DOMAINS) COMPLETE STUDY GUIDE 2026 | PRACTICE QUESTIONS & ANSWERS
Updated 2026 Questions and Answers
Comprehensive rationales included
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
Answer: D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement the proposed countermeasure(s). Asset valuation, the annualized rate of occurrence (ARO), and the annualized loss expectancy (ALE) are all derived earlier in the process and feed into that final comparison.
2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
Answer: A. Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of an infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine
Answer: C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement
Answer: A. The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing, or transmitting data on EU or Swiss citizens.
5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering
Answer: D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attacker-focused modeling, not a technique of its own.
6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number
Answer: A. Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information. Student identification numbers are not on that list.
7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
Answer: C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan
Answer: D. A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods come from the same category, failing the requirement for multifactor authentication.
9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce
Answer: D. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement came into legal question in the wake of the NSA surveillance disclosures, and the Court of Justice of the European Union invalidated it in October 2015 (the Schrems decision); the Department of Commerce has administered the successor frameworks as well.
10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
Answer: A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
11. Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
Answer: A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
Answer: D. The export of encryption software to certain countries is regulated under US export control laws.