Exam (elaborations)

CISSP 2023 Exam with complete solutions

Pages: 21
Grade: A+
Uploaded on: 21-06-2023
Written in: 2022/2023

The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP? - Answer- A. Honesty B. Ethical Behavior C. Legality D. Control

Which of the following control pairings places emphasis on "soft" mechanisms that support the access control objectives? - Answer- a. Preventive / Technical Pairing b. Preventive / Administrative Pairing c. Preventive / Physical Pairing d. Detective / Administrative Pairing

Soft Control is another way of referring to - Answer- Administrative Control

The control measures that are intended to reveal violations of security policy using software and hardware are associated with: - Answer- a. Preventive / Physical b. Detective / Technical c. Detective / Physical d. Detective / Administrative

Which of the following is most appropriate to notify an external user that session monitoring is being conducted? - Answer- a. Logon Banners b. Wall Posters c. Employee Handbook d. Written Agreement

What measures are intended to reveal violations of security policy using technical means? - Answer- The detective/technical control

Why do many organizations require every employee to take a mandatory vacation of a week or more? - Answer- a. to detect improper or illegal acts by employees b. to lead to greater productivity through a better quality of life for the employee c. to provide proper cross training for another employee d. to allow more employees to have a better understanding of the overall system

You have been tasked to develop an effective information classification program. Which one of the following steps should be performed first? - Answer- a. Establish procedures for periodically reviewing the classification and ownership b. Specify the security controls required for each classification level c. Identify the data custodian and define their responsibilities d. Specify the criteria that will determine how data is classified

The IS review is focused on the controls in place related to the process of defining IT service levels. Which of the following staff members would be best suited to provide information during the review? - Answer- a. System programmer b. Legal staff c. Business unit manager d. Programmer

Who directs, coordinates, plans, and organizes information security activities throughout the organization; works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors; and, with his or her team, is responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines? - Answer- Security Officer

Who maintains the overall responsibility for protection of the information assets? The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know. - Answer- Executive Management/Senior Management

An individual or function that takes care of the information on behalf of the owner. These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption. Information may be stored in files, databases, or systems whose technical infrastructure must be managed by systems administrators. This group administers access rights to the information assets. - Answer- A data custodian

These people are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing access rules for the data for which they are responsible. - Answer- Data/Information/Business/System Owners

Which of the following alternative business recovery strategies would be LEAST reliable in a large database and on-line communications network environment where the critical business continuity period is 7 days? - Answer- a. Hot site b. Warm site c. Redundant or Alternate site d. Reciprocal Agreement

A facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. - Answer- Hot Site

Leased or rented facility that supplies the basic environment (electrical wiring, air conditioning, plumbing, and flooring) but none of the equipment or additional services. - Answer- Cold site

• Less expensive • Available for longer timeframes because of the reduced costs • Practical for proprietary hardware or software use. Warm and Cold Site Disadvantages: • Operational testing not usually available • Resources for operations not immediately available - Answer- Warm site

Which of the following computer crimes is MORE often associated with INSIDERS? - Answer- a. IP spoofing b. Password sniffing c. Data diddling d. Denial of Service (DoS)

Which of the following is BEST defined as a physical control? - Answer- a. Monitoring of system activity b. Fencing c. Identification and authentication methods d. Logical access control measures

What would BEST define risk management? - Answer- a. The process of eliminating the risk b. The process of assessing the risk c. The process of reducing the risk to an acceptable level d. The process of transferring risk

Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)? - Answer- a. The National Computer Security Center (NCSC) b. The National Institute of Standards and Technology (NIST) c. The National Security Agency (NSA) d. The American National Standards Institute (ANSI)

Which of the following should NOT be accessible by a computer operator? - Answer- a. Operations documentation b. Computer console c. Source code of applications d. Information security guidelines

Which of the following enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks? - Answer- a. Risk assessment b. Residual risk c. Security controls d. Business unit

A contingency plan should address: - Answer- a. Potential risks b. Residual risks c. Identified risks d. All of the other answers are correct

During the salvage of the Local Area Network and Servers, which of the following steps would normally be performed first? - Answer- a. Damage mitigation b. Install LAN communications network and servers c. Assess damage to LAN servers d. Recover equipment

A Business Continuity Plan should be tested: - Answer- a. once a month b. at least twice a year c. once a year d. at least once every two years

What is called an exception to the search warrant requirement that allows an officer to conduct a search without having the warrant in hand if probable cause is present and destruction of the evidence is deemed imminent? - Answer- a. Evidence Circumstance Doctrine b. Exigent Circumstance Doctrine c. Evidence of Admissibility Doctrine d. Exigent Probable Doctrine

Which of the following is NOT a form of detective technical control? - Answer- a. Audit trails b. Access control software c. Honeypot d. Intrusion detection system

Failure of a contingency plan is usually: - Answer- a. A technical failure. b. A management failure. c. Because of a lack of awareness. d. Because of a lack of training.

Institution: CISSP
Course: CISSP

Contains: Questions & answers