MISY 5325 FINAL EXAM 2025 UPDATED ACTUAL EXAM WITH CORRECT SOLUTIONS.
Procedures, policies - (ANSWER)__________ provide the detailed steps needed to carry out
___________.
right, permission - (ANSWER)A __________ grants the authority to perform an action on a system. A
__________ grants access to a resource.
security plan - (ANSWER)A business continuity plan (BCP) is an example of a(n):
a packet analyzer - (ANSWER)A hacker wants to launch an attack on an organization. The hacker uses a
tool to capture data sent over the network in cleartext, hoping to gather information that will help make
the attack successful. What tool is the hacker using?
assessments - (ANSWER)A threat is any activity that represents a possible danger, which includes any
circumstances or events with the potential to cause an adverse impact on all of the following, except:
exploit - (ANSWER)A(n) ____________ assessment attempts to identify vulnerabilities that can be
exploited.
Social engineering - (ANSWER)An access control such as a firewall or intrusion prevention system cannot
protect against which of the following?
input validation - (ANSWER)Another term for data range and reasonableness checks is:
procedural controls. - (ANSWER)Background checks, software testing, and awareness training are all
categories of:
Public key infrastructure (PKI) - (ANSWER)Bill is a security professional. He is in a meeting with co-
workers and describes a system that will make web sessions more secure. He says when a user connects
to the web server and starts a secure session, the server sends a certificate to the user. The certificate
includes a public key. The user can encrypt data with the public key and send it to the server. Because
,MISY 5325 FINAL EXAM 2025 UPDATED ACTUAL EXAM WITH CORRECT SOLUTIONS.
the server holds the private key, it can decrypt the data. Because no other entity has the private key, no
one else can decrypt the data. What is Bill describing?
Insurance - (ANSWER)Bonding is a type of __________ that covers against losses by theft, fraud, or
dishonesty.
Vulnerability × Threat . - (ANSWER)Complete the equation for the relationship between risk,
vulnerabilities, and threats: Risk equals:
Software Development - (ANSWER)Functionality testing is primarily used with:
Before writing an application or deploying a system - (ANSWER)Ideally, when should you perform threat
modeling?
read sections of a database or a whole database without authorization. - (ANSWER)In a SQL injection
attack, an attacker can:
Tailgating - (ANSWER)Piggybacking is also known as:
Weather Conditions; Natural Disasters - (ANSWER)Primary considerations for assessing threats based on
historical data in your local area are __________ and ___________.
share, transfer - (ANSWER)Purchasing insurance is the primary way for an organization to __________
or ___________ risk.
Preventative, detective, corrective - (ANSWER)Some controls are identified based on the function they
perform. What are the broad classes of controls based on function?
technical - (ANSWER)System logs and audit trails are a type of ________ control.
, MISY 5325 FINAL EXAM 2025 UPDATED ACTUAL EXAM WITH CORRECT SOLUTIONS.
technical, procedural - (ANSWER)The actual methods used to protect against data loss are __________
controls, but the program that identifies which data to protect is a ___________ control.
Contingency Planning(CP) - (ANSWER)The National Institute of Standards and Technology (NIST)
publishes SP 800-53. This document describes a variety of IT security controls, such as access control,
incident response, and configuration management. Controls are grouped into families. Which NIST
control family helps an organization recover from failures and disasters?
Mitigate - (ANSWER)To _________ risk means to reduce or neutralize threats or vulnerabilities to an
acceptable level.
encryption - (ANSWER)What changes plaintext data to ciphered data?
They are both performed for a specific time. - (ANSWER)What characteristic is common to risk
assessments and threat assessments?
They both specify that users be granted access only to what they need to perform their jobs. -
(ANSWER)What does the principle of least privilege have in common with the principle of need to
know?
A group of statements that either succeed or fail as a whole - (ANSWER)What is a transaction in a
database?
