
QUESTION 1

Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?

Identification

Authentication

Accountability

Authorization

0.5 points

QUESTION 2

Which of the following would NOT be considered in the scope of organizational compliance efforts?

Laws

Company policy

Internal audit

Corporate culture

0.5 points

QUESTION 3

Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?

Reduced operating costs

Access to a high level of expertise

Developing in-house talent

Building internal knowledge

0.5 points

QUESTION 4

Biyu is making arrangements to use a third-party service provider for security services. She wants to document a requirement for timely notification of security breaches. What type of agreement is most likely to contain formal requirements of this type?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points

QUESTION 5

Which agreement type is typically less formal than other agreements and expresses areas of common interest?

Service level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)

0.5 points

QUESTION 6

What is NOT a good practice for developing strong professional ethics?

Set the example by demonstrating ethics in daily activities

Encourage adopting ethical guidelines and standards

Assume that information should be free

Inform users through security awareness training

0.5 points

QUESTION 7

Which practice is NOT considered unethical under RFC 1087 issued by the Internet Architecture Board (IAB)?

Seeking to gain unauthorized access to resources

Disrupting intended use of the Internet

Enforcing the integrity of computer-based information

Compromising the privacy of users

0.5 points

QUESTION 8

What is NOT a principle for privacy created by the Organization for Economic Cooperation and Development (OECD)?

An organization should collect only what it needs.

An organization should share its information.

An organization should keep its information up to date.

An organization should properly destroy its information when it is no longer needed.

0.5 points

QUESTION 9

Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?

Job rotation

Least privilege

Need-to-know

Separation of duties

0.5 points

QUESTION 10

What is NOT a goal of information security awareness programs?

Teach users about security objectives

Inform users about trends and threats in security

Motivate users to comply with security policy

Punish users who violate policy

0.5 points

QUESTION 11

Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?

Baseline

Policy

Guideline

Procedure

0.5 points

QUESTION 12

Roger's organization received a mass email message that attempted to trick users into revealing their passwords by pretending to be a help desk representative. What category of social engineering is this an example of?

Intimidation

Name dropping

Appeal for help

Phishing

0.5 points

QUESTION 13

Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?

Value

Sensitivity

Criticality

Threat

0.5 points

QUESTION 14

Which activity manages the baseline settings for a system or device?

Configuration control

Reactive change management

Proactive change management

Change control

0.5 points

QUESTION 15

What is the correct order of steps in the change control process?

Request, approval, impact assessment, build/test, monitor, implement

Request, impact assessment, approval, build/test, implement, monitor

Request, approval, impact assessment, build/test, implement, monitor

Request, impact assessment, approval, build/test, monitor, implement

0.5 points

QUESTION 16

Marguerite is creating a budget for a software development project. What phase of the system lifecycle is she undertaking?

Project initiation and planning

Functional requirements and definition

System design specification

Operations and maintenance

0.5 points

QUESTION 17

Bob is preparing to dispose of magnetic media and wishes to destroy the data stored on it. Which method is NOT a good approach for destroying data?

Formatting

Degaussing

Physical destruction

Overwriting

0.5 points

QUESTION 18

In an accreditation process, who has the authority to approve a system for implementation?

Certifier

Authorizing official (AO)

System owner

System administrator

0.5 points

QUESTION 19

In what type of attack does the attacker send unauthorized commands directly to a database?

Cross-site scripting

SQL injection

Cross-site request forgery

Database dumping

0.5 points

QUESTION 20

In what software development model does activity progress in a lock-step sequential process where no phase begins until the previous phase is complete?

Spiral

Agile

Lean

Waterfall
