CISSP Practice Test Questions

1487 Questions


Topic 10: Exam Set B

Which of the following problems is not addressed by using OAuth (Open Standard for Authorization) 2.0 to integrate a third-party identity provider for a service?

A. Resource Servers are required to use passwords to authenticate end users.
B. Revocation of access of some users of the third party instead of all the users from the third party.
C. Compromise of the third party means compromise of all the users in the service.
D. Guest users need to authenticate with the third-party identity provider.

Answer: A. Resource Servers are required to use passwords to authenticate end users.



Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.
When determining appropriate resource allocation, which of the following is MOST important to monitor?

A. Number of system compromises
B. Number of audit findings
C. Number of staff reductions
D. Number of additional assets

Answer: B. Number of audit findings



Which of the following secure startup mechanisms are PRIMARILY designed to thwart attacks?

A. Timing
B. Cold boot
C. Side channel
D. Acoustic cryptanalysis

Answer: B. Cold boot



During the procurement of a new information system, it was determined that some of the security requirements were not addressed in the system specification. Which of the following is the MOST likely reason for this?

A. The procurement officer lacks technical knowledge.
B. The security requirements have changed during the procurement process.
C. There were no security professionals in the vendor's bidding team.
D. The description of the security requirements was insufficient.

Answer: D. The description of the security requirements was insufficient.



Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee does not have a personal computer at home and has a child that uses the computer to send and receive e-mail, search the web, and use instant messaging. The organization's Information Technology (IT) department discovers that a peer-to-peer program has been installed on the computer using the employee's access.
Which of the following documents explains the proper use of the organization's assets?

A. Human resources policy
B. Acceptable use policy
C. Code of ethics
D. Access control policy

Answer: B. Acceptable use policy



An organization decides to implement a partial Public Key Infrastructure (PKI) with only the servers having digital certificates. What is the security benefit of this implementation?

A. Clients can authenticate themselves to the servers.
B. Mutual authentication is available between the clients and servers.
C. Servers are able to issue digital certificates to the client.
D. Servers can authenticate themselves to the client.

Answer: D. Servers can authenticate themselves to the client.



Which of the following violates identity and access management best practices?

A. User accounts
B. System accounts
C. Generic accounts
D. Privileged accounts

Answer: C. Generic accounts



An online retail company has formulated a record retention schedule for customer transactions. Which of the following is a valid reason a customer transaction is kept beyond the retention schedule?

A. Pending legal hold
B. Long-term data mining needs
C. Customer makes request to retain
D. Useful for future business initiatives

Answer: A. Pending legal hold



Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?

A. Make changes following principle and design guidelines.
B. Stop the application until the vulnerability is fixed.
C. Report the vulnerability to the product owner.
D. Monitor the application and review code.

Answer: C. Report the vulnerability to the product owner.



Which of the following is a detective access control mechanism?

A. Log review
B. Least privilege
C. Password complexity
D. Non-disclosure agreement

Answer: A. Log review



Which item below is a federated identity standard?

A. 802.11i
B. Kerberos
C. Lightweight Directory Access Protocol (LDAP)
D. Security Assertion Markup Language (SAML)

Answer: D. Security Assertion Markup Language (SAML)



Which of the following is the MOST effective attack against cryptographic hardware modules?

A. Plaintext
B. Brute force
C. Power analysis
D. Man-in-the-middle (MITM)

Answer: C. Power analysis