To prevent people from denying they took actions - (ANSWER)What is the purpose of nonrepudiation
techniques
Where a system is manufactured - (ANSWER)When performing threat assessments, it's important to
ensure you understand the system or application you are evaluating. To understand a given system or
application, you need to understand all of the following, except:
Procedures, policies - (ANSWER)__________ provide the detailed steps needed to carry out
___________.
right, permission - (ANSWER)A __________ grants the authority to perform an action on a system. A
__________ grants access to a resource.
security plan - (ANSWER)A business continuity plan (BCP) is an example of a(n):
a packet analyzer - (ANSWER)A hacker wants to launch an attack on an organization. The hacker uses a
tool to capture data sent over the network in cleartext, hoping to gather information that will help make
the attack successful. What tool is the hacker using?
assessments - (ANSWER)A threat is any activity that represents a possible danger, which includes any
circumstances or events with the potential to cause an adverse impact on all of the following, except:
exploit - (ANSWER)A(n) ____________ assessment attempts to identify vulnerabilities that can be
exploited.
Social engineering - (ANSWER)An access control such as a firewall or intrusion prevention system cannot
protect against which of the following?
input validation - (ANSWER)Another term for data range and reasonableness checks is:
procedural controls. - (ANSWER)Background checks, software testing, and awareness training are all
categories of:
Public key infrastructure (PKI) - (ANSWER)Bill is a security professional. He is in a meeting with co-
workers and describes a system that will make web sessions more secure. He says when a user connects
to the web server and starts a secure session, the server sends a certificate to the user. The certificate
includes a public key. The user can encrypt data with the public key and send it to the server. Because
,MISY 5325 FINAL EXAM 2025 UPDATED ACTUAL EXAM WITH CORRECT SOLUTIONS.
the server holds the private key, it can decrypt the data. Because no other entity has the private key, no
one else can decrypt the data. What is Bill describing?
Insurance - (ANSWER)Bonding is a type of __________ that covers against losses by theft, fraud, or
dishonesty.
Vulnerability × Threat . - (ANSWER)Complete the equation for the relationship between risk,
vulnerabilities, and threats: Risk equals:
Software Development - (ANSWER)Functionality testing is primarily used with:
Before writing an application or deploying a system - (ANSWER)Ideally, when should you perform threat
modeling?
read sections of a database or a whole database without authorization. - (ANSWER)In a SQL injection
attack, an attacker can:
Tailgating - (ANSWER)Piggybacking is also known as:
Weather Conditions; Natural Disasters - (ANSWER)Primary considerations for assessing threats based on
historical data in your local area are __________ and ___________.
share, transfer - (ANSWER)Purchasing insurance is the primary way for an organization to __________
or ___________ risk.
Preventative, detective, corrective - (ANSWER)Some controls are identified based on the function they
perform. What are the broad classes of controls based on function?
technical - (ANSWER)System logs and audit trails are a type of ________ control.
, MISY 5325 FINAL EXAM 2025 UPDATED ACTUAL EXAM WITH CORRECT SOLUTIONS.
technical, procedural - (ANSWER)The actual methods used to protect against data loss are __________
controls, but the program that identifies which data to protect is a ___________ control.
Contingency Planning(CP) - (ANSWER)The National Institute of Standards and Technology (NIST)
publishes SP 800-53. This document describes a variety of IT security controls, such as access control,
incident response, and configuration management. Controls are grouped into families. Which NIST
control family helps an organization recover from failures and disasters?
Mitigate - (ANSWER)To _________ risk means to reduce or neutralize threats or vulnerabilities to an
acceptable level.
encryption - (ANSWER)What changes plaintext data to ciphered data?
They are both performed for a specific time. - (ANSWER)What characteristic is common to risk
assessments and threat assessments?
They both specify that users be granted access only to what they need to perform their jobs. -
(ANSWER)What does the principle of least privilege have in common with the principle of need to
know?
A group of statements that either succeed or fail as a whole - (ANSWER)What is a transaction in a
database?
To prevent people from denying they took actions - (ANSWER)What is the purpose of nonrepudiation
techniques
Where a system is manufactured - (ANSWER)When performing threat assessments, it's important to
ensure you understand the system or application you are evaluating. To understand a given system or
application, you need to understand all of the following, except:
