21. Janet is identifying the set of privileges that should beassigned to a new employee in her organization. Which phase of theaccess control process is she performing? A. Identification B.Authentication C. Accountability D. Authorization

22. Which of the following would NOT be considered in the scopeof organizational compliance efforts? A. Laws B. Company policy C.Internal audit D. Corporate culture

23. Mark is considering outsourcing security functions to athird-party service provider. What benefit is he most likely toachieve? A. Reduced operating costs B. Access to a high level ofexpertise C. Developing in-house talent D. Building internalknowledge

24. What is NOT a good practice for developing strongprofessional ethics? A. Set the example by demonstrating ethics indaily activities B. Encourage adopting ethical guidelines andstandards C. Assume that information should be free D. Inform usersthrough security awareness training

25. Karen is designing a process for issuing checks and decidesthat one group of users will have the authority to create newpayees in the system while a separate group of users will have theauthority to issue checks to those payees. The intent of thiscontrol is to prevent fraud. Which principle is Karen enforcing? A.Job rotation B. Least privilege C. Need-to-know D. Separation ofduties

26. What is NOT a goal of information security awarenessprograms? A. Teach users about security objectives B. Inform usersabout trends and threats in security C. Motivate users to complywith security policy D. Punish users who violate policy

27. Ann is creating a template for the configuration of Windowsservers in her organization. It includes the basic securitysettings that should apply to all systems. What type of documentshould she create? A. Baseline B. Policy C. Guideline D.Procedure

28. Aditya is attempting to classify information regarding a newproject that his organization will undertake in secret. Whichcharacteristic is NOT normally used to make these type ofclassification decisions? A. Value B. Sensitivity C. Criticality D.Threat

29. Marguerite is creating a budget for a software developmentproject. What phase of the system life cycle is she undertaking? A.Project initiation and planning B. Functional requirements anddefinition C. System design specification D. Operations andmaintenance

30. In an accreditation process, who has the authority toapprove a system for implementation? A. Certifier B. Authorizingofficial (AO) C. System owner D. System administrator