ISC2 CERTIFIED IN CYBERSECURITY: PRE AND POST COURSE ASSESSMENT

Type: Exam (questions and answers)
Pages: 35
Grade: A+
Published on: 20-12-2023
Written in: 2023/2024

Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1)
A) Nothing
B) Stop participating in the group
C) Report the group to law enforcement
D) Report the group to (ISC)²
B is the best answer. The (ISC)² Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make (ISC)² members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.
Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1)
A) Administrative
B) Finite
C) Physical
D) Technical
A is correct. Both the policy and the instruction are administrative controls; rules and governance are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; training is not a tangible object, so this is not a physical control. D is incorrect; training is not part of the IT environment, so it is not a technical control.
Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1)
A) Technical
B) Obverse
C) Physical
D) Administrative
C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being taken.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2)
A) Acceptance
B) Avoidance
C) Mitigation
D) Transference
C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of action would be to cease whatever activity was associated with the threat. D is incorrect; if Kerpak suggested transference, this would involve forming some sort of risk-sharing relationship with an external party, such as an insurance underwriter.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)
A) Law
B) Policy
C) Standard
D) Procedure
C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.
For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1)
A) Medical systems that store patient data
B) Retail records of past transactions
C) Online streaming of camera feeds that display historical works of art in museums around the world
D) Medical systems that monitor patient condition in an intensive care unit
D is correct. Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed. A is incorrect because stored data, while important, is not as critical to patient health as the monitoring function listed in answer D. B is incorrect because retail transactions do not constitute a risk to health and human safety. C is incorrect because displaying artwork does not reflect a risk to health and human safety; also because the loss of online streaming does not actually affect the asset (the artwork in the museum) in any way—the art will still be in the museum, regardless of whether the camera is functioning.
Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1)
A) User ID
B) Password
C) Fingerprint
D) Iris scan
B is correct. A password is something the user knows and can present as an authentication factor to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are examples of authentication factors that are something you are, also referred to as "biometrics."
In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1)
A) Vulnerability
B) Asset
C) Threat
D) Likelihood
B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)
A) Tell the auditors the truth
B) Ask supervisors for guidance
C) Ask (ISC)² for guidance
D) Lie to the auditors
A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1)
A) Inform (ISC)²
B) Pay the parking ticket
C) Inform supervisors at Triffid
D) Resign employment from Triffid
B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however, pay the ticket.
Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1)
A) Inform (ISC)²
B) Inform law enforcement
C) Inform Triffid management