CISSP Questions – Volume 04 – 601-800 Questions

QUESTION 601: 
Which of the following is not concerned with configuration management? 
A. Hardware 
B. Software 
C. Documentation 
D. They all are concerned with configuration management 
Answer: D 
QUESTION 602: 
Configuration Management controls what? 
A. Auditing of changes to the Trusted Computing Base 
B. Control of changes to the Trusted Computing Base 
C. Changes in the configuration access to the Trusted Computing Base 
D. Auditing and controlling any changes to the Trusted Computing Base 
Answer: D 
"Official Definition of Configuration Management 
Identifying, controlling, accounting for and auditing changes made to the baseline TCB, which 
includes changes to hardware, software, and firmware. 
A System that will control changes and test documentation through the operational life cycle of a 
system." Pg 698 Shon Harris: All-in-One CISSP Certification 
"[B3] The security administrator role is clearly defined, and the system must be able to recover 
from failures without its security level being compromised." Pg. 226 Shon Harris CISSP 
All-In-One Exam Guide
QUESTION 603: 
In addition to ensuring that changes to the computer system take place in an identifiable 
and controlled environment, configuration management provides assurance that future 
changes: 
A. The application software cannot bypass system security features. 
B. Do not adversely affect implementation of the security policy. 
C. To do the operating system are always subjected to independent validation and verification. 
D. In technical documentation maintain an accurate description of the Trusted Computer Base. 
Answer: B 
"The primary security goal of configuration management is to ensure that changes to the system 
do not unintentionally diminish security." Pg 306 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 604: 
Which set of principal tasks constitutes configuration management? 
A. Program management, system engineering, and quality assurance. 
B. Requirements verification, design, and system integration and testing. 
C. Independent validation and verification of the initial and subsequent baseline. 
D. Identification, control, status accounting, and auditing of changes. 
Answer: D 
Configuration management is the process of tracking and approving changes to a system. It 
involves identifying, controlling, and auditing all changes made to the system. 
Pg. 223 Krutz: The CISSP Prep Guide 
QUESTION 605: 
If the computer system being used contains confidential information, users must not: 
A. Leave their computer without first logging off. 
B. Share their desks. 
C. Encrypt their passwords. 
D. Communicate 
Answer: A 
Explanation: 
If the computer system being used or to which a user is connected contains sensitive or 
confidential information, users must not leave their computer, terminal, or workstation 
without first logging off. Users should be reminded frequently to follow this rule. 
QUESTION 606: 
Separation of duties is valuable in deterring: 
A. DoS 
B. external intruder 
C. fraud 
D. trojan horse 
Answer: C 
Explanation: 
Separation of duties is considered valuable in deterring fraud since fraud can occur if 
an opportunity exists for collaboration between various job-related capabilities. 
Separation of duty requires that for particular sets of transactions, no single 
individual be allowed to execute all transactions within the set. The most commonly 
used examples are the separate transactions needed to initiate a payment and to 
authorize a payment. No single individual should be capable of executing both 
transactions. 
QUESTION 607: 
What principle requires that for particular sets of transactions, no single individual be 
allowed to execute all transactions within the set? 
A. Use of rights 
B. Balance of power 
C. Separation of duties 
D. Fair use 
Answer: C 
Explanation: 
Separation of duties is considered valuable in deterring fraud since fraud can occur if 
an opportunity exists for collaboration between various job-related capabilities. 
Separation of duty requires that for particular sets of transactions, no single 
individual be allowed to execute all transactions within the set. The most commonly 
used examples are the separate transactions needed to initiate a payment and to 
authorize a payment. No single individual should be capable of executing both 
transactions. 
QUESTION 608: 
Separation of duty can be: 
A. Dynamic only 
B. Encrypted 
C. Static only 
D. Static or dynamic 
Answer: D 
Explanation: 
Separation of duty can be either static or dynamic. Compliance with static separation 
requirements can be determined simply by the assignment of individuals to roles and 
allocation of transactions to roles. The more difficult case is dynamic separation of 
duty where compliance with requirements can only be determined during system operation. 
The objective behind dynamic separation of duty is to allow more flexibility in 
operations. 
QUESTION 609: 
What is the company benefit, in terms of risk, for people taking a vacation of a specified minimum length? 
A. Reduces stress levels, thereby lowering insurance claims. 
B. Improves morale, thereby decreasing errors. 
C. Increases potential for discovering frauds. 
D. Reduces dependence on critical individuals. 
Answer: C 
Mandatory vacations are another type of administrative control that may sound a bit odd at first. 
Chapter 3 touches on reasons to make sure that employees take their vacations; this has to do 
with being able to identify fraudulent activities and enable job rotation to take place. - Shon 
Harris All-in-one CISSP Certification Guide pg 810 
QUESTION 610: 
Which of the following would be less likely to prevent an employee from reporting 
an incident? 
A. They are afraid of being pulled into something they don't want to be involved with 
B. The process of reporting incidents is centralized 
C. They are afraid of being accused of something they didn't do 
D. They are unaware of the company's security policies and procedures 
Answer: A 
Explanation: 
Reference: ALL-IN-ONE CISSP Third Edition by Shon Harris Pg 783. 
QUESTION 611: 
Employee involuntary termination processing should include 
A. A list of all passwords used by the individual. 
B. A report on outstanding projects. 
C. The surrender of any company identification. 
D. Signing a non-disclosure agreement. 
Answer: C 
"Before the employee is released, all organization-specific identification, access, or security 
badges as well as cards, keys, and access tokens should be collected." 
Pg. 173 Tittel: CISSP Study Guide 
QUESTION 612: 
Which trusted facility management concept implies that two operators must review and 
approve the work of each other? 
A. Two-man control 
B. Dual control 
C. Double control 
D. Segregation control 
Answer: A 
Explanation: 
"In the concept of two-man control, two operators review and approve the work of each other. 
The purpose of two-man control is to provide accountability and to minimize fraud in highly 
sensitive or high-risk transactions. The concept of dual control means that both operators are 
needed to complete a sensitive task." Pg. 303 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 613: 
When two operators review and approve the work of each other, this is known as? 
A. Dual control 
B. Two-man control 
C. Two-fold control 
D. Twin control 
Answer: B 
QUESTION 614: 
What security procedure forces an operator into collusion with an operator of a different 
category to have access to unauthorized data? 
A. Enforcing regular password changes 
B. Management monitoring of audit logs 
C. Limiting the specific accesses of operations personnel 
D. Job rotation of people through different assignments 
Answer: C 
QUESTION 615: 
Which of the following user items can be shared? 
A. Password 
B. Home directory 
C. None of the choices. 
Answer: C 
Explanation: 
Each user's assigned directory (home directory) is not to be shared with others. None of 
the choices is correct. 
QUESTION 616: 
What should you do to the user accounts as soon as employment is terminated? 
A. Disable the user accounts and erase immediately the data kept. 
B. Disable the user accounts and have the data kept for a specific period of time. 
C. None of the choices. 
D. Maintain the user accounts and have the data kept for a specific period of time. 
Answer: B 
Explanation: 
A record of user logins with time and date stamps must be kept. User accounts shall be 
disabled and data kept for a specified period of time as soon as employment is 
terminated. All users must log on to gain network access. 
QUESTION 617: 
What is the main objective of proper separation of duties? 
A. To prevent employees from disclosing sensitive information 
B. To ensure access controls are in place 
C. To ensure that no single individual can compromise a system 
D. To ensure that audit trails are not tampered with 
Answer: C 
"Separation of duties (also called segregation of duties) assigns parts of tasks to different 
personnel. Thus if no single person has total control of the system's security mechanisms, the 
theory is that no single person can completely compromise the system." 
Pg. 303 Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 618: 
What are the benefits of job rotation? 
A. All of the choices. 
B. Trained backup in case of emergencies. 
C. Protect against fraud. 
D. Cross training to employees. 
Answer: A 
Explanation: 
Job assignments should be changed periodically so that it is more difficult for users 
to collaborate to exercise complete control of a transaction and subvert it for 
fraudulent purposes. This principle is effective when used in conjunction with a 
separation of duties. Problems in effectively rotating duties usually appear in 
organizations with limited staff resources and inadequate training programs. Rotation 
of duties will protect you against fraud, provide cross training to your employees, as 
well as assuring trained backup in case of emergencies. 
QUESTION 619: 
Which of the following control pairings includes organizational policies and procedures, 
pre-employment background checks, strict hiring practices, employment agreements, 
friendly and unfriendly employee termination procedures, vacation scheduling, labeling of 
sensitive materials, increased supervision, security awareness training, behavior awareness, 
and sign-up procedures to obtain access to information systems and networks? 
A. Preventive/Administrative Pairing 
B. Preventive/Technical Pairing 
C. Preventive/Physical Pairing 
D. Detective/Administrative Pairing 
Answer: A 
QUESTION 620: 
Which of the following are functions that are compatible in a properly segregated 
environment? 
A. Application programming and computer operation 
B. Systems programming and job control analysis 
C. Access authorization and database administration 
D. Systems development and systems maintenance 
Answer: D 
QUESTION 621: 
Which of the following are functions that are compatible in a properly segregated 
environment? 
A. Security administration and quality assurance 
B. Security administration and data entry 
C. Security administration and application programming 
D. Application programming and data entry 
Answer: A 
Explanation: 
Security Administration and Quality Assurance are the most similar tasks. 
Administrative Management: Administrative management is a very important piece of 
operational security. One aspect of administrative management is dealing with personnel issues. 
This includes separation of duties and job rotation. The objective of separation of duties is to 
ensure that one person acting alone cannot compromise the company's security in any way. 
High-risk activities should be broken up into different parts and distributed to different 
individuals. This way the company does not need to put a dangerously high level of trust on 
certain individuals and if fraud were to take place, collusion would need to be committed, 
meaning more than one person would have to be involved in the fraudulent activity. 
Separation of duties also helps to prevent many different types of mistakes that can take place if 
one person is performing a task from the beginning to the end. For instance, a programmer 
should not be the one to test her own code. A different person with a different job and agenda 
should perform functionality and integrity testing on the programmer's code because the 
programmer may have a focused view of what the program is supposed to accomplish and only 
test certain functions, input values, and in certain environments. 
Another example of separation of duties is the difference between the functions of a computer 
operator versus the functions of a system administrator. There must be clear cut lines drawn 
between system administrator duties and computer operator duties. This will vary from 
environment to environment and will depend on the level of security required within the 
environment. The system administrators usually have responsibility of performing backups and 
recovery procedures, setting permissions, adding and removing users, setting user clearance, and 
developing user profiles. The computer operator on the other hand, may be allowed to install 
software, set an initial password, alter desktop configurations, and modify certain system 
parameters. The computer operator should not be able to modify her own security profile, add 
and remove users globally, or set user security clearance. This would breach the concept of 
separation of duties. 
Pg 808-809 Shon Harris: All-In-One CISSP Certification 
QUESTION 622: 
Which of the following are functions that are compatible in a properly segregated 
environment? 
A. Data entry and job scheduling 
B. Database administration and systems security 
C. Systems analyst and application programming 
D. Security administration and systems programming 
Answer: A 
The two most similar jobs are Data Entry and Job Scheduling, so they need not be segregated. 
Administrative Management: Administrative management is a very important piece of 
operational security. One aspect of administrative management is dealing with personnel issues. 
This includes separation of duties and job rotation. The objective of separation of duties is to 
ensure that one person acting alone cannot compromise the company's security in any way. 
High-risk activities should be broken up into different parts and distributed to different 
individuals. This way the company does not need to put a dangerously high level of trust on 
certain individuals and if fraud were to take place, collusion would need to be committed, 
meaning more than one person would have to be involved in the fraudulent activity. 
Separation of duties also helps to prevent many different types of mistakes that can take place if 
one person is performing a task from the beginning to the end. For instance, a programmer 
should not be the one to test her own code. A different person with a different job and agenda 
should perform functionality and integrity testing on the programmer's code because the 
programmer may have a focused view of what the program is supposed to accomplish and only 
test certain functions, input values, and in certain environments. 
Another example of separation of duties is the difference between the functions of a computer 
operator versus the functions of a system administrator. There must be clear cut lines drawn 
between system administrator duties and computer operator duties. This will vary from 
environment to environment and will depend on the level of security required within the 
environment. The system administrators usually have responsibility of performing backups and 
recovery procedures, setting permissions, adding and removing users, setting user clearance, and 
developing user profiles. The computer operator on the other hand, may be allowed to install 
software, set an initial password, alter desktop configurations, and modify certain system 
parameters. The computer operator should not be able to modify her own security profile, add 
and remove users globally, or set user security clearance. This would breach the concept of 
separation of duties. 
Pg 808-809 Shon Harris: All-In-One CISSP Certification Exam Guide 
QUESTION 623: 
Which of the following are functions that are compatible in a properly segregated 
environment? 
A. Application programming and computer operation 
B. Systems programming and job control analysis 
C. Access authorization and database administration 
D. System development and systems maintenance 
Answer: C 
Access Authorization and Database Administration are the most similar tasks of all the choices 
so they need not be separated. 
Administrative Management: Administrative management is a very important piece of 
operational security. One aspect of administrative management is dealing with personnel issues. 
This includes separation of duties and job rotation. The objective of separation of duties is to 
ensure that one person acting alone cannot compromise the company's security in any way. 
High-risk activities should be broken up into different parts and distributed to different 
individuals. This way the company does not need to put a dangerously high level of trust on 
certain individuals and if fraud were to take place, collusion would need to be committed, 
meaning more than one person would have to be involved in the fraudulent activity. 
Separation of duties also helps to prevent many different types of mistakes that can take place if 
one person is performing a task from the beginning to the end. For instance, a programmer 
should not be the one to test her own code. A different person with a different job and agenda 
should perform functionality and integrity testing on the programmer's code because the 
programmer may have a focused view of what the program is supposed to accomplish and only 
test certain functions, input values, and in certain environments. 
Another example of separation of duties is the difference between the functions of a computer 
operator versus the functions of a system administrator. There must be clear cut lines drawn 
between system administrator duties and computer operator duties. This will vary from 
environment to environment and will depend on the level of security required within the 
environment. The system administrators usually have responsibility of performing backups and 
recovery procedures, setting permissions, adding and removing users, setting user clearance, and 
developing user profiles. The computer operator on the other hand, may be allowed to install 
software, set an initial password, alter desktop configurations, and modify certain system 
parameters. The computer operator should not be able to modify her own security profile, add 
and remove users globally, or set user security clearance. This would breach the concept of 
separation of duties. 
Pg 808-809 Shon Harris: All-In-One CISSP Certification 
QUESTION 624: 
Controls are implemented to: 
A. eliminate risk and reduce potential for loss 
B. mitigate risk and eliminate the potential for loss 
C. mitigate risk and reduce the potential for loss 
D. eliminate risk and eliminate the potential for loss 
Answer: C 
QUESTION 625: 
A timely review of system access audit records would be an example of which of the basic 
security functions? 
A. avoidance 
B. deterrence 
C. prevention 
D. detection 
Answer: D 
QUESTION 626: 
A security control should 
A. Allow for many exceptions. 
B. Cover all contingencies. 
C. Not rely on the security of its mechanism. 
D. Change frequently. 
Answer: C 
QUESTION 627: 
What set of principles is the basis for information systems controls? 
A. Authentication, audit trails, and awareness briefings 
B. Individual accountability, auditing, and separation of duties 
C. Need to know, identification, and authenticity 
D. Audit trails, limited tenure, and awareness briefings 
Answer: C 
"In addition to the CIA Triad, there is a plethora of other security-related concepts, principles, 
and tenants that should be considered and addressed when designing a security policy and 
deploying a security solution. This section discusses privacy, identification, authentication, 
authorization, accountability, nonrepudiation, and auditing." Pg. 133 Tittel: CISSP Study Guide 
QUESTION 628: 
An audit trail is a category of what control? 
A. System, Manual 
B. Detective, Technical 
C. User, Technical 
D. Detective, Manual 
Answer: B 
Explanation: 
Detective Technical Controls warn of technical Access Control violations. Under this 
category you would find the following: 
Audit trails 
Violation reports 
Intrusion detection system 
Honeypot 
QUESTION 629: 
An IDS is a category of what control? 
A. Detective, Manual 
B. Detective, Technical 
C. User, Technical 
D. System, Manual 
Answer: B 
Explanation: 
Detective Technical Controls warn of technical Access Control violations. Under this 
category you would find the following: 
Audit trails 
Violation reports 
Intrusion detection system 
Honeypot 
QUESTION 630: 
Technical controls such as encryption and access control can be built into the operating 
system, be software applications, or can be supplemental hardware/software units. Such 
controls, also known as logical controls, represent which pairing? 
A. Preventive/Administrative Pairing 
B. Preventive/Technical Pairing 
C. Preventive/Physical Pairing 
D. Detective/Technical Pairing 
Answer: B 
QUESTION 631: 
Which one of the following can be identified when exceptions occur using operations 
security detective controls? 
A. Unauthorized people seeing confidential reports. 
B. Unauthorized people destroying confidential reports. 
C. Authorized operations people performing unauthorized functions. 
D. Authorized operations people not responding to important console messages. 
Answer: C 
C is the one that makes the most sense. 
[Operation Security] Detective Controls are used to detect an error once it has occurred. Unlike 
preventative controls, these controls operate after the fact and can be used to track an 
unauthorized transaction for prosecution, or to lessen an error's impact on the system by 
identifying it quickly. An example of this type of control is an audit trail. -Ronald Krutz The 
CISSP PREP Guide (gold edition) pg 299 
QUESTION 632: 
Which of the following is not an example of an operation control? 
A. backup and recovery 
B. audit trails 
C. contingency planning 
D. operations procedures 
Answer: C 
"Operation controls are the mechanisms and daily procedures that provide protection for 
systems. 
When designing a protection scheme for resources, it is important to keep the following aspects 
or elements of the IT infrastructure in mind: 
Communication hardware/software 
Boundary devices 
Processing equipment 
Password files 
Application program libraries 
Application source code 
Vendor software 
Operating System 
System Utilities 
Directories and address tables 
Proprietary packages 
Main storage 
Removable storage 
Sensitive/critical data 
System logs/audit trails 
Violation reports 
Backup files and media 
Sensitive forms and printouts 
Isolated devices, such as printers and faxes 
Telephone network" 
Pg 406-407 Tittel: CISSP Study Guide 
QUESTION 633: 
Which of the following is not an example of an operational control? 
A. backup and recovery 
B. audit trails 
C. contingency planning 
D. operations procedures 
Answer: B 
Audit Trails fall under Operations Security Auditing, as opposed to Operations Security Operations 
Controls. 
"Operations Controls embody the day-to-day procedures used to protect computer operations. 
The concepts of resource protection, hardware/software control, and privileged entity must be 
understood by the CISSP candidate." Pg. 311 Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 634: 
Access control allows you to exercise directing influence over which of the following aspects 
of a system? 
A. Behavior, user, and content provider. 
B. Behavior, use, and content. 
C. User logs and content. 
D. None of the choices. 
Answer: B 
Explanation: 
Access control is the collection of mechanisms that permits managers of a system to 
exercise a directing or restraining influence over the behavior, use, and content of a 
system. It permits management to specify what users can do, which resources they can 
access, and what operations they can perform on a system. 
QUESTION 635: 
____________ is the means by which the ability to do something with a computer resource 
is explicitly enabled or restricted. 
A. Access control 
B. Type of access 
C. System resource 
D. Work permit 
Answer: A 
Explanation: 
Access is the ability to do something with a computer resource (e.g., use, change, or 
view). Access control is the means by which the ability is explicitly enabled or 
restricted in some way (usually through physical and system-based controls). 
Computer-based access controls can prescribe not only who or what process may have 
access to a specific system resource, but also the type of access that is permitted. 
These controls may be implemented in the computer system or in external devices. 
QUESTION 636: 
The ability to do something with a computer resource can be explicitly enabled or 
restricted through: 
A. Physical and system-based controls. 
B. Theoretical and system-based controls. 
C. Mental and system-based controls. 
D. Physical and trap-based controls. 
Answer: A 
Explanation: 
Access is the ability to do something with a computer resource (e.g., use, change, or 
view). Access control is the means by which the ability is explicitly enabled or 
restricted in some way (usually through physical and system-based controls). 
Computer-based access controls can prescribe not only who or what process may have 
access to a specific system resource, but also the type of access that is permitted. 
These controls may be implemented in the computer system or in external devices. 
QUESTION 637: 
The main categories of access control do NOT include: 
A. Administrative Access Control 
B. Logical Access Control 
C. Random Access Control 
D. Physical Access Control 
Answer: C 
Explanation: 
There are several different categories of access control. The main categories are: 
--Physical Access Control 
--Administrative Access Control 
--Logical Access Control 
--Data Access Control 
QUESTION 638: 
You have very strict Physical Access controls. At the same time you have loose Logical 
Access Controls. What is true about this setting? 
A. None of the choices. 
B. It can 100% secure your environment. 
C. It may secure your environment. 
D. It may not secure your environment. 
Answer: D 
Explanation: 
Access control is a bit like the four legs of a chair. Each of the legs must be equal 
or else an imbalance will be created. If you have very strict Physical Access controls 
but very poor Logical Access Controls then you may not succeed in securing your 
environment. 
QUESTION 639: 
Which of the following is not a detective technical control? 
A. Intrusion detection system 
B. Violation reports 
C. Honeypot 
D. None of the choices. 
Answer: D 
Explanation: 
Detective Technical Controls warn of technical Access Control violations. Under this 
category you would find the following: 
Audit trails 
Violation reports 
Intrusion detection system 
Honeypot 
QUESTION 640: 
A business continuity plan is an example of which of the following? 
A. Corrective Control 
B. Detective Control 
C. Preventive Control 
D. Compensating Control 
Answer: A 
QUESTION 641: 
________ Technical Controls warn of technical Access Control violations. 
A. Elusive 
B. Descriptive 
C. Corrective 
D. Detective 
Answer: D 
Explanation: 
Detective Technical Controls warn of technical Access Control violations. Under this 
category you would find the following: 
Audit trails 
Violation reports 
Intrusion detection system 
Honeypot 
QUESTION 642: 
A two factor authentication method is considered a: 
A. Technical control 
B. Patching control 
C. Corrective control 
D. Logical control 
Answer: D 
Explanation: 
By technical controls we mean some or all of the following: 
Access Control software 
Antivirus Software 
Passwords 
Smart Cards 
Encryption 
Call-back systems 
Two factor authentication 
QUESTION 643: 
Which of the following are NOT considered technical controls? 
A. Access Control software 
B. Man trap 
C. Passwords 
D. Antivirus Software 
Answer: B 
Explanation: 
By technical controls we mean some or all of the following: 
Access Control software 
Antivirus Software 
Passwords 
Smart Cards 
Encryption 
Call-back systems 
Two factor authentication 
QUESTION 644: 
___________________ are the technical ways of restricting who or what can access system 
resources. 
A. Preventive Manual Controls 
B. Detective Technical Controls 
C. Preventive Circuit Controls 
D. Preventive Technical Controls 
Answer: D 
Explanation: 
Preventive Technical Controls are the technical ways of restricting who or what can 
access system resources and what type of access is permitted. Their purpose is to protect 
the OS and other systems from unauthorized modification or manipulation. They are usually 
built into an operating system, or they can be part of an application or program, an 
add-on security package, or special components that regulate communication between 
computers. They also protect integrity and availability by limiting the number of 
users and/or processes. These controls also protect confidential information from being 
disclosed to unauthorized persons. 
QUESTION 645: 
Which of the following is not a form of detective administrative control? 
A. Rotation of duties 
B. Required vacations 
C. Separation of duties 
D. Security reviews and audits 
Answer: C 
QUESTION 646: 
Preventive Technical Controls are usually built: 
A. By using MD5. 
B. Into an operating system. 
C. By security officer. 
D. By security administrator. 
Answer: B 
Explanation: 
Preventive Technical Controls are the technical ways of restricting who or what can 
access system resources and what type of access is permitted. Their purpose is to protect 
the OS and other systems from unauthorized modification or manipulation. They are usually 
built into an operating system, or they can be part of an application or program, an 
add-on security package, or special components that regulate communication between 
computers. They also protect integrity and availability by limiting the number of 
users and/or processes. These controls also protect confidential information from being 
disclosed to unauthorized persons. 
QUESTION 647: 
Preventive Technical Controls cannot: 
A. Protect the OS from unauthorized modification. 
B. Protect confidential information from being disclosed to unauthorized persons. 
C. Protect the OS from unauthorized manipulation. 
D. Protect users from being monitored. 
Answer: D 
Explanation: 
Preventive Technical Controls are the technical ways of restricting who or what can 
access system resources and what type of access is permitted. Their purpose is to protect 
the OS and other systems from unauthorized modification or manipulation. They are usually 
built into an operating system, or they can be part of an application or program, an 
add-on security package, or special components that regulate communication between 
computers. They also protect integrity and availability by limiting the number of 
users and/or processes. These controls also protect confidential information from being 
disclosed to unauthorized persons. 
QUESTION 648: 
How do Preventive Technical Controls protect system integrity and availability? 
A. By limiting the number of threads only. 
B. By limiting the number of system variables. 
C. By limiting the number of function calls only. 
D. By limiting the number of users and/or processes. 
Answer: D 
Explanation: 
Preventive Technical Controls are the technical ways of restricting who or what can 
access system resources and what type of access is permitted. Their purpose is to protect 
the OS and other systems from unauthorized modification or manipulation. They are usually 
built into an operating system, or they can be part of an application or program, an 
add-on security package, or special components that regulate communication between 
computers. They also protect integrity and availability by limiting the number of 
users and/or processes. These controls also protect confidential information from being 
disclosed to unauthorized persons. 
QUESTION 649: 
Which of the following is NOT a type of access control? 
A. Intrusive 
B. Deterrent 
C. Detective 
D. Preventive 
Answer: A 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses) 
QUESTION 650: 
As a type of access control, which of the following aims at avoiding occurrences? 
A. Preventive 
B. Deterrent 
C. Intrusive 
D. Detective 
Answer: A 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses) 
QUESTION 651: 
As a type of access control, which of the following aims at identifying occurrences? 
A. Deterrent 
B. Preventive 
C. Detective 
D. Intrusive 
Answer: C 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses)
QUESTION 652: 
As a type of access control, which of the following aims at discouraging occurrences? 
A. Detective 
B. Intrusive 
C. Deterrent 
D. Preventive 
Answer: C 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses) 
QUESTION 653: 
As a type of access control, which of the following aims at restoring controls? 
A. Deterrent 
B. Intrusive 
C. Corrective 
D. Preventive 
Answer: C 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses) 
QUESTION 654: 
What type of access control focuses on restoring resources? 
A. Recovery 
B. Preventive 
C. Intrusive 
D. Corrective 
Answer: A 
Explanation: 
There are different types of access control. Access controls can be categorized as 
follows: 
Preventive (in order to avoid occurrence) 
Detective (in order to detect or identify occurrences) 
Deterrent (in order to discourage occurrences) 
Corrective (in order to correct or restore controls) 
Recovery (in order to restore resources, capabilities, or losses) 
QUESTION 655: 
Access control is the collection of mechanisms that permits managers of a system to 
exercise influence over the use of: 
A. A man guard 
B. An IS system 
C. A threshold 
D. A Trap 
Answer: B 
Explanation: 
Access control is the collection of mechanisms that permits managers of a system to 
exercise a directing or restraining influence over the behavior, use, and content of a 
system. It permits management to specify what users can do, which resources they can 
access, and what operations they can perform on a system. 
QUESTION 656: 
What fencing height is likely to stop a determined intruder? 
A. 3' to 4' high 
B. 6' to 7' high 
C. 8' high and above with strands of barbed wire 
D. No fence can stop a determined intruder 
Answer: C 
QUESTION 657: 
Lock picking is classified under which one of the following lock mechanism attacks? 
A. Illicit key 
B. Circumvention 
C. Manipulation 
D. Shimming 
Answer: D 
QUESTION 658: 
The Physical Security domain addresses three areas that can be utilized to physically 
protect an enterprise's resources and sensitive information. Which of the following is not 
one of these areas? 
A. Threats 
B. Countermeasures 
C. Vulnerabilities 
D. Risks 
Answer: D 
QUESTION 659: 
Which issue when selecting a facility site deals with the surrounding terrain, building 
markings and signs, and high or low population in the area? 
A. surrounding area and external entities 
B. natural disasters 
C. accessibility 
D. visibility 
Answer: D 
QUESTION 660: 
Which of the following is not a physical control for physical security? 
A. lighting 
B. fences 
C. training 
D. facility construction materials 
Answer: C 
QUESTION 661: 
The main risks that physical security components combat are all of the following 
EXCEPT: 
A. SYN flood 
B. physical damage 
C. theft 
D. availability 
Answer: A 
QUESTION 662: 
What mechanism automatically causes an alarm originating in a data center to be 
transmitted over the local municipal fire or police alarm circuits for relaying to both the 
local police/fire station and the appropriate headquarters? 
A. Central station alarm 
B. Proprietary alarm 
C. A remote station alarm 
D. An auxiliary station alarm 
Answer: A 
QUESTION 663: 
Examples of types of physical access controls include all except which of the following? 
A. badges 
B. locks 
C. guards 
D. passwords 
Answer: D 
QUESTION 664: 
Which of the following is the most costly countermeasure for reducing physical security 
risks? 
A. procedural controls 
B. hardware devices 
C. electronic systems 
D. personnel 
Answer: D 
QUESTION 665: 
Which of the following protection devices is used for spot protection within a few inches of 
the object, rather than for overall room security monitoring? 
A. Wave pattern motion detectors 
B. Capacitance detectors 
C. Field-powered devices 
D. Audio detectors 
Answer: A 
QUESTION 666: 
Which of the following questions is less likely to help in assessing physical access controls? 
A. Does management regularly review the list of persons with physical access to sensitive 
facilities? 
B. Is the operating system configured to prevent circumvention of the security software and 
application controls? 
C. Are keys or other access devices needed to enter the computer room and media library? 
D. Are visitors to sensitive areas signed in and escorted? 
Answer: B 
QUESTION 667: 
The concentric circle approach is used to 
A. Evaluate environmental threats. 
B. Assess the physical security facility. 
C. Assess the communications network security. 
D. Develop a personnel security program. 
Answer: B 
The original answer for this question was C (assess the communications network security); however, I think the 
concentric circle is defining what in the Krutz book is known as the security perimeter. To this end, this is a 
reference: 
"A circular security perimeter that is under the access control defines the area or zone to be protected. 
Preventive/physical controls include fences, badges, multiple doors (man-traps that consist of two doors physically 
separated so that an individual can be 'trapped' in the space between the doors after entering one of the doors), 
magnetic card entry systems, biometrics (for identification), guards, dogs, environmental control systems 
(temperature, humidity, and so forth), and building and access area layout." - Ronald Krutz, The CISSP Prep 
Guide (Gold Edition), pg 13 
This is a standard concentric circle model shown in Figure 1. If you've never seen this, you 
haven't had a security lecture. 
On the outside is our perimeter. We are fortunate to have some defenses on our base. Although 
some bases don't have people guarding the gates and checking IDs any longer, there's still the 
perception that it's tougher to commit a crime on a Naval base than it would be at GM. 
The point is: How much control do we have over fencing and guards? The answer: Not much. 
The next circle, the red circle, contains your internal access controls. For our purposes, the heart 
of the red circle is the computer. That's what I want to zero in on. The internal controls are the 
things you can do to keep people out of your PCs and off your network. 
http://www.chips.navy.mil/archives/96_oct/file5.htm 
QUESTION 668: 
The MAIN reason for developing closed-circuit television (CCTV) as part of your physical security program 
is to 
A. Provide hard evidence for criminal prosecution. 
B. Apprehend criminals. 
C. Deter criminal activity. 
D. Increase guard visibility. 
Answer: D 
A CCTV enables a guard to monitor many different areas at once from a centralized location. - 
Shon Harris, All-in-One CISSP Certification Guide pg 179-180 
QUESTION 669: 
Closed circuit TV is a feature of: 
A. Detective Physical Controls 
B. Corrective Physical Controls 
C. Corrective Logical Controls 
D. Logical Physical Controls 
Answer: A 
Explanation: 
Detective Physical Controls would use the following: motion detectors, closed circuit 
TV, sensors, and alarms. 
QUESTION 670: 
Motion detector is a feature of: 
A. Corrective Logical Controls. 
B. Logical Physical Controls. 
C. Corrective Physical Controls. 
D. Detective Physical Controls. 
Answer: D 
Explanation: 
Detective Physical Controls would use the following: motion detectors, closed circuit 
TV, sensors, and alarms. 
QUESTION 671: 
Which of the following is a physical control? 
A. Monitoring of system activity 
B. Environmental controls 
C. Identification and authentication methods 
D. Logical access control mechanisms 
Answer: B 
QUESTION 672: 
Which of the following is a detective control? 
A. Segregation of duties 
B. Back-up procedures 
C. Audit trails 
D. Physical access control 
Answer: C 
QUESTION 673: 
The basic Electronic Access Control (EAC) components required for access doors are an electromagnetic lock, 
A. A credential reader, and a door closed sensor. 
B. A card reader, and a door open sensor. 
C. A biometric reader, and a door open sensor. 
D. A card reader, and door motion detector. 
Answer: A 
We have not been able to find any real reference for this question, so we are going with A. 
"In addition to smart and dumb cards, proximity readers can be used to control physical access. 
A proximity reader can be a passive device, a field-powered device, or a transponder." - Ed Tittel, 
CISSP Study Guide (Sybex) pg 650 
QUESTION 674: 
Which of the following control pairings places emphasis on "soft" mechanisms that support 
the access control objectives? 
A. Preventive/Technical Pairing 
B. Preventive/Administrative Pairing 
C. Preventive/Physical Pairing 
D. Detective/Administrative Pairing 
Answer: B 
"Preventive-Administrative 
The following are the soft mechanisms that are put into place to enforce access control and 
protection for the company as a whole: 
Policies and procedures 
Effective hiring practices 
Pre-employment background checks 
Controlled termination processes 
Data classification and labeling 
Security awareness" 
Pg. 157 Shon Harris: All-In-One CISSP Certification Guide. 
QUESTION 675: 
Controls like guards and general steps to maintain building security, securing of server 
rooms or laptops, the protection of cables, and the backing up of files are some of the 
examples of: 
A. Administrative controls 
B. Logical controls 
C. Technical controls 
D. Physical controls 
Answer: D 
QUESTION 676: 
Which of the following is NOT a type of motion detector? 
A. photoelectric sensor 
B. wave pattern 
C. capacitance 
D. audio detector 
Answer: D 
Explanation: An audio detector detects sound, not motion. 
Not A: A photoelectric sensor is a motion sensor; that is what it was designed to do. 
QUESTION 677: 
Which of the following measures would be the BEST deterrent to the theft of corporate 
information from a laptop which was left in a hotel room? 
A. Store all data on disks and lock them in an in-room safe 
B. Remove the batteries and power supply from the laptop and store them separately from the 
computer 
C. Install a cable lock on the laptop when it is unattended 
D. Encrypt the data on the hard drive 
Answer: D 
QUESTION 678: 
Guards are appropriate whenever the function required by the security program involves 
which of the following? 
A. The use of discriminating judgment 
B. The use of physical force 
C. The operation of access control devices 
D. The need to detect unauthorized access 
Answer: A 
QUESTION 679: 
Which of the following floors would be the most appropriate location for information 
processing facilities in a six-story building? 
A. Basement 
B. Ground floor 
C. Third floor 
D. Sixth floor 
Answer: C 
QUESTION 680: 
Which of the following risks will most likely affect confidentiality, integrity and availability? 
A. Physical damage 
B. Unauthorized disclosure of information 
C. Loss of control over system 
D. Physical theft 
Answer: D 
QUESTION 681: 
Which is the last line of defense in a physical security sense? 
A. people 
B. interior barriers 
C. exterior barriers 
D. perimeter barriers 
Answer: A 
QUESTION 682: 
The recording of events with a closed-circuit TV camera is considered a: 
A. Preventative control 
B. Detective control 
C. Compensating control 
D. Corrective Control 
Answer: B 
QUESTION 683: 
A sensor is a: 
A. Logical, Physical 
B. Corrective, Logical 
C. Detective, Physical 
D. Corrective, Physical 
Answer: C 
Explanation: 
Detective Physical Controls would use the following: motion detectors, closed circuit 
TV, sensors, and alarms. 
QUESTION 684: 
What fencing height is likely to stop a determined intruder? 
A. 3' to 4' high 
B. 6' to 7' high 
C. 8' high and above with strands of barbed wire 
D. No fence can stop a determined intruder 
Answer: C 
Reference: "2.4 meters/8 feet with top guard: Deters determined intruder". Pg 467 Hansche: 
Official (ISC)2 Guide to the CISSP Exam 
QUESTION 685: 
A controlled light fixture mounted on a 5-meter pole can illuminate an area 30 meter in diameter. 
For security lighting purposes, what would be the proper distance between fixtures? 
A. 25 meters 
B. 30 meters 
C. 35 meters 
D. 40 meters 
Answer: B 
The National Institute of Standards and Technology (NIST) standard pertaining to perimeter 
protection states that critical areas should be illuminated eight feet high and two feet out. (It is 
referred to as two-feet candles that reach eight feet in height) - Shon Harris All-in-one CISSP 
Certification Guide pg 325 
QUESTION 686: 
Critical areas should be lighted: 
A. Eight feet high and two feet out 
B. Eight feet high and four feet out 
C. Ten feet high and four feet out 
D. Ten feet high and six feet out 
Answer: A 
QUESTION 687: 
Which of the following statements regarding an off-site information processing facility is 
TRUE? 
A. It should have the same amount of physical access restrictions as the primary processing unit 
B. It should be located in proximity to the originating site so that it can quickly be made 
operational 
C. It should be easily identified from the outside so in the event of an emergency it can be easily 
found 
D. Need not have the same level of environmental monitoring as the originating site since this 
would be cost prohibitive 
Answer: A 
QUESTION 688: 
Which of the following is electromagnetic interference (EMI) that is noise from the 
radiation generated by the difference between the hot and ground wires? 
A. common-mode noise 
B. traverse-mode noise 
C. transversal-mode noise 
D. crossover-mode noise 
Answer: A 
QUESTION 689: 
Which of the following is NOT a precaution you can take to reduce static electricity? 
A. power line conditioning 
B. anti-static sprays 
C. maintain proper humidity levels 
D. anti-static flooring 
Answer: A 
QUESTION 690: 
Devices that supply power when the commercial utility power system fails are called which 
of the following? 
A. power conditioners 
B. uninterruptible power supplies 
C. power filters 
D. power dividers 
Answer: B 
QUESTION 691: 
A prolonged high voltage is a: 
A. spike 
B. blackout 
C. surge 
D. fault 
Answer: C 
QUESTION 692: 
A prolonged power supply that is below normal voltage is a: 
A. brownout 
B. blackout 
C. surge 
D. fault 
Answer: A 
QUESTION 693: 
A prolonged power outage is a: 
A. brownout 
B. blackout 
C. surge 
D. fault 
Answer: B 
QUESTION 694: 
A momentary power outage is a: 
A. spike 
B. blackout 
C. surge 
D. fault 
Answer: D 
QUESTION 695: 
What can be defined as a momentary low voltage? 
A. Spike 
B. Sag 
C. Fault 
D. Brownout 
Answer: B 
QUESTION 696: 
Electrical systems are the lifeblood of computer operations. The continued supply of clean, 
steady power is required to maintain the proper personnel environment as well as to 
sustain data operations. Which of the following is not an element that can threaten power 
systems? 
A. Noise 
B. Humidity 
C. Brownouts 
D. UPS 
Answer: D 
QUESTION 697: 
Under what conditions would use of a "Class C" hand-held fire extinguisher be preferable 
to use of a "Class A" hand-held fire extinguisher? 
A. When the fire is in its incipient stage 
B. When the fire involves electrical equipment 
C. When the fire is located in an enclosed area 
D. When the fire is caused by flammable products 
Answer: B 
QUESTION 698: 
Which of the following is a class C fire? 
A. electrical 
B. liquid 
C. common combustibles 
D. soda acid 
Answer: A 
QUESTION 699: 
Which of the following is not an EPA-approved replacement for Halon? 
A. Water 
B. Argon 
C. NAF-S-III 
D. Bromine 
Answer: D 
QUESTION 700: 
Which of the following suppresses combustion through a chemical reaction that kills the 
fire? 
A. Halon 
B. CO2 
C. water 
D. soda acid 
Answer: A 
QUESTION 701: 
Which of the following is a class A fire? 
A. common combustibles 
B. liquid 
C. electrical 
D. Halon 
Answer: A 
QUESTION 702: 
To be in compliance with the Montreal Protocol, which of the following options can be 
taken to refill a Halon flooding system in the event that Halon is fully discharged in the 
computer room? 
A. Order an immediate refill with Halon 1201 from the manufacturer 
B. Contact a Halon recycling bank to make arrangements for a refill 
C. Order a different chlorofluorocarbon compound from the manufacturer 
D. Order an immediate refill with Halon 1301 from the manufacturer 
Answer: B 
QUESTION 703: 
Under what conditions would the use of a Class C fire extinguisher be preferable to a Class 
A extinguisher? 
A. When the fire involves paper products 
B. When the fire is caused by flammable products 
C. When the fire involves electrical equipment 
D. When the fire is in an enclosed area 
Answer: C 
QUESTION 704: 
Which of the following is true about a "dry pipe" sprinkler system? 
A. It is a substitute for carbon dioxide systems 
B. It maximizes chances of accidental discharge of water 
C. It minimizes chances of accidental discharge of water 
D. It uses less water than "wet pipe" systems 
Answer: C 
QUESTION 705: 
Under what conditions would use of a "Class C" hand-held fire extinguisher be preferable 
to use of a "Class A" hand-held fire extinguisher? 
A. When the fire is in its incipient stage 
B. When the fire involves electrical equipment 
C. When the fire is located in an enclosed area 
D. When the fire is caused by flammable products 
Answer: B 
QUESTION 706: 
For which fire class is water most appropriate? 
A. Class A fires 
B. Class B fires 
C. Class C fires 
D. Class D fires 
Answer: A 
QUESTION 707: 
What category of water sprinkler system is currently the most recommended water system 
for a computer room? 
A. Dry Pipe sprinkler system 
B. Wet Pipe sprinkler system 
C. Pre-action sprinkler system 
D. Deluge sprinkler system 
Answer: C 
QUESTION 708: 
Which of the following is currently the most recommended water system for a computer 
room? 
A. pre-action 
B. wet pipe 
C. dry pipe 
D. deluge 
Answer: A 
Reference: pg 496 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 709: 
According to the ISC2, what should be the fire rating for the walls of an information 
processing facility? 
A. All walls must have a one-hour minimum fire rating 
B. All walls must have a one-hour minimum fire rating, except for walls to adjacent rooms 
where records such as paper and media are stored, which should have a two-hour minimum fire 
rating 
C. All walls must have a two-hour minimum fire rating 
D. All walls must have a two-hour minimum fire rating, except for walls to adjacent rooms 
where records such as paper and media are stored, which should have a three-hour minimum fire 
rating. 
Answer: C 
QUESTION 710: 
Which of the following suppresses the fuel supply of the fire? 
A. soda acid 
B. CO2 
C. Halon 
D. water 
Answer: A 
QUESTION 711: 
Which of the following is true about a "dry pipe" sprinkler system? 
A. It is a substitute for carbon dioxide systems 
B. It maximizes chances of accidental discharge of water 
C. It minimizes chances of accidental discharge of water 
D. It uses less water than "wet pipe" systems 
Answer: C 
QUESTION 712: 
The most prevalent cause of computer center fires is which of the following? 
A. AC equipment 
B. electrical distribution systems 
C. heating systems 
D. natural causes 
Answer: B 
QUESTION 713: 
What fire suppression system can be used in computer rooms that will not 
damage computers and is safe for humans? 
A. Water 
B. FM200 
C. Halon 
D. CO2 
Answer: B 
Reference: http://www.fireline.com/fl_fm200firesuppression.html 
FM-200 Systems 
FM-200 Fire Suppression Systems - Halon Alternatives Fire Protection Systems 
FM200 is a fire suppression system agent manufactured by Great Lakes Chemical. 
How FM200 Suppresses Fire 
FM200 suppresses fire by discharging as a gas onto the surface of combusting materials. Large 
amounts of heat energy are absorbed from the surface of the burning material, lowering its 
temperature below the ignition point. 
FM200 Fire Suppression Systems and the Environment 
FM200 fire suppression systems have low atmospheric lifetimes, global warming, and ozone 
depletion potentials. Unlike Halon 1301 fire suppression systems, FM200 systems are 
environmentally friendly. They provide an effective, safe method of special hazards fire 
suppression where a non-residue producing clean agent is essential. 
QUESTION 714: 
The following are fire detector types EXCEPT: 
A. smoke activated 
B. flame actuated 
C. acoustical-seismic detection system 
D. heat activated 
Answer: C 
QUESTION 715: 
For which fire class is water most appropriate? 
A. Class A fires 
B. Class B fires 
C. Class C fires 
D. Class D fires 
Answer: A 
"Fire Extinguisher Classes 
Class   Type                   Suppression Material 
A       Common combustibles    Water, soda acid (dry powder) 
B       Liquids                CO2, Halon, soda acid 
C       Electrical             CO2, Halon" 
Pg. 578 Tittel: CISSP Study Guide 
QUESTION 716: 
Which one of the following actions should be taken FIRST after a fire has been detected? 
A. Turn off power to the computers 
B. Call the fire department 
C. Notify management 
D. Evacuate all personnel 
Answer: D 
Protection of life is of the utmost importance and should be dealt with first before looking to 
save material objects. - Shon Harris All-in-one CISSP Certification Guide pg 625 
QUESTION 717: 
Which of the following provides coordinated procedures for minimizing loss of life or 
injury and protecting property damage in response to a physical threat? 
A. Business continuity plan 
B. Incident response plan 
C. Disaster recovery plan 
D. Occupant emergency plan 
Answer: D 
"Occupant Emergency Plan (OEP). The OEP is a document providing coordinated procedures 
for minimizing loss of life or injury and protecting property damage in response to a physical 
threat. It does not necessarily deal with business systems or IT system functionality, but rather 
focuses on personnel and property at a specific facility." Pg 666 Hansche: Official (ISC)2 Guide 
to the CISSP Exam 
QUESTION 718: 
Disaster Recovery Plan emergency procedures constitute a plan of action that commences 
immediately to prevent or minimize property damage and to: 
A. Prevent interruption of service. 
B. Minimize embarrassment. 
C. Prevent loss of life. 
D. Evacuate the facility. 
Answer: C 
Protection of life is of the utmost importance and should be dealt with first before looking to 
save material objects. - Shon Harris All-in-one CISSP Certification Guide pg 625 
QUESTION 719: 
What is the PRIMARY concern during a disaster? 
A. Recovery of the critical functions. 
B. Availability of a hot site. 
C. Acceptable outage duration. 
D. Personnel safety. 
Answer: D 
Personnel safety goes way above and beyond all other things, unless you're a rescue worker, and 
even then safety is still priority #1. Recovering critical functions and downtime are not the 
MOST important concerns; data can be recovered, but a potential loss of life cannot be, making 
personnel safety of the utmost importance. 
QUESTION 720: 
Which of the following elements is not included in a Public Key Infrastructure (PKI)? 
A. Timestamping 
B. Lightweight Directory Access Protocol (LDAP) 
C. Certificate revocation 
D. Internet Key Exchange (IKE) 
Answer: D 
QUESTION 721: 
In a Public Key Infrastructure (PKI) context, which of the following is a primary concern 
with LDAP servers? 
A. Availability 
B. Accountability 
C. Confidentiality 
D. Flexibility 
Answer: A 
QUESTION 722: 
What is NOT true of pre-shared key authentication within the IKE/IPsec protocol? 
A. Pre-shared key authentication is normally based on simple passwords 
B. Needs a PKI to work 
C. Only one pre-shared key for all VPN connections is needed 
D. Costly key management on large user groups 
Answer: B 
QUESTION 723: 
What is the role of IKE within the IPsec protocol: 
A. peer authentication and key exchange 
B. data encryption 
C. data signature 
D. enforcing quality of service 
Answer: A 
"In order to set up and manage SAs on the Internet, a standard format called the Internet Security 
Association and Key Management Protocol (ISAKMP) was established. ISAKMP provides for 
secure key exchange and data authentication. However, ISAKMP is independent of the 
authentication protocols, security protocols, and encryption algorithms. Strictly speaking, a 
combination of three protocols is used to define key management for IPSEC. These protocols are 
ISAKMP, Secure Key Exchange Mechanism (SKEME) and Oakley. When combined and 
applied to IPSEC, these protocols are called the Internet Key Exchange (IKE) protocol." Pg. 222 
Krutz: The CISSP Prep Guide: Gold Edition 
QUESTION 724: 
In a Public Key Infrastructure, how are public keys published? 
A. They are sent via e-mail 
B. Through digital certificates 
C. They are sent by owners 
D. They are not published 
Answer: B 
QUESTION 725: 
Which of the following is defined as a key establishment protocol based on the 
Diffie-Hellman algorithm proposed for IPsec but superseded by IKE? 
A. Diffie-Hellman Key Exchange Protocol 
B. Internet Security Association and Key Management Protocol (ISAKMP) 
C. Simple Key-management for Internet Protocols (SKIP) 
D. OAKLEY 
Answer: D 
QUESTION 726: 
Which of the following defines the key exchange for Internet Protocol Security (IPSEC)? 
A. Internet Security Association Key Management Protocol (ISAKMP) 
B. Internet Key Exchange (IKE) 
C. Security Key Exchange (SKE) 
D. Internet Communication Messaging Protocol (ICMP) 
Answer: A 
Because IPsec is a framework, it does not dictate what hashing and encryption algorithms are to 
be used or how keys are to be exchanged between devices. Key management can be handled 
through a manual process or an automated key management protocol. The Internet Security 
Association and Key Management Protocol (ISAKMP) is an authentication and key exchange 
architecture that is independent of the type of keying mechanisms used. 
Pg 577 Shon Harris All-In-One CISSP Certification Exam Guide 
QUESTION 727: 
A network of five nodes is using symmetrical keys to securely transmit data. How many 
new keys are required to re-establish secure communications to all nodes in the event there 
is a key compromise? 
A. 5 
B. 10 
C. 20 
D. 25 
Answer: A 
In a typical VPN using secret keys there would be one key at the central office and the same key 
provided to each telecommuter, in this case 4. If the key was compromised, all 5 keys would 
have to be changed. 
"Secret key cryptography is the type of encryption that is familiar to most people. In this type of 
cryptography, the sender and receiver both know a secret key. The sender encrypts the plaintext 
message with the secret key, and the receiver decrypts the message with the same secret key." 
-Ronald Krutz The CISSP PREP Guide (gold edition) pg 194 
QUESTION 728: 
What is the effective key size of DES? 
A. 56 bits 
B. 64 bits 
C. 128 bits 
D. 1024 bits 
Answer: A 
QUESTION 729: 
Matches between which of the following are important because they represent references 
from one relation to another and establish the connection among these relations? 
A. foreign key to primary key 
B. foreign key to candidate key 
C. candidate key to primary key 
D. primary key to secondary key 
Answer: A 
QUESTION 730: 
Which of the following can best be defined as a key distribution protocol that uses hybrid 
encryption to convey session keys that are used to encrypt data in IP packets? 
A. Internet Security Association and Key Management Protocol (ISAKMP) 
B. Simple Key-Management for Internet Protocols (SKIP) 
C. Diffie-Hellman Key Distribution Protocol 
D. IPsec Key Exchange (IKE) 
Answer: B 
Reference: pg 117 Krutz 
QUESTION 731: 
What is the PRIMARY advantage of secret key encryption systems as compared with 
public key systems? 
A. Faster speed encryption 
B. Longer key lengths 
C. Easier key management 
D. Can be implemented in software 
Answer: A 
"The major strength of symmetric key cryptography is the great speed at which it can operate. 
By the nature of the mathematics involved, symmetric key cryptography also naturally lends 
itself to hardware implementations, creating the opportunity for even higher-speed operations." 
Pg. 309 Tittel: CISSP Study Guide 
QUESTION 732: 
In a cryptographic key distribution system, the master key is used to exchange? 
A. Session keys 
B. Public keys 
C. Secret keys 
D. Private keys 
Answer: A 
"The Key Distribution Center (KDC) is the most important component within a Kerberos 
environment. The KDC holds all users' and services' cryptographic keys. It provides 
authentication services, as well as key distribution functionality. The clients and services trust 
the integrity of the KDC, and this trust is the foundation of Kerberos security." Pg. 148 Shon 
Harris CISSP All-In-One Certification Exam Guide 
"The basic principles of Kerberos operation are as follows: 
1.) The KDC knows the secret keys of all clients and servers on the network. 
2.) The KDC initially exchanges information with the client and server by using these secret 
keys. 
3.) Kerberos authenticates a client to a requested service on a server through TGS, and by using 
temporary symmetric session keys for communications between the client and KDC, the server 
and the KDC, and the client and server. 
4.) Communication then takes place between the client and the server using those temporary 
session keys." 
Pg. 40 Krutz: The CISSP Prep Guide 
QUESTION 733: 
Which Application Layer security protocol requires two pairs of asymmetric keys and two 
digital certificates? 
A. PEM 
B. S/HTTP 
C. SET 
D. SSL 
Answer: C 
QUESTION 734: 
Which of the following can be defined as an attribute in one relation that has values 
matching the primary key in another relation? 
A. foreign key 
B. candidate key 
C. Primary key 
D. Secondary key 
Answer: A 
Reference: pg 243 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 735: 
What key size is used by the Clipper Chip? 
A. 40 bits 
B. 56 bits 
C. 64 bits 
D. 80 bits 
Answer: D 
"Each Clipper Chip has a unique serial number and an 80-bit unique unit or secret key. The unit 
key is divided into two parts and is stored at two separate organizations with the serial number 
that uniquely identifies that particular Clipper Chip." Pg 166 Krutz: The CISSP Prep Guide 
QUESTION 736: 
What uses a key of the same length as the message? 
A. Running key cipher 
B. One-time pad 
C. Steganography 
D. Cipher block chaining 
Answer: B 
Reference: 
"A one-time pad is an extremely powerful type of substitution cipher. One-time pads use a 
different alphabet for each letter of the plaintext message. 
Normally, one-time pads are written as a very long series of numbers to be plugged into the 
function. 
The great advantage to one-time pads is that, when used properly, they are an unbreakable 
encryption scheme. There is no repeating pattern of alphabetic substitution, rendering 
cryptanalytic efforts useless. However, several requirements must be met to ensure the integrity 
of the algorithm: 
The encryption key must be randomly generated. Using a phrase or a passage from a book would 
introduce the possibility of cryptanalysts breaking the code. 
The one-time pad must be physically secured against disclosure. If the enemy has a copy of the 
pad, they can easily decrypt the enciphered messages. 
Each one-time pad must be used only once. If pads are reused, cryptanalysts can compare 
similarities in multiple messages encrypted with the same pad and possibly determine the key 
values used. 
The key must be at least as long as the message to be encrypted. This is because each key 
element is used to encode only one character of the message." 
Pg. 304-305 Tittel: CISSP Study Guide 
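The requirements quoted above, as an added example that is not from the study guide: a pad generated from a secure random source, a length check, a store that refuses a second use of the same pad, and a function showing what an eavesdropper gets when a pad is reused anyway (the XOR of the two plaintexts, with the pad cancelled out). The sample messages are constructed.

```python
"""One-time pad: XOR the message with a random key at least as long as the
message. Added example, not from the Tittel text quoted above. It follows the
requirements listed there (random key, key length >= message length, single
use) and shows what pad reuse gives away: the XOR of two ciphertexts made with
one pad equals the XOR of the two plaintexts, so the pad protects nothing."""
import secrets


class PadStore:
    """Holds pads by identifier and deletes each one on first use, so a second
    use of the same pad is refused rather than silently allowed."""

    def __init__(self):
        self._pads = {}

    def add(self, pad_id: str, pad: bytes) -> None:
        self._pads[pad_id] = pad

    def take(self, pad_id: str) -> bytes:
        if pad_id not in self._pads:
            raise KeyError(f"pad {pad_id!r} already used or unknown")
        return self._pads.pop(pad_id)


def generate_pad(length: int) -> bytes:
    # Cryptographically secure randomness; a passage from a book would not do.
    return secrets.token_bytes(length)


def otp_apply(data: bytes, pad: bytes) -> bytes:
    # Encryption and decryption are the same XOR; each pad byte hides one
    # message byte, hence the pad must be at least as long as the message.
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    # What an eavesdropper can compute from two ciphertexts under one pad:
    # (pt1 ^ pad) ^ (pt2 ^ pad) == pt1 ^ pt2; the pad has cancelled out.
    n = min(len(ct1), len(ct2))
    return bytes(a ^ b for a, b in zip(ct1[:n], ct2[:n]))


def demo() -> bytes:
    pt1 = b"ATTACK AT DAWN"           # constructed sample messages
    pt2 = b"RETREAT AT ONCE"
    store = PadStore()
    store.add("pad-1", generate_pad(32))
    pad = store.take("pad-1")
    ct1 = otp_apply(pt1, pad)
    assert otp_apply(ct1, pad) == pt1        # correct use: one pad, one message
    ct2 = otp_apply(pt2, pad)                # misuse: the same pad a second time
    leak = pad_reuse_leak(ct1, ct2)
    assert leak == bytes(a ^ b for a, b in zip(pt1, pt2))  # pad absent from leak
    try:
        store.take("pad-1")                  # the store refuses the reuse
    except KeyError:
        pass
    return leak
```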
QUESTION 737: 
Which of the following statements related to a private key cryptosystem is FALSE? 
A. The encryption key should be secure 
B. Data Encryption Standard (DES) is a typical private key cryptosystem 
C. The key used for decryption is known to the sender 
D. Two different keys are used for the encryption and decryption 
Answer: D 
"In symmetric key cryptography, a single secret key is used between entities, whereas in public 
key systems, each entity has different keys, or asymmetric keys." Pg 476 Shon Harris CISSP 
Certification All-in-One Exam Guide 
QUESTION 738: 
Simple Key Management for Internet Protocols (SKIP) is similar to Secure Sockets Layer 
(SSL), except that it requires no prior communication in order to establish or exchange 
keys on a: 
A. Secure Private keyring basis 
B. response-by-session basis 
C. Remote Server basis 
D. session-by-session basis 
Answer: D 
Reference: pg 117 Krutz: CISSP Prep Guide: Gold Edition 
QUESTION 739: 
A weak key of an encryption algorithm has which of the following properties? 
A. It is too short, and thus easily crackable 
B. It facilitates attacks against the algorithm 
C. It has many more zeroes than ones 
D. It can only be used as a public key 
Answer: B 
QUESTION 740: 
Security measures that protect message traffic independently on each communication path are called: 
A. Link oriented 
B. Procedure oriented 
C. Pass-through oriented 
D. End-to-end oriented 
Answer: A 
Link encryption encrypts all the data along a specific communication path like a satellite link, T3 line, or 
telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing 
data that are part of the packets are also encrypted. This provides extra protection against packet sniffers and 
eavesdroppers. - Shon Harris All-in-one CISSP Certification Guide pg 560 
QUESTION 741: 
Who is responsible for the security and privacy of data during a transmission on a public communications 
link? 
A. The carrier 
B. The sending party 
C. The receiving party 
D. The local service provider 
Answer: B 
The sender of an email is responsible for encryption if security is desired. A bank that sends data 
across the web is responsible for using a secure protocol. 
QUESTION 742: 
Which of the following best provides e-mail message authenticity and confidentiality? 
A. Signing the message using the sender's public key and encrypting the message using the 
receiver's private key 
B. Signing the message using the sender's private key and encrypting the message using the 
receiver's public key 
C. Signing the message using the receiver's private key and encrypting the message using the 
sender's public key 
D. Signing the message using the receiver's public key and encrypting the message with the 
sender's private key 
Answer: B 
QUESTION 743: 
Cryptography does not help in: 
A. Detecting fraudulent insertion 
B. Detecting fraudulent deletion 
C. Detecting fraudulent modifications 
D. Detecting fraudulent disclosure 
Answer: D 
QUESTION 744: 
Which of the following is NOT a property of a one-way hash function? 
A. It converts a message of a fixed length into a message digest of arbitrary length 
B. It is computationally infeasible to construct two different messages with the same digest 
C. It converts a message of arbitrary length into a message digest of a fixed length 
D. Given a digest value, it is computationally infeasible to find the corresponding message 
Answer: A 
QUESTION 745: 
How much more secure is 56-bit encryption as opposed to 40-bit encryption? 
A. 16 times 
B. 256 times 
C. 32768 times 
D. 65,536 times 
Answer: D 
2 to the power of 40 = 1099511627776 
2 to the power of 56 = 72057594037927936 
72057594037927936 / 1099511627776 = 65,536 
QUESTION 746: 
Which of the following statements is true about data encryption as a method of protecting 
data? 
A. It should sometimes be used for password files 
B. It is usually easily administered 
C. It makes few demands on system resources 
D. It requires careful key Management 
Answer: D 
"Cryptography can be used as a security mechanism to provide confidentiality, integrity, and 
authentication, but not if the keys are compromised in any way. The keys can be captured, 
modified, corrupted, or disclosed to unauthorized individuals. Cryptography is based on a trust 
model. Individuals trust each other to protect their own keys, they trust the administrator who is 
maintaining the keys, and they trust a server that holds, maintains and distributes the keys. 
Many administrators know that key management causes one of the biggest headaches in 
cryptographic implementation. There is more to key maintenance than using them to encrypt 
messages. The keys have to be distributed securely to the right entities and updated 
continuously. The keys need to be protected as they are being transmitted and while they are 
being stored on each workstation and server. The keys need to be generated, destroyed, and 
recovered properly. Key management can be handled through manual or automatic processes. 
Unfortunately, many companies use cryptographic keys, but rarely if ever change them. This is 
because of the hassle of key management and because the network administrator is already 
overtaxed with other tasks or does not realize the task actually needs to take place. The 
frequency of use of a cryptographic key can have a direct correlation to how often the key should be 
changed. The more a key is used, the more likely it is to be captured and compromised. If a key 
is used infrequently, then this risk drops dramatically. The necessary level of security and the 
frequency of use can dictate the frequency of the key updates. 
Key management is the most challenging part of cryptography and also the most crucial. It is one 
thing to develop a very complicated and complex algorithm and key method, but if the keys are 
not securely stored and transmitted, it does not really matter how strong the algorithm is. 
Keeping keys secret is a challenging task." Pg 512-513 Shon Harris CISSP Certification 
All-In-One Exam Guide 
QUESTION 747: 
The primary purpose for using one-way encryption of user passwords within a system is 
which of the following? 
A. It prevents an unauthorized person from trying multiple passwords in one logon attempt 
B. It prevents an unauthorized person from reading or modifying the password list 
C. It minimizes the amount of storage required for user passwords 
D. It minimizes the amount of processing time used for encrypting password 
Answer: B 
QUESTION 748: 
Which of the following is not a known type of Message Authentication Code (MAC)? 
A. Hash function-based MAC 
B. Block cipher-based MAC 
C. Signature-based MAC 
D. Stream cipher-based MAC 
Answer: C 
QUESTION 749: 
Which of the following was developed in order to protect against fraud in electronic fund 
transfers (EFT)? 
A. Secure Electronic Transaction (SET) 
B. Message Authentication Code (MAC) 
C. Cyclic Redundancy Check (CRC) 
D. Secure Hash Standard (SHS) 
Answer: B 
Reference: pg 218 Krutz: CISSP Prep Guide: Gold Edition 
QUESTION 750: 
Where parties do not have a shared secret and large quantities of sensitive information 
must be passed, the most efficient means of transferring information is to use a hybrid 
encryption technique. What does this mean? 
A. Use of public key encryption to secure a secret key, and message encryption using the secret 
key 
B. Use of the recipient's public key for encryption and decryption based on the recipient's 
private key 
C. Use of software encryption assisted by a hardware encryption accelerator 
D. Use of elliptic curve encryption 
Answer: A 
QUESTION 751: 
One-way hash provides: 
A. Confidentiality 
B. Availability 
C. Integrity 
D. Authentication 
Answer: C 
"Hash Functions 
....how cryptosystems implement digital signatures to provide proof that a message originated 
from a particular user of a cryptosystem and to ensure that the message was not modified while 
in transit between the two parties." 
Pg. 292 Tittel: CISSP Study Guide Second Edition 
"integrity A state characterized by the assurance that modifications are not made by 
unauthorized users and authorized users do not make unauthorized modifications." 
Pg. 616 Tittel: CISSP Study Guide Second Edition 
QUESTION 752: 
What size is an MD5 message digest (hash)? 
A. 128 bits 
B. 160 bits 
C. 256 bits 
D. 128 bytes 
Answer: A 
"MD4 
MD4 is a one-way hash function designed by Ron Rivest. It produces 128-bit hash, or message 
digest, values. It is used for high-speed computation in software implementations and is 
optimized for microprocessors. 
MD5 
MD5 is the newer version of MD4. It still produces a 128-bit hash, but the algorithm is more 
complex, which makes it harder to break. MD5 added a fourth round of operations to be 
performed during the hashing functions and makes several of its mathematical operations carry 
out more steps or more complexity to provide a higher level of security. 
MD2 
MD2 is also a 128-bit one-way hash designed by Ron Rivest. It is not necessarily any weaker 
than the previously mentioned hash functions, but is much slower. 
SHA 
SHA was designed by NIST and NSA to be used with DSS. The SHA was designed to be used 
with digital signatures and was developed when a more secure hashing algorithm was required 
for federal application. 
SHA produces a 160-bit hash value, or message digest. This is then inputted into the DSA, 
which computes the signature for a message. The message digest is signed instead of the whole 
message because it is a much quicker process. The sender computes a 160-bit hash value, 
encrypts it with his private key (signs it), appends it to the message, and sends it. The receiver 
decrypts the value with the sender's public key, runs the same hashing function, and compares 
the two values. If the values are the same, the receiver can be sure that the message has not been 
tampered with in transit. 
SHA is similar to MD4. It has some extra mathematical functions and produces a 160-bit hash 
instead of 128-bit, which makes it more resistant to brute force attacks, including birthday 
attacks. 
HAVAL 
HAVAL is a variable-length one-way hash function and is the modification of MD5. It processes 
message blocks twice the size of those used in MD5; thus it processes blocks of 1,024 bits." 
Pg. 508-509 Shon Harris CISSP Certification All-In-One Exam Guide 
QUESTION 753: 
Which of the following is NOT a property of a one-way hash function? 
A. It converts a message of a fixed length into a message digest of arbitrary length. 
B. It is computationally infeasible to construct two different messages with the same digest 
C. It converts a message of arbitrary length into a message digest of a fixed length 
D. Given a digest value, it is computationally infeasible to find the corresponding message 
Answer: A 
QUESTION 754: 
Which of the following would best describe a Concealment cipher? 
A. Permutation is used, meaning that letters are scrambled 
B. Every X number of words within a text, is a part of the real message 
C. Replaces bits, characters, or blocks of characters with different bits, characters, or blocks. 
D. Hiding data in another message so that the very existence of the data is concealed. 
Answer: B 
Reference: pg 468 Shon Harris: All-in-One CISSP Certification 
QUESTION 755: 
Which of the following ciphers is a subset of the Vigenere polyalphabetic cipher? 
A. Caesar 
B. Jefferson 
C. Alberti 
D. SIGABA 
Answer: A 
"The Caesar Cipher,...., is a simple substitution cipher that involves shifting the alphabet three 
positions to the right. The Caesar Cipher is a subset of the Vigenere polyalphabetic cipher. In the 
Caesar cipher, the message's characters and repetitions of the key are added together, modulo 26. 
In modulo 26, the letters A to Z of the alphabet are given a value of 0 to 25, respectively." 
Pg. 189 Krutz: The CISSP Prep Guide: Gold Edition 
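The modulo-26 construction described in the Krutz passage, as an added example that is not from the book: a Vigenere routine in which letters are valued 0 to 25 and added to the repeated key, with the Caesar cipher falling out as the one-letter-key case (key 'D' for the classical shift of 3). The candidate listing at the end shows why a one-letter key gives almost no protection: only 26 shifts exist.

```python
"""Vigenere cipher with the Caesar cipher as its one-letter-key special case.
Added example, not from the Krutz text quoted above. As that text states, the
letters A..Z are valued 0..25, each plaintext letter is added to the
corresponding letter of the repeated key modulo 26, and decryption subtracts.
A key of a single letter is a plain shift; the classical Caesar cipher is the
key 'D' (a shift of 3)."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _shift_text(text: str, key: str, direction: int) -> str:
    """Add (direction=+1) or subtract (direction=-1) the repeated key, mod 26.
    Non-letters pass through unchanged and do not consume a key letter."""
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must consist of one or more letters A-Z")
    out = []
    pos = 0                                   # position within the repeated key
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[pos % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + direction * k) % 26])
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift_text(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift_text(ciphertext, key, -1)


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    # Caesar == Vigenere with a one-letter key; shift 3 is the letter 'D'.
    return vigenere_encrypt(plaintext, ALPHABET[shift % 26])


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    return vigenere_decrypt(ciphertext, ALPHABET[shift % 26])


def caesar_candidates(ciphertext: str) -> list:
    """Why a one-letter key is weak: there are only 26 possible shifts, so every
    candidate plaintext can be listed and the readable one picked out by eye."""
    return [caesar_decrypt(ciphertext, s) for s in range(26)]
```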
QUESTION 756: 
Which of the following is not a property of the Rijndael block cipher algorithm? 
A. Resistance against all known attacks 
B. Design simplicity 
C. 512 bits maximum key size 
D. Code compactness on a wide variety of platforms 
Answer: C 
QUESTION 757: 
What are two types of ciphers? 
A. Transposition and Permutation 
B. Transposition and Shift 
C. Transposition and Substitution 
D. Substitution and Replacement 
Answer: C 
"Classical Ciphers: 
Substitution 
Transposition (Permutation) 
Vernam (One-Time Pad) 
Book or Running Key 
Codes 
Steganography" 
Pg 189-193 Krutz: CISSP Prep Guide: Gold Edition. 
QUESTION 758: 
Which one of the following, if embedded within the ciphertext, will decrease the likelihood 
of a message being replayed? 
A. Stop bit 
B. Checksum 
C. Timestamp 
D. Digital signature 
Answer: C 
CBC is the CBC mode of some block cipher, HMAC is a keyed message digest, MD 
is a plain message digest, and timestamp is to protect against replay attacks. From the OpenSSL 
project http://www.mail-archive.com/openssl-users@openssl.org/msg23576.html 
QUESTION 759: 
Which of the following statements pertaining to block ciphers is incorrect? 
A. it operates on fixed-size blocks of plaintext 
B. it is more suitable for software than hardware implementation 
C. Plain text is encrypted with a public key and decrypted with a private key 
D. Block ciphers can be operated as a stream 
Answer: C 
"Strong and efficient block cryptosystems use random key values so an attacker cannot find a 
pattern as to which S-boxes are chosen and used." Pg. 481 Shon Harris CISSP Certification 
All-in-One Exam Guide 
Not A: 
"When a block cipher algorithm is used for encryption and decryption purposes, the message is 
divided into blocks of bits. These blocks are then put through substitution, transposition, and 
other mathematical functions, one block at a time." Pg. 480 Shon Harris CISSP Certification 
All-in-One Exam Guide 
Not B: 
"Block ciphers are easier to implement in software because they work with blocks of data that 
the software is used to work with." Pg 483 Shon Harris CISSP Certification All-in-One Exam 
Guide 
Not D: 
"This encryption continues until the plaintext is exhausted." Pg. 196 Krutz The CISSP Prep 
Guide. 
Not A or D: 
"When a block cipher algorithm is used for encryption and decryption purposes, the 
message is divided into blocks of bits. These blocks are then put through substitution, 
transposition, and other mathematical functions, one block at a time." Pg 480 Shon Harris: 
All-in-One CISSP Certification 
QUESTION 760: 
The repeated use of the algorithm to encipher a message consisting of many blocks is called 
A. Cipher feedback 
B. Elliptical curve 
C. Cipher block chaining 
D. Triple DES 
Answer: C 
"There are two main types of symmetric algorithms: stream and block ciphers. Like their names 
sound, block ciphers work on blocks of plaintext and ciphertext, whereas stream ciphers work on 
streams of plaintext and ciphertext, one bit or byte at a time." Pg 521. Shon Harris CISSP 
All-In-One Certification Exam Guide 
"Cipher Block Chaining (CBC) operates with plaintext blocks of 64 bits. ....Note that in this 
mode, errors propagate." Pg 149 Krutz: The CISSP Prep Guide 
QUESTION 761: 
When block chaining cryptography is used, what type of code is calculated and appended to the data to 
ensure authenticity? 
A. Message authentication code. 
B. Ciphertext authentication code 
C. Cyclic redundancy check 
D. Electronic digital signature 
Answer: A 
The original Answer was B. This is incorrect as ciphertext is the result, not an authentication 
code. 
"If meaningful plaintext is not automatically recognizable, a message authentication code 
(MAC) can be computed and appended to the message. The computation is a function of the 
entire message and a secret key; it is practically impossible to find another message with the 
same authenticator. The receiver checks the authenticity of the message by computing the MAC 
using the same secret key and then verifying that the computed value is the same as the one 
transmitted with the message. A MAC can be used to provide authenticity for unencrypted 
messages as well as for encrypted ones. The National Institute of Standards and Technology 
(NIST) has adopted a standard for computing a MAC. (It is found in Computer Data 
Authentication, Federal Information Processing Standards Publication (FIPS PUB) 113.)" 
http://www.cccure.org/Documents/HISM/637-639.html from the Handbook of Information 
Security Management by Micki Krause 
QUESTION 762: 
Which of the following statements pertaining to block ciphers is incorrect? 
A. It operates on fixed-size blocks of plaintext 
B. It is more suitable for software than hardware implementations 
C. Plain text is encrypted with a public key and decrypted with a private key 
D. Block ciphers can be operated as a stream 
Answer: C 
"Strong and efficient block cryptosystems use random key values so an attacker cannot find a 
pattern as to which S-boxes are chosen and used." Pg. 481 Shon Harris CISSP Certification 
All-in-One Exam Guide 
Not A: 
"When a block cipher algorithm is used for encryption and decryption purposes, the message is 
divided into blocks of bits. These blocks are then put through substitution, transposition, and 
other mathematical functions, one block at a time." Pg. 480 Shon Harris CISSP Certification 
All-in-One Exam Guide 
Not B: 
"Block ciphers are easier to implement in software because they work with blocks of data that 
the software is used to work with." Pg 483 Shon Harris CISSP Certification All-in-One Exam 
Guide 
Not D: 
"This encryption continues until the plaintext is exhausted." Pg. 196 Krutz The CISSP Prep 
Guide. 
QUESTION 763: 
Which of the following is a symmetric encryption algorithm? 
A. RSA 
B. Elliptic Curve 
C. RC5 
D. El Gamal 
Answer: C 
QUESTION 764: 
How many bits is the effective length of the key of the Data Encryption Standard 
Algorithm? 
A. 16 
B. 32 
C. 56 
D. 64 
Answer: C 
QUESTION 765: 
Compared to RSA, which of the following is true of elliptic curve cryptography? 
A. It has been mathematically proved to be more secure 
B. It has been mathematically proved to be less secure 
C. It is believed to require longer keys for equivalent security 
D. It is believed to require shorter keys for equivalent security 
Answer: D 
CISSP All-In-One - page 491: "In most cases, the longer the key length, the more protection provided, but 
ECC can provide the same level of protection with a key size that is smaller than what RSA requires." 
CISSP Prep Guide (not Gold edition) - page 158: "... smaller key sizes in the elliptic curve implementation 
can yield higher levels of security. For example, an elliptic curve key of 160 bits is equivalent to a 
1024-bit RSA key." 
QUESTION 766: 
Which of the following is not a one-way algorithm? 
A. MD2 
B. RC2 
C. SHA-1 
D. DSA 
Answer: B 
Not: A, C or D. 
"Hash Functions 
SHA 
MD2 
MD4 
MD5" 
Pg. 337- 340 Tittel: CISSP Study Guide 
DSA, the Digital Signature Algorithm, is an approved standard for digital signatures that utilizes 
the SHA-1 hashing function. 
Pg. 342-343 Tittel: CISSP Study Guide 
QUESTION 767: 
A public key algorithm that does both encryption and digital signature is which of the 
following? 
A. RSA 
B. DES 
C. IDEA 
D. DSS 
Answer: A 
"RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key 
algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide 
de facto standard and can be used for digital signatures, key exchange, and encryption." 
Pg. 489 Shon Harris: All-In-One CISSP Certification Exam Guide 
QUESTION 768: 
Which of the following encryption algorithms does not deal with discrete logarithms? 
A. El Gamal 
B. Diffie-Hellman 
C. RSA 
D. Elliptic Curve 
Answer: C 
QUESTION 769: 
The RSA algorithm is an example of what type of cryptography? 
A. Asymmetric key 
B. Symmetric key 
C. Secret Key 
D. Private Key 
Answer: A 
QUESTION 770: 
How many rounds are used by DES? 
A. 16 
B. 32 
C. 64 
D. 48 
Answer: A 
"When the DES algorithm is applied to data, it divides the message into blocks and operates on 
them one at a time. A block is made of 64 bits and is divided in half and each character is 
encrypted one at a time. The characters are put through 16 rounds of transposition and 
substitution functions. The order and type of transposition and substitution function depend on 
the value of the key that is inputted into the algorithm. The result is the 64-bit block of 
ciphertext." Pg. 526 Shon Harris: CISSP All-In-One Certification Guide 
QUESTION 771: 
Which of the following is the most secure form of triple-DES encryption? 
A. DES-EDE3 
B. DES-EDE1 
C. DES-EEE4 
D. DES-EDE2 
Answer: A 
QUESTION 772: 
Which of the following algorithms does *NOT* provide hashing? 
A. SHA-1 
B. MD2 
C. RC4 
D. MD5 
Answer: C 
"Hashed Algorithms 
SHA-1 
HMAC-SHA-1 
MD5 
HMAC-MD5" 
Pg 426 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 773: 
Which of the following is unlike the other three? 
A. El Gamal 
B. Teardrop 
C. Buffer Overflow 
D. Smurf 
Answer: A 
QUESTION 774: 
Which of the following is not an encryption algorithm? 
A. Skipjack 
B. SHA-1 
C. Twofish 
D. DEA 
Answer: B 
SHA-1 is a hash algorithm, as opposed to an encryption algorithm. 
Reference: pg 293 Tittel: CISSP Study Guide 
QUESTION 775: 
Which one of the following is an asymmetric algorithm? 
A. Data Encryption Algorithm. 
B. Data Encryption Standard 
C. Enigma 
D. Knapsack 
Answer: D 
Merkle-Hellman Knapsack is a Public Key Algorithm Pg 206 Krutz: CISSP Prep Guide: Gold 
Edition. 
Not A: 
"DES describes the Data Encryption Algorithm (DEA) and is the name of the Federal 
Information Processing Standard (FIPS) 46-1 that was adopted in 1977..." pg 195 Krutz: CISSP 
Prep Guide: Gold Edition. 
Not B: 
"The best-known symmetric key system is probably the Data Encryption Standard (DES)." pg 
195 Krutz: CISSP Prep Guide: Gold Edition. 
Not C: 
"The German military used a polyalphabetic substitution cipher machine called the Enigma as its 
principal encipherment system during World War II." Pg 185 Krutz: CISSP Prep Guide: Gold 
Edition. 
QUESTION 776: 
Which of the following is *NOT* a symmetric key algorithm? 
A. Blowfish 
B. Digital Signature Standard (DSS) 
C. Triple DES (3DES) 
D. RC5 
Answer: B 
Reference: pg 489 Shon Harris 
QUESTION 777: 
Which of the following layers is not used by the Rijndael algorithm? 
A. Non-linear layer 
B. Transposition layer 
C. Key addition layer 
D. The linear mixing layer 
Answer: B 
Reference: pg 201 Krutz: CISSP Prep Guide: Gold Edition 
QUESTION 778: 
What is the basis for the Rivest-Shamir-Adelman (RSA) algorithm scheme? 
A. Permutations 
B. Work factor 
C. Factorability 
D. Reversibility 
Answer: C 
This algorithm is based on the difficulty of factoring a number, N, which is the product of two 
large prime numbers. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 204 
QUESTION 779: 
Which of the following encryption algorithms does not deal with discrete logarithms? 
A. El Gamal 
B. Diffie-Hellman 
C. RSA 
D. Elliptic Curve 
Answer: C 
Reference: pg 416 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 780: 
The RSA Algorithm uses which mathematical concept as the basis of its encryption? 
A. Geometry 
B. Irrational numbers 
C. PI (3.14159...) 
D. Large prime numbers 
Answer: D 
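Questions 742, 750, 767 and 778 together describe one pattern: RSA serves both for signing (sender's private key) and for key transport (receiver's public key), the bulk data goes under a symmetric session key, and RSA's security rests on the difficulty of factoring n = p * q. The following added example, which is not code from any of the guides quoted on this page, carries that pattern through end to end. The primes are small toy values, RSA is used without padding, and the bulk cipher is a SHA-256 keystream standing in for DES or AES; those are illustration-only simplifications, not a usable scheme.

```python
"""Textbook RSA for both encryption and signing, in the hybrid pattern of
Questions 742 and 750: sign with the sender's private key, encrypt a fresh
symmetric session key with the receiver's public key. Added example; the toy
primes, the unpadded RSA and the SHA-256 keystream are simplifications for
illustration only (real RSA uses primes of hundreds of digits plus OAEP/PSS)."""
import hashlib
import secrets
from math import gcd

# Toy primes: the 1,000,000th prime and the Mersenne prime 2^31 - 1 for the
# sender; the 100,000th and 10,000th primes for the receiver. n = p * q is
# published; d can only be derived by whoever knows p and q, which is why
# RSA's security rests on the difficulty of factoring n (Question 778).
SENDER_PRIMES = (15485863, 2147483647)
RECEIVER_PRIMES = (1299709, 104729)


def rsa_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)


def rsa_apply(x: int, key) -> int:
    # The same modular exponentiation serves encryption, decryption,
    # signing and verification; only the exponent differs.
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("integer must be smaller than the modulus")
    return pow(x, exp, n)


def keystream_xor(data: bytes, session_key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(session_key || block counter).
    Stands in for the DES/AES bulk encryption of a real hybrid scheme."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(session_key + block.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def _digest_int(message: bytes, n: int) -> int:
    # Sign the digest rather than the whole message, as the SHA/DSA passage
    # on this page describes; reduced mod n so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, sender_priv) -> int:
    return rsa_apply(_digest_int(message, sender_priv[0]), sender_priv)


def verify(message: bytes, signature: int, sender_pub) -> bool:
    return rsa_apply(signature, sender_pub) == _digest_int(message, sender_pub[0])


def seal(message: bytes, sender_priv, receiver_pub) -> dict:
    """Sender side: signature with own private key, bulk encryption under a
    fresh session key, session key encrypted with the receiver's public key."""
    session_key = secrets.token_bytes(4)   # 32 bits: below the toy modulus
    return {
        "ciphertext": keystream_xor(message, session_key),
        "enc_key": rsa_apply(int.from_bytes(session_key, "big"), receiver_pub),
        "signature": sign(message, sender_priv),
    }


def open_sealed(envelope: dict, receiver_priv, sender_pub) -> bytes:
    """Receiver side: recover the session key with own private key, decrypt,
    then check the signature with the sender's public key; reject on mismatch."""
    session_key = rsa_apply(envelope["enc_key"], receiver_priv).to_bytes(4, "big")
    message = keystream_xor(envelope["ciphertext"], session_key)
    if not verify(message, envelope["signature"], sender_pub):
        raise ValueError("signature check failed: altered or not from the sender")
    return message
```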
QUESTION 781: 
PGP provides which of the following?(Choose three) 
A. Confidentiality 
B. Accountability 
C. Accessibility 
D. Integrity 
E. Interest 
F. Non-repudiation 
G. Authenticity 
Answer: A,D,G 
PGP provides confidentiality, integrity, and authenticity. 
QUESTION 782: 
PGP uses which of the following to encrypt data? 
A. An asymmetric scheme 
B. A symmetric scheme 
C. a symmetric key distribution system 
D. An asymmetric key distribution 
Answer: B 
QUESTION 783: 
Which of the following mail standards relies on a "Web of Trust"? 
A. Secure Multipurpose Internet Mail extensions (S/MIME) 
B. Pretty Good Privacy (PGP) 
C. MIME Object Security Services (MOSS) 
D. Privacy Enhanced Mail (PEM) 
Answer: B 
"PGP does not use a hierarchy of CAs, or any type of formal trust certificates, but relies on a 
"web of trust" in its key management approach. Each user generates and distributes his or her 
public key, and users sign each other's public keys, which creates a community of users who 
trust each other. This is different than the CA approach where no one trusts each other, they only 
trust the CA." 
QUESTION 784: 
Which of the following offers confidentiality to an e-mail message? 
A. The sender encrypting it with its private key 
B. The sender encrypting it with its public key 
C. The sender encrypting it with the receiver's public key 
D. The sender encrypting it with the receiver's private key 
Answer: C 
QUESTION 785: 
Which of the following items should not be retained in an E-mail directory? 
A. drafts of documents 
B. copies of documents 
C. permanent records 
D. temporary documents 
Answer: C 
QUESTION 786: 
In a Secure Electronic Transaction (SET), how many certificates are required for a payment gateway to 
support multiple acquirers? 
A. Two certificates for the gateway only. 
B. Two certificates for the gateway and two for the acquirers. 
C. Two certificates for each acquirer. 
D. Two certificates for the gateway and two for each acquirer. 
Answer: B 
I think it may be D, two for each acquirer, which, unless I read it wrong, means each person must have 2 
certificates exchanged with the gateway. 
"SET uses a DES symmetric key system for encryption of the payment information and uses RSA for the 
symmetric key exchange and digital signatures. SET covers the end-to-end transaction from the cardholder to 
the financial institution". -Ronald Krutz The CISSP PREP Guide (gold edition) pg 219-220 
In the SET environment, there exists a hierarchy of Certificate Authorities. The SET protocol 
specifies a method of entity authentication referred to as trust chaining. This method entails the 
exchange of digital certificates and verification of the public keys by validating the digital 
signatures of the issuing CA. This trust chain method continues all the way up to the CA at the 
top of the hierarchy, which is referred to as the SET Root CA. The SET Root CA is owned and 
maintained by SET Secure Electronic Transaction LLC. http://setco.org/certificates.html 
QUESTION 787: 
Which protocol makes use of an electronic wallet on a customer's PC and sends encrypted 
credit card information to merchant's Web server, which digitally signs it and sends it on 
to its processing bank? 
A. SSH 
B. S/MIME 
C. SET 
D. SSL 
Answer: C 
QUESTION 788: 
Which of the following best describes the Secure Electronic Transaction (SET) protocol? 
A. Originated by VISA and MasterCard as an Internet credit card protocol 
B. Originated by VISA and MasterCard as an Internet credit card protocol using digital 
signatures 
C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport 
layer 
D. Originated by VISA and MasterCard as an Internet credit card protocol using SSL 
Answer: B 
QUESTION 789: 
Which of the following would best define the "Wap Gap" security issue? 
A. The processing capability gap between wireless devices and PC's 
B. The fact that WTLS transmissions have to be decrypted at the carrier's WAP gateway to be 
re-encrypted with SSL for use over wired networks. 
C. The fact that Wireless communications are far easier to intercept than wired communications 
D. The inability of wireless devices to implement strong encryption 
Answer: B 
QUESTION 790: 
What encryption algorithm is best suited for communication with handheld wireless 
devices? 
A. ECC 
B. RSA 
C. SHA 
D. RC4 
Answer: A 
"Elliptic curves are rich mathematical structures that have shown usefulness in many different 
types of applications. An Elliptic Curve Cryptosystem (ECC) provides much of the same 
functionality that RSA provides: digital signatures, secure key distribution, and encryption. One 
differing factor is ECC's efficiency. Some devices have limited processing capacity, storage, 
power supply, and bandwidth like wireless devices and cellular telephones. With these types of 
devices, efficiency of resource use is very important. ECC provides encryption functionality 
requiring a smaller percentage of resources required by RSA and other algorithms, so it is used 
in these types of devices. In most cases, the longer the key length, the more protection provided, but 
ECC can provide the same level of protection with a key size that is smaller than what RSA 
requires. Because longer keys require more resources to perform mathematical tasks, the smaller 
keys used in ECC require fewer resources of the device." Pg. 491 Shon Harris: All-In-One 
CISSP Certification Guide. 
QUESTION 791: 
Which security measure BEST provides non-repudiation in electronic mail? 
A. Digital signature 
B. Double length Key Encrypting Key (KEK) 
C. Message authentication 
D. Triple Data Encryption Standard (DES) 
Answer: A 
A tool used to provide the authentication of the sender of a message. It can verify the origin of 
the message along with the identity of the sender. It is unique for every transaction and created 
with a private key. - Shon Harris All-in-one CISSP Certification Guide pg 930 
"Secure Multipurpose Internet Mail Extensions (S/MIME) offers authentication and privacy to 
e-mail through secured attachments. Authentication is provided through X.509 digital 
certificates. Privacy is provided through the use of Public Key Cryptography Standard (PKCS) 
Encryption. Two types of messages can be formed using S/MIME: signed messages and 
enveloped messages. A signed message provides integrity and sender authentication. An 
enveloped message provides ntegrity, sender authentication, and confidentiality." Pg 123 Tittle: 
CISSP Study Guide 
QUESTION 792: 
Which of the following services is not provided by the digital signature standard (DSS)? 
A. Encryption 
B. Integrity 
C. Digital signature 
D. Authentication 
Answer: A 
QUESTION 793: 
Public key cryptography provides integrity verification through the use of public key 
signature and? 
A. Secure hashes 
B. Zero knowledge 
C. Private key signature 
D. Session key 
Answer: C 
Pg 213 Krutz Gold Edition 
QUESTION 794: 
Electronic signatures can prevent messages from being: 
A. Erased 
B. Disclosed 
C. Repudiated 
D. Forwarded 
Answer: C 
QUESTION 795: 
Why do vendors publish MD5 hash values when they provide software patches for their 
customers to download from the Internet? 
A. Recipients can verify the software's integrity after downloading. 
B. Recipients can confirm the authenticity of the site from which they are downloading the 
patch. 
C. Recipients can request future updates to the software by using the assigned hash value. 
D. Recipients need the hash value to successfully activate the new software. 
Answer: A 
If the two values are different, Maureen knows that the message was altered, either intentionally 
or unintentionally, and she discards the message... As stated in an earlier section, the goal of 
using a one-way hash function is to provide a fingerprint of the message. MD5 is the newer 
version of MD4. It still produces a 128-bit hash, but the algorithm is a bit more complex to 
make it harder to break than MD4. MD5 added a fourth round of operations to be performed 
during the hash functions and makes several of its mathematical operations carry steps or more 
complexity to provide a higher level of security. - Shon Harris All-in-one CISSP Certification 
Guide pg 182-185 
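The integrity check the answer describes, as an added example that is not part of the question bank: the patch bytes and the "published" digests are constructed inline so it runs offline, and the comparison shows why a published hash proves integrity only, not the authenticity of the download site (distractor B).

```python
"""Verify a downloaded patch against a vendor-published digest.

Added example (not from the question bank). The patch bytes and the
"published" digests below are constructed inline so the script runs offline.
"""
import hashlib
import hmac

# Constructed sample "patch" plus the digests a vendor would publish next to
# the download link. In practice the published value is fetched separately.
PATCH = b"example-vendor-patch-v1.2.3\x00binary payload"
PUBLISHED_MD5 = hashlib.md5(PATCH).hexdigest()
PUBLISHED_SHA256 = hashlib.sha256(PATCH).hexdigest()


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data, fed in chunks the way a large file would be streamed."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), 4096):
        h.update(data[i:i + 4096])
    return h.hexdigest()


def verify(data: bytes, published: str, algorithm: str = "md5") -> bool:
    """True if data matches the published hex digest (case-insensitive).

    hmac.compare_digest avoids timing leaks. A matching digest proves only
    that the bytes are intact; it says nothing about who published the value,
    so the published hash must come from a trusted channel or be signed.
    """
    return hmac.compare_digest(digest(data, algorithm), published.strip().lower())


def tampered(data: bytes) -> bytes:
    """Flip one bit in the payload to simulate in-transit corruption or tampering."""
    b = bytearray(data)
    b[-1] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    print("intact md5    :", verify(PATCH, PUBLISHED_MD5))              # True
    print("tampered md5  :", verify(tampered(PATCH), PUBLISHED_MD5))    # False
    print("intact sha256 :", verify(PATCH, PUBLISHED_SHA256, "sha256")) # True
```

A single flipped bit changes the whole 128-bit MD5 fingerprint, which is what lets the recipient detect alteration; the same code accepts any hashlib algorithm name, so a vendor's SHA-256 value is checked the same way.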
QUESTION 796: 
What attribute is included in an X.509 certificate? 
A. Distinguished name of subject 
B. Telephone number of the department 
C. Secret key of the issuing CA 
D. The key pair of the certificate holder 
Answer: A 
The key word is 'included'. "Certificates that conform to X.509 contain the 
following data: Version of X.509 to which the certificate conforms; Serial number (from 
the certificate creator); Signature algorithm identifier (specifies the technique used by the 
certificate authority to digitally sign the contents of the certificate); Issuer name 
(identification of the certificate authority that issues the certificate); Validity period 
(specifies the dates and times - a starting date and time and an ending date and time - 
during which the certificate is valid); Subject's name (contains the distinguished name, or 
DN, of the entity that owns the public key contained in the certificate); Subject's public 
key (the meat of the certificate - the actual public key of the certificate owner used to 
set up secure communications)" pg 343-344 CISSP Study Guide by Tittel 
QUESTION 797: 
What is used to bind a document to its creation at a particular time? 
A. Network Time Protocol (NTP) 
B. Digital Signature 
C. Digital Timestamp 
D. Certification Authority (CA) 
Answer: C 
QUESTION 798: 
What attribute is included in an X.509 certificate? 
A. Distinguished name of the subject 
B. Telephone number of the department 
C. Secret key of the issuing CA 
D. The key pair of the certificate holder 
Answer: A 
"Certificates that conform to X.509 contain the following data: 
Version of X.509 to which the certificate conforms 
Serial number 
Signature algorithm identifier 
Issuer name 
Validity period 
Subject's name (contains the distinguished name, or DN of the entity that owns the public key 
contained in the certificate) 
Subject's public key" 
Pg. 297 Tittel: CISSP Study Guide 
QUESTION 799: 
Which of the following standards concerns digital certificates? 
A. X.400 
B. X.25 
C. X.509 
D. X.75 
Answer: C 
QUESTION 800: 
What level of assurance for a digital certificate only requires an e-mail address? 
A. Level 0 
B. Level 1 
C. Level 2 
D. Level 3 
Answer: B
