Exam (elaborations)

WGU C725 OBJECTIVE ASSESSMENT FINAL MASTER'S COURSE INFORMATION SECURITY AND ASSURANCE/ WGU C725 OBJECTIVE ASSESSMENT FINAL EXAM PREPARATION WITH 300 REAL EXAM QUESTIONS AND CORRECT ANSWERS|AGRADE

Rating
-
Sold
4
Pages
52
Grade
A+
Uploaded on
21-02-2023
Written in
2022/2023

Institution
WGU C725
Course
WGU C725












Document information

Uploaded on
February 21, 2023
Number of pages
52
Written in
2022/2023
Type
Exam (elaborations)
Contains
Questions & answers

Subjects

  • wgu c725

Content preview

WGU C725 TEST BANK 2023 MASTER'S COURSE
INFORMATION SECURITY AND ASSURANCE 2023 TEST
BANK 300 REAL EXAM QUESTIONS AND CORRECT
ANSWERS|AGRADE



An employee has worked for the same organization for years and still has access to
legal files even though this employee now works in accounting. Which principle
has been violated? - ANSWER- Least privilege

A sales specialist is a normal user of a corporate network. The corporate network
uses subjects, objects, and labels to grant users access. Which access control
methodology is the corporation using? - ANSWER- Mandatory

What is considered a valid method for testing an organization's disaster recovery
plan, according to the Certified Information Systems Security Professional
(CISSP)? - ANSWER- Checklist

Who directs policies and procedures that are designed to protect information
resources in an organization? - ANSWER- Information resources security officer

Which topics should be included in an employee security training program? -
ANSWER- Social engineering, shoulder surfing, phishing, malware

What is a threat to business operations? - ANSWER- Sophisticated hacking tools
purchased by a disgruntled employee

Which statement describes a threat? - ANSWER- Spear phishing attack

Which type of control reduces the effect of an attack? - ANSWER- Corrective

Which security control should be included in a risk management policy? -
ANSWER- Exception process

The organization applies comprehensive hardening to all its computer assets. Due
to the high cost of accomplishing this, the security manager decides to withhold
any further spending on IT security for the remainder of the year. The manager
believes that because of the complexity and secrecy of the organization's security
configuration, these computer assets are relatively safe. Which flawed security
principle is the security manager relying on? - ANSWER- Security through
obscurity

The company receives notification from its security monitoring service that an
unauthorized physical breach of its datacenter occurred. The perpetrator was able
to guess the correct code to the keypad device that controls access. Which type of
risk management control could have prevented this breach from occurring? -
ANSWER- Multifactor authentication



The company identifies a risk with an asset that has relatively low value. The cost
to secure the asset is $2 million. An insurance company will insure the loss of the
asset for $150,000 a year. The company decides not to take any action to protect
the asset. Which risk management strategy did the company choose to follow? -
ANSWER- Acceptance

Which type of system controls preserves the state of the system before a crash and
prevents further damage or unauthorized access to a system? - ANSWER- Fail
secure

A software development company follows a process where software is moved from
the development environment, to the testing environment for quality assurance,
and then on to production. Which individual should be restricted from migrating
the software to the production environment? - ANSWER- Lead programmer

After an audit of user access, a CIO is concerned about improperly granted
permissions. Which type of user access should the CIO be most concerned with? -
ANSWER- Elevated

Which attack uses common words and phrases to guess passwords? - ANSWER-
Dictionary

What is a disadvantage of discretionary access control (DAC)? - ANSWER-
Empowers owners to decide access levels

Which password problem persists when accessing information and systems even
with a strong password management and creation policy? - ANSWER- Passwords
are repudiable.

An organization wants to update its policies that govern email acceptable use,
internet acceptable use, laptop security, and wireless security. Which type of
policies should the organization update to accomplish this? - ANSWER- Issue
Specific

Which type of documents do organizations use to explain step-by-step
instructions? - ANSWER- Procedures

Data entry specialists at a hospital are only supposed to be able to enter new patient
records into the database but not be able to access existing records. Because the
permissions were not set correctly, some data entry specialists have been accessing
existing patient records and making unauthorized changes. Hospital administrators
want to be able to easily grant permissions based on job type. Which security
principle should the organization implement to solve this problem? - ANSWER-
RBAC

A company was the victim of a phishing attack. This attack occurred because a
cybercriminal recovered employee company email addresses from a stolen laptop.
How should employee company email addresses be classified? - ANSWER-
Business sensitive

An accountant finds an error in the way interest is credited to customer accounts.
The IT department traces the error to a patch that IT put on the software used to
track customer accounts. The error cost the organization about $100,000 in
overpayments. What is the IT department's role in this case? - ANSWER-
Custodian

Which type of hypervisor installs directly onto the hardware where the host OS
would normally reside? - ANSWER- Type 1

Management is concerned that data will be lost when using virtual machines (VM).
What are two ways to preserve data in VMs? Choose 2 answers. - ANSWER- Full
and hypervisor updates

Which type of investigation is completed internally and examines either
operational issues or a violation of the organization's policies? - ANSWER-
Administrative

Which two types of information about evidence are required to preserve the chain
of custody? - ANSWER- Relevant circumstances surrounding the collection of the
evidence; name of the person collecting the evidence

You must ensure that a complete inventory of your organization's assets is
maintained. Which components are necessary in the asset management inventory?

firmware versions
operating system versions
application versions
hardware devices installed - ANSWER- All the points

Question 2: What is the primary function of portable storage media, such as Zip,
Jaz, and flash drives? - ANSWER- to exchange data

___________is the process of wiping out data from storage media to ensure that
the data is not recoverable and cannot be reused. - ANSWER- Sanitization

What defines the minimum level of security? - ANSWER- Baselines

Question 4: As a security professional, you have been asked to determine the
appropriate retention policies for media, hardware, data, and personnel. You decide
to first document the appropriate data retention policies. Which of the following
statements is NOT true of developing these policies? - ANSWER- You should
work with data custodians to develop the appropriate data retention policy for each
type of data the organization owns.

You have been asked to provide scoping and tailoring guidance for an
organization's security controls. Which of the following guidelines is NOT true
regarding this process? - ANSWER- Scoping and tailoring are closely tied to
access control lists.
