CISSP EXAM (Questions and Answers A+ Graded 100% Verified)

CISSP EXAM (Questions and Answers A+ Graded 100% Verified) 1. Which of the following best describes the relationship between COBIT and ITIL? A. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance. B. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management. C. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them. D. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals. CORRECT ANSWER: C. The Control Objectives for Information and related Technology (COBIT) is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure IT maps to business needs, not specifically just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals. In essence, COBIT addresses "what is to be achieved," and ITIL addresses "how to achieve it." 2. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this? A. Committee of Sponsoring Organizations of the Treadway Commission B. The Organisation for Economic Co-operation and Development C. COBIT D. International Organization for Standardization CORRECT ANSWER: B. Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. Thus, the Organisation for Economic Co-operation and Development (OECD) developed guidelines for various countries so that data is properly protected and everyone follows the same rules. 3. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining? A. Security policy committee B. Audit committee C. Risk management committee D. Security steering committee CORRECT ANSWER: D. Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of availability, integrity, and confidentiality as they pertain to the organization's business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals. 4. Which of the following is not included in a risk assessment? A. Discontinuing activities that introduce risk B. Identifying assets C. Identifying threats D. Analyzing risk in order of cost or criticality CORRECT ANSWER: A. Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM activity because there is not enough business need for its use, then prohibiting this service is an example of risk avoidance. Risk assessment does not include the implementation of countermeasures such as this. 5. The integrity of data is not related to which of the following? A. Unauthorized manipulation or changes to data B. The modification of data without authorization C. The intentional or accidental substitution of data D. The extraction of data to share with unauthorized entities CORRECT ANSWER: D. The extraction of data to share wi