TESTS ALL DOMAINS WITH
REVIEWED ANSWERS
1. What is the final step of a quantitative risk analysis?
k k k k k k k k k k
A. Determine asset value.
k k k
B. Assess the annualized rate of occurrence.
k k k k k k
C. Derive the annualized loss expectancy.
k k k k k
D. Conduct a cost.benefit analysis. - CORRECT ANSWER-D.
k k k k k k k
The final step of a quantitative risk analysis is conducting a cost/b
k k k k k k k k k k k
enefit analysis to
k k
determine whether the organisation should implement proposed
k k k k k k k
countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID for an una
k k k k k k k k k k k k
uthorised network is an example of what category of threat?
k k k k k k k k k
A. Spoofing
k
B. Information disclosure
k k
C. Repudiation
k
D. Tampering - CORRECT ANSWER-A.
k k k k
Spoofing attacks use falsified identities. Spoofing attacks may us
k k k k k k k k
e false IP addresses, email addresses, names, or, in the case of a
k k k k k k k k k k k k
n evil twin attack, SSIDs.
k k k k
3. Under the Digital Millennium Copyright Act (DMCA), what type
k k k k k k k k k k
of offenses do not require prompt action by an Internet service pr
k k k k k k k k k k k
ovider after it receives a notification of
k k k k k k
infringement claim from a copyright holder? k k k k k
A. Storage of information by a customer on a provider's server
k k k k k k k k k k
B. Caching of information by the provider
k k k k k k
,C. Transmission of information over the provider's network by a c
k k k k k k k k k k
ustomer
D. Caching of information in a provider search engine -
k k k k k k k k k
kCORRECT ANSWER-C. k
The DMCA states that providers are not responsible for the transi
k k k k k k k k k k
tory activities of
k k
their users. Transmission of information over a network would qu
k k k k k k k k k
alify for this exemption. The other activities listed are all nontransi
k k k k k k k k k k
tory actions that require
k k k
remediation by the provider. k k k
4. FlyAway Travel has offices in both the European Union and the
k k k k k k k k k k k
kUnited States and transfers personal information between those
k k k k k k k k
offices regularly. Which of the seven
k k k k k
requirements for processing personal information states that orgk k k k k k k
anizations must inform individuals about how the information they
k k k k k k k k
kcollect is used? k k
A. Notice
k
B. Choice
k
C. Onward Transfer
k k
D. Enforcement - CORRECT ANSWER-A.
k k k k
The Notice principle says that organizations must inform individu
k k k k k k k k
als of the information the organization collects about individuals a
k k k k k k k k k
nd how the organization will use it. These principles are based up
k k k k k k k k k k k
on the Safe Harbor Privacy Principles issued by the US Departm
k k k k k k k k k k
ent of Commerce in 2000 to help US companies comply with EU
k k k k k k k k k k k k
and Swiss privacy laws when collecting, storing, processing or tra
k k k k k k k k k
nsmitting data on EU or k k k k
Swiss citizens. k
5. Which one of the following is not one of the three common thre
k k k k k k k k k k k k k
at modeling techniques?
k k
A. Focused on assets
k k k
B. Focused on attackers
k k k
C. Focused on software
k k k
,D. Focused on social engineering - CORRECT ANSWER-D.
k k k k k k k
The three common threat modeling techniques are focused on att
k k k k k k k k k
ackers, software, k
and assets. Social engineering is a subset of attackers.
k k k k k k k k
6. Which one of the following elements of information is not consi
k k k k k k k k k k k
dered personally identifiable information that would trigger most
k k k k k k k k
US state data breach laws?
k k k k
A. Student identification number
k k k
B. Social Security number
k k k
C. Driver's license number
k k k
D. Credit card number - CORRECT ANSWER-A.
k k k k k k
Most state data breach notification laws are modeled after Califor
k k k k k k k k k
nia's law, which k k
covers Social Security number, driver's license number, state ide
k k k k k k k k
ntification card number, credit/debit card numbers, bank account
k k k k k k k k
numbers (in conjunction with a PIN or password), medical record
k k k k k k k k k
s, and health insurance information.
k k k k
7. In 1991, the federal sentencing guidelines formalized a rule tha
k k k k k k k k k k
t requires senior executives to take personal responsibility for info
k k k k k k k k k
rmation security matters. What is k k k k
the name of this rule?
k k k k
A. Due diligence rule
k k k
B. Personal liability rule
k k k
C. Prudent man rule
k k k
D. Due process rule - CORRECT ANSWER-C.
k k k k k k
The prudent man rule requires that senior executives take person
k k k k k k k k k
al responsibility
k
for ensuring the due care that ordinary, prudent individuals would
k k k k k k k k k k
exercise in the same situation. The rule originally applied to finan
k k k k k k k k k k
cial matters, but the Federal Sentencing Guidelines applied them
k k k k k k k k k
to information security matters in 1991.
k k k k k
, 8. Which one of the following provides an authentication mechani
k k k k k k k k k
sm that would be
k k k
appropriate for pairing with a password to achieve multifactor aut
k k k k k k k k k
hentication?
A. Username
k
B. PIN
k
C. Security question
k k
D. Fingerprint scan - CORRECT ANSWER-D.
k k k k k
A fingerprint scan is an example of a "something you are" factor,
k k k k k k k k k k k k
which would be k k
appropriate for pairing with a "something you know" password to
k k k k k k k k k k
achieve multifactor authentication. A username is not an authenti
k k k k k k k k
cation factor. PINs and security questions are both "something yo
k k k k k k k k k
u know," which would not achieve multifactor
k k k k k k
authentication when paired with a password because both metho k k k k k k k k
ds would come from
k k k
the same category, failing the requirement for multifactor authenti
k k k k k k k k
cation.
9. What United States government agency is responsible for adm
k k k k k k k k k
inistering the terms of safe harbor agreements between the Euro
k k k k k k k k k
pean Union and the United States under the EU Data Protection
k k k k k k k k k k k
Directive?
A. Department of Defense
k k k
B. Department of the Treasury
k k k k
C. State Department
k k
D. Department of Commerce - CORRECT ANSWER-D.
k k k k k k
The US Department of Commerce is responsible for implementin
k k k k k k k k
g the EU-US Safe
k k k
Harbor agreement. The validity of this agreement was in legal qu
k k k k k k k k k k
estion in the wake of k k k k
the NSA surveillance disclosures.
k k k