CISSP Practice Test Questions

1487 Questions


Topic 10: Exam Set B

Multi-Factor Authentication (MFA) is necessary in many systems given common types of
password attacks. Which of the following is a correct list of password attacks?


A. Masquerading, salami, malware, polymorphism
B. Brute force, dictionary, phishing, keylogger
C. Zeus, netbus, rabbit, turtle
D. Token, biometrics, IDS, DLP

B. Brute force, dictionary, phishing, keylogger



A large university needs to enable student access to university resources from their homes.
Which of the following provides the BEST option for low maintenance and ease of
deployment?


A. Provide students with Internet Protocol Security (IPSec) Virtual Private Network (VPN) client software.
B. Use Secure Sockets Layer (SSL) VPN technology.
C. Use Secure Shell (SSH) with public/private keys.
D. Require students to purchase a home router capable of VPN.

B. Use Secure Sockets Layer (SSL) VPN technology.



A business has implemented Payment Card Industry Data Security Standard (PCI-DSS)
compliant handheld credit card processing on their Wireless Local Area Network (WLAN)
topology. The network team partitioned the WLAN to create a private segment for credit
card processing using a firewall to control device access and route traffic to the card
processor on the Internet. What components are in the scope of PCI-DSS?


A. The entire enterprise network infrastructure.
B. The handheld devices, wireless access points and border gateway.
C. The end devices, wireless access points, WLAN, switches, management console, and firewall.
D. The end devices, wireless access points, WLAN, switches, management console, and Internet.

C. The end devices, wireless access points, WLAN, switches, management console, and firewall.



Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing
levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance
levels for four users, while Table B lists the security classes of four different files.

In a Bell-LaPadula system, which user cannot write to File 3?


A. User A
B. User B
C. User C
D. User D

D. User D



Refer to the information below to answer the question.
A new employee is given a laptop computer with full administrator access. This employee
does not have a personal computer at home and has a child that uses the computer to
send and receive e-mail, search the web, and use instant messaging. The organization’s
Information Technology (IT) department discovers that a peer-to-peer program has been
installed on the computer using the employee's access.
Which of the following methods is the MOST effective way of removing the Peer-to-Peer
(P2P) program from the computer?


A. Run software uninstall
B. Re-image the computer
C. Find and remove all installation files
D. Delete all cookies stored in the web browser cache

B. Re-image the computer



What is the BEST first step for determining if the appropriate security controls are in place for protecting data at rest?


A. Identify regulatory requirements
B. Conduct a risk assessment
C. Determine business drivers
D. Review the security baseline configuration

B. Conduct a risk assessment



What is the MOST critical factor to achieve the goals of a security program?


A. Capabilities of security resources
B. Executive management support
C. Effectiveness of security management
D. Budget approved for security resources

B. Executive management support



Refer to the information below to answer the question.
A large, multinational organization has decided to outsource a portion of their Information
Technology (IT) organization to a third-party provider’s facility. This provider will be
responsible for the design, development, testing, and support of several critical, customer-based
applications used by the organization.
The third party needs to have


A. processes that are identical to that of the organization doing the outsourcing.
B. access to the original personnel that were on staff at the organization.
C. the ability to maintain all of the applications in languages they are familiar with.
D. access to the skill sets consistent with the programming languages used by the organization.

D. access to the skill sets consistent with the programming languages used by the organization.



When is security personnel involvement in the Systems Development Life Cycle (SDLC) process MOST beneficial?


A. Testing phase
B. Development phase
C. Requirements definition phase
D. Operations and maintenance phase

C. Requirements definition phase



Which of the following BEST describes Recovery Time Objective (RTO)?


A. Time of data validation after disaster
B. Time of data restoration from backup after disaster
C. Time of application resumption after disaster
D. Time of application verification after disaster

C. Time of application resumption after disaster



Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and
the number of Information Technology (IT) operations staff performing basic logical access
security administration functions. Security processes have been tightly integrated into
normal IT operations and are not separate and distinct roles.
Which of the following will MOST likely allow the organization to keep risk at an acceptable
level?


A. Increasing the number of audits performed by third parties
B. Removing privileged accounts from operational staff
C. Assigning privileged functions to appropriate staff
D. Separating the security function into distinct roles

C. Assigning privileged functions to appropriate staff



Refer to the information below to answer the question.
An organization experiencing a negative financial impact is forced to reduce budgets and
the number of Information Technology (IT) operations staff performing basic logical access
security administration functions. Security processes have been tightly integrated into
normal IT operations and are not separate and distinct roles.
Which of the following will indicate where the IT budget is BEST allocated during this time?


A. Policies
B. Frameworks
C. Metrics
D. Guidelines

C. Metrics



