Which groups typically report to the chief security officer (CSO)? - Security engineering
and operations
A company is considering which controls to buy to protect an asset. What should the
price of the controls be in relation to the cost of the asset? - Less than the annual loss
expectancy
An employee uses a secure hashing algorithm for message integrity. The employee
sends a plain text message with the embedded hash to a colleague. A rogue device
receives and retransmits the message to its destination. Once received and checked by
the intended recipient, the hashes do not match.
Which STRIDE concept has been violated? - Tampering
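The integrity check in the scenario above, as an added example (not code from the original page). It replays the question's case, a rogue device that alters the message in transit without updating the embedded digest, and then shows the caveat a practitioner should know: because a bare hash needs no key, a rogue device that also recomputes the digest is not detected, whereas a keyed HMAC is. The message text, the `1000` to `9000` edit and the shared key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: the employee's plain-text message and a shared key.
# The key is an assumption for the keyed variant; the question itself uses an
# unkeyed hash only.
MESSAGE = b"Approve transfer of 1000 USD to vendor 4471"
SHARED_KEY = b"example-shared-secret-not-from-the-page"


def send_with_hash(message: bytes):
    """Sender side as in the question: message plus an embedded SHA-256 digest."""
    return message, hashlib.sha256(message).hexdigest()


def check_hash(message: bytes, digest: str) -> bool:
    """Recipient side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def send_with_hmac(message: bytes, key: bytes):
    """Keyed alternative: an HMAC-SHA256 tag instead of a bare digest."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def check_hmac(message: bytes, tag: str, key: bytes) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def rogue_retransmit(message: bytes, digest: str, recompute: bool):
    """The rogue device alters the payload before retransmitting.
    recompute=False is the question's case: the old digest no longer matches.
    recompute=True is the attacker's better move: with no key involved, the
    device can simply hash the altered message itself."""
    altered = message.replace(b"1000", b"9000")
    if recompute:
        return altered, hashlib.sha256(altered).hexdigest()
    return altered, digest


def scenario_unkeyed(recompute: bool) -> bool:
    """Returns True if the recipient's hash check accepts the relayed message."""
    msg, digest = send_with_hash(MESSAGE)
    relayed_msg, relayed_digest = rogue_retransmit(msg, digest, recompute)
    return check_hash(relayed_msg, relayed_digest)


def scenario_keyed() -> bool:
    """Same tampering against an HMAC: the rogue device does not hold SHARED_KEY,
    so the best it can do is attach an unkeyed digest, which the check rejects."""
    msg, tag = send_with_hmac(MESSAGE, SHARED_KEY)
    altered = msg.replace(b"1000", b"9000")
    forged_tag = hashlib.sha256(altered).hexdigest()
    return check_hmac(altered, forged_tag, SHARED_KEY)
```

The mismatch the recipient sees in the question is therefore the lucky outcome; a plain digest only catches accidental corruption or a clumsy attacker. Detecting deliberate tampering by an active relay needs a key the relay does not have (an HMAC) or a digital signature.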
An attacker accesses private emails between the company's CISO and board members.
The attacker then publishes the emails online. Which type of attack is this, according
to the STRIDE model? - Information disclosure
A system data owner needs to give access to a new employee, so the owner formally
requests that the system administrator create an account and permit the new employee
to use systems necessary to the job. Which type of control does the system
administrator use to grant these permissions? - Access
The chief information security officer (CISO) for an organization knows that the
organization's datacenter lacks the physical controls needed to adequately control
access to sensitive corporate systems. The CEO, CIO, and CFO feel that the
current physical access is within a tolerable risk level, and they agree not to
pay for upgrades to the facility.
Which risk management strategy has the senior leadership decided to employ? -
Acceptance
Which phase of the software development life cycle follows system design? -
Development
Which question relates to the functional aspect of computer security? - Does the
system do the right things in the right way?
Which action is an example of a loss of information integrity based on the CIA
triad? - A security engineer accidentally scrambles information in a database.
What is included in quantitative risk analysis? - Risk ranking
What is a fundamentally objective concept in determining risk? - Resource costs
C725 Practice Test
Which domain of the (ISC)² Common Body of Knowledge addresses procedures
and tools that eliminate or reduce the capability to exploit critical information? -
Operations Security
Which domain of the (ISC)² Common Body of Knowledge addresses
identification, authentication, authorization, and logging and monitoring techniques
and technologies?
- Access Control
Which type of policy establishes a security plan, assigns management
responsibilities, and states an organization's computer security objectives? -
Program-level
A company consults a best practices manual from its vendor while deploying a
new IT system. Which type of document does this exemplify? - Guidelines
An organization has all of its offices in several different buildings that are
situated on a large city block. Which type of network is specifically suited to
connect these offices to the organization's network? - Campus
A network security engineer is tasked with preparing audit reports for the
auditor. The internal auditor sends the reports to the external auditor, who
discovers that fraud was committed and that the network security engineer has
falsified the reports. Which security principle should be used to stop this type of
fraud from happening? - Separation of duties
An employee has worked for the same organization for years and still has
access to legal files even though this employee now works in accounting.
Which principle has been violated? - Least privilege
A sales specialist is a normal user of a corporate network. The corporate
network uses subjects, objects, and labels to grant users access. Which access
control methodology is the corporation using? - Mandatory
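A working illustration of the subject/object/label decision in the question above, added here as an example and not taken from the page or any course material. The level names, the compartments, the sample subjects and objects, and the choice of Bell-LaPadula style rules (no read up, no write down) as the concrete mandatory policy are all assumptions made for the example; the question itself only states that access is granted from labels.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (assumed names; the question only says "labels").
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: a higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# Constructed subjects and objects. Labels are assigned by the security
# administrator, not chosen by the users or file owners themselves; that is
# what makes this mandatory rather than discretionary access control.
SUBJECTS = {
    "sales_specialist": Label("internal", frozenset({"sales"})),
    "legal_counsel": Label("secret", frozenset({"legal"})),
}
OBJECTS = {
    "price_list": Label("internal", frozenset({"sales"})),
    "merger_memo": Label("secret", frozenset({"legal"})),
    "public_brochure": Label("public"),
}


def access_allowed(subject: str, action: str, obj: str) -> bool:
    """Bell-LaPadula style rules, assumed here as the illustrative MAC policy:
    read only if the subject's clearance dominates the object's label (no read up),
    write only if the object's label dominates the subject's (no write down)."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if action == "read":
        return s.dominates(o)
    if action == "write":
        return o.dominates(s)
    raise ValueError(f"unknown action {action!r}")
```

Note that the sales specialist is denied the merger memo both because of the level and because of the compartment, and that legal counsel, despite holding a higher clearance, cannot read the sales price list: compartments are need-to-know, not a ladder. No subject in this model can grant itself or anyone else access by changing a label, which is the property the question is testing.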
What is considered a valid method for testing an organization's disaster recovery
plan, according to the Certified Information Systems Security Professional
(CISSP)? - Checklist
Who directs policies and procedures that are designed to protect information
resources in an organization? - Information resources security officer
Which topics should be included in an employee security training program? - Social
engineering, shoulder surfing, phishing, malware
What is a threat to business operations? - Sophisticated hacking tools purchased
by a disgruntled employee
Which statement describes a threat? - Spear phishing attack