commerce
10. Yolanda is the chief privacy officer for a financial institution and is
researching privacy issues related to customer checking accounts. Which one of
the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
A. GLBA
11. Tim's organization recently received a contract to conduct sponsored
research as a government contractor. What law now likely applies to the
information system involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
A. FISMA
12. Chris is advising travelers from his organization who will be visiting many
different countries overseas. He is concerned about compliance with export
control laws. Which of the following technologies is most likely to trigger these
regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
D. Encryption software
13. Bobbi is investigating a security incident and discovers that an attacker
began with a normal user account but managed to exploit a system vulnerability
to provide that account with administrative rights. What type of attack took place
under the STRIDE model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege
D. Elevation of privilege
14. You are completing your business continuity planning effort and have
decided that you wish to accept one of the risks. What should you do next?
A. Implement new security control to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.
D. Document your decision-making process.
15. Which one of the following control categories does not accurately describe a
fence around a facility?
A. Physical
B. Detective
C. Deterrent
D. Preventive
B. Detective
16. Tony is developing a business continuity plan and is having difficulty
prioritizing resources because of the difficulty of combining information about
tangible and intangible assets. What would be the most effective risk assessment
approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
17. What law provides intellectual property protection to the holders of trade
secrets?
A. Copyright Law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act
D. Economic Espionage Act
18. Which one of the following principles imposes a standard of care upon an
individual that is broad and equivalent to what one would expect from a