CMIT 425 Security and Risk Management Domain Practice Answers
1. Which of the following is NOT an example of a security control that ensures confidentiality?
   a. Data classification
   b. Encryption
   c. Restricting changes
   d. Network traffic padding

2. Which of the following is an administrative security control?
   a. Personnel screening
   b. Encryption
   c. Authorization
   d. Security guards

3. Which of the following is a technical security control?
   a. Standards
   b. Security devices
   c. Door locks
   d. Personnel screening

4. Which of the following is a physical security control?
   a. Logical access controls
   b. Security awareness training
   c. Identification
   d. Environmental controls

5. Which of the following is the best personnel arrangement for the design and management of security for an organization?
   a. A single security professional from within the organization
   b. A team of security professionals from the organization
   c. A team of employees representing every department within the organization
   d. An outside consultant

6. Which of the following is an example of an administrative security control?
   a. Security guards
   b. Policies
   c. Locks
   d. Intrusion detection systems

7. Which of the following is NOT one of the fundamental principles of security included in the CIA triad?
   a. Confidentiality
   b. Integrity
   c. Accountability
   d. Availability

8. The ability of a computer system to provide adequate capacity for predictable performance represents which of the fundamental security principles of the CIA triad?
   a. Confidentiality
   b. Integrity
   c. Accountability
   d. Availability

9. Which of the following is an example of a technical security control?
   a. Procedures
   b. Awareness training
   c. Perimeter lighting
   d. Encryption

10. Which of the following is an example of a physical security control?
   a. Rule-based access controls
   b. CCTV
   c. Exit interviews
   d. Traffic tunneling

11. Which of the following is an example of a security control that focuses on maintaining availability?
   a. Encrypted transport of data
   b. Quick recovery from faults
   c. Fixed packet length transmissions
   d. User awareness training

12. What security best practice requires that a user be given no more rights than are necessary to perform a task?
   a. Job rotation
   b. Mandatory vacations
   c. Principle of least privilege
   d. Separation of powers/duties

13. Which type of access control is focused on avoiding occurrence?
   a. Compensating
   b. Detective
   c. Deterrent
   d. Preventive

14. A security awareness program's primary function is to:
   a. Improve the organization's attitude about protecting data
   b. Improve the performance of the organization's intranet
   c. Improve the security of vendor relations
   d. Provide career opportunities to security personnel

15. In terms of the concept of due care, which of the following statements is NOT correct?
   a. It may and usually does require extraordinary care
   b. It implies that a person has been guilty of a violation of law in regard to a transaction or subject matter
   c. It is defined as that care with which a prudent person would have acted in the same or similar conditions or situation
   d. It involves just, sufficient and proper care provided the circumstances demand it

16. Which of the following is NOT one of the three security control types that a security administrator can employ to manage and impose security?
   a. Administrative
   b. Technical
   c. Strategic
   d. Physical

17. A ________ is the absence or weakness in a system that could possibly be exploited by an attacker.
   a. Countermeasure
   b. Risk
   c. Threat
   d. Vulnerability

18. Which of the following is NOT a form of administrative detective control?
   a. Job rotation
   b. Mandatory vacations
   c. Separation of powers
   d. Security reviews and audits

19. Which of the following is a valid definition for confidentiality?
   a. Unauthorized disclosure is prevented.
   b. Unauthorized modification is prevented.
   c. Resources are accessible at all times by authorized users.
   d. Disasters can be recovered from quickly.

20. A security administrator may employ all but which of the following types of controls to implement a security solution?
   a. Executive
   b. Administrative
   c. Technical
   d. Physical

21. Which of the following is NOT an example of an administrative security control?
   a. Standards
   b. Guidelines
   c. Identification
   d. Personnel screening
Document information
- Institution / Course: CMIT 425
- Uploaded on: May 19, 2024
- Number of pages: 14
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers