CISSP Questions – Volume 05 – 1001-1200 Questions

QUESTION 1001: 
Which of the following tasks is not usually part of a Business Impact Analysis (BIA)? 
A. Identify the type and quantity of resources required for recovery 
B. Identify the critical processes and the dependencies between them 
C. Identify organizational risks 
D. Develop a mission statement 
Answer: D 
QUESTION 1002: 
Which of the following will a Business Impact Analysis (BIA) NOT identify? 
A. Areas that would suffer the greatest financial or operation loss in the event of a disaster 
B. Systems critical to the survival of the enterprise 
C. The names of individuals to be contacted during a disaster 
D. The outage time that can be tolerated by the enterprise as a result of a disaster 
Answer: C 
QUESTION 1003: 
Which one of the following is the primary goal of Business Continuity Planning? 
A. Sustain the organization. 
B. Recover from a major data center outage. 
C. Test the ability to prevent major outages. 
D. Satisfy audit requirements. 
Answer: A 
Simply put, business continuity plans are created to prevent interruptions to normal business 
activity. - Ronald Krutz The CISSP PREP Guide (gold edition) pg 378 
QUESTION 1004: 
Most unplanned downtime of information systems is attributed to which of the 
following? 
A. Hardware failure
B. Natural disaster 
C. Human error 
D. Software failure 
Answer: A 
QUESTION 1005: 
System reliability is increased by: 
A. A lower MTBF and a lower MTTR 
B. A higher MTBF and a lower MTTR 
C. A lower MTBF and a higher MTTR 
D. A higher MTBF and a higher MTTR 
Answer: B 
One prefers to have a higher MTBF and a lower MTTR. 
"Each device has a mean time between failure (MTBF) and a mean time to repair (MTTR). The 
MTBF estimate is used to determine the expected lifetime of a device or when an element within 
that device is expected to give out. The MTTR value is used to estimate the time it will take to 
repair the device and get it back into production." Pg 267 Shon Harris: All-in-One CISSP 
Certification 
QUESTION 1006: 
Which of the following is NOT a major element of Business Continuity Planning? 
A. Creation of a BCP committee 
B. Business Impact Assessment (BIA) 
C. Business Continuity Plan Development 
D. Scope plan initiation 
Answer: A 
QUESTION 1007: 
Which one of the following is a core infrastructure and service element of Business Continuity Planning 
(BCP) required to effectively support the business processes of an organization? 
A. Internal and external support functions. 
B. The change management process. 
C. The risk management process. 
D. Backup and restoration functions. 
Answer: C 
Pg 383 Krutz Gold Edition. Backup is not BCP. 
QUESTION 1008: 
A business continuity plan should list and prioritize the services that need to be brought 
back after a disaster strikes. Which of the following services is more likely to be of primary 
concern? 
A. Marketing/Public relations 
B. Data/Telecomm/IS facilities 
C. IS Operations 
D. Facilities security 
Answer: B 
QUESTION 1009: 
When preparing a business continuity plan, who of the following is responsible for 
identifying and prioritizing time-critical systems? 
A. Executive management staff 
B. Senior business unit management 
C. BCP committee 
D. Functional business units 
Answer: B 
QUESTION 1010: 
Classification of information systems is essential in business continuity planning. Which of 
the following system types cannot be replaced by manual methods? 
A. Critical System 
B. Vital System 
C. Sensitive System 
D. Non-critical system 
Answer: A 
QUESTION 1011: 
A business continuity plan should list and prioritize the services that need to be brought 
back after a disaster strikes. Which of the following services is more likely to be of primary 
concern? 
A. Marketing/Public Relations 
B. Data/Telecomm/IS facilities 
C. IS Operations 
D. Facilities security 
Answer: B 
QUESTION 1012: 
Business Continuity Plan development depends most on: 
A. Directives of Senior Management 
B. Business Impact Analysis (BIA) 
C. Scope and Plan Initiation 
D. Skills of BCP committee 
Answer: B 
QUESTION 1013: 
Which primary element of BCP includes carrying out vulnerability analysis? 
A. Scope and Plan Initiation 
B. Business Impact Assessment 
C. Business Continuity Plan Development 
D. Plan Approval and Implementation 
Answer: B 
QUESTION 1014: 
To mitigate the impact of a software vendor going out of business, a company that uses vendor software 
should require which one of the following? 
A. Detailed credit investigation prior to acquisition. 
B. Source code held in escrow. 
C. Standby contracts with other vendors. 
D. Substantial penalties for breach of contract. 
Answer: B 
The original answer was C; however, that is incorrect for this case. SLAs and standby contracts are good ideas, 
but in this case B is right. 
"A software escrow arrangement is a unique tool used to protect a company against the failure of a software 
developer to provide adequate support for its products or against the possibility that the developer will go out of 
business and no technical support will be available for the product....Under a software escrow agreement, the 
developer provides copies of the application source code to an independent third-party organization. The third 
party then maintains updated backup copies of the source code in a secure fashion. The agreement between the 
end user and the developer specifies "trigger events", such as the failure of the developer to meet terms of a 
service level agreement (SLA) or the liquidation of the developer's firm." - Ed Tittel CISSP Study Guide (sybex) pg 550 
QUESTION 1015: 
Similarity between all recovery plans is: 
A. They need extensive testing 
B. They need to be developed by business continuity experts 
C. They become obsolete quickly 
D. They create employment opportunities 
Answer: C 
QUESTION 1016: 
Which of the following focuses on sustaining an organization's business functions during 
and after a disruption? 
A. Business continuity plan 
B. Business recovery plan 
C. Continuity of operations plan 
D. Disaster recovery plan 
Answer: A 
QUESTION 1017: 
What is not one of the drawbacks of a hot site? 
A. They need security controls, as they usually contain mirror copies of live production data 
B. Full redundancy in hardware, software, communication lines, and applications is very 
expensive 
C. The hot sites are available immediately or within maximum allowable downtime (MTD) 
D. They are administratively resource intensive, as transaction redundancy controls need to be 
implemented to keep data up-to-date 
Answer: C 
QUESTION 1018: 
Which one of the following processing alternatives involves a ready-to-use computing facility with 
telecommunications equipment, but not computers? 
A. Company-owned hot site 
B. Commercial hot site 
C. Cold site 
D. Warm site 
Answer: D 
"Warm Site - These facilities are usually partially configured with some equipment, but not the 
actual computers." - Shon Harris All-in-one CISSP Certification Guide pg 613 
QUESTION 1019: 
What is a hot-site facility? 
A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications, 
and networking equipment, and UPS 
B. A site in which space is reserved with pre-installed wiring and raised floors 
C. A site with raised flooring, air conditioning, telecommunications, and networking equipment, 
and UPS 
D. A site with ready-made work space with telecommunications equipment, LANs, PCs, and 
terminals for work groups 
Answer: A 
QUESTION 1020: 
Contracts and agreements are unenforceable in which of the following alternate backup 
facilities? 
A. hot site 
B. warm site 
C. cold site 
D. reciprocal agreement 
Answer: D 
QUESTION 1021: 
Which of the following computer recovery sites is the least expensive and the most 
difficult to test? 
A. non-mobile hot site 
B. mobile hot site 
C. warm site 
D. cold site 
Answer: D 
QUESTION 1022: 
Which of the following is an advantage of the use of hot sites as a backup alternative? 
A. The costs associated with hot sites are low 
B. Hot sites can be made ready for operation within a short period of time 
C. Hot sites can be used for an extended amount of time 
D. Hot sites do not require that equipment and systems software be compatible with the primary 
installation being backed up 
Answer: B 
QUESTION 1023: 
What is not a benefit of Cold Sites? 
A. No resource contention with other organizations 
B. Quick Recovery 
C. Geographical location that is not affected by the same disaster 
D. Low cost 
Answer: B 
QUESTION 1024: 
What is the PRIMARY reason that reciprocal agreements between independent organizations for backup 
processing capability are seldom used? 
A. Lack of successful recoveries using reciprocal agreements. 
B. Legal liability of the host site in the event that the recovery fails. 
C. Dissimilar equipment used by disaster recovery organization members. 
D. Difficulty in enforcing the reciprocal agreement. 
Answer: D 
"Reciprocal agreements are at best a secondary option for disaster protection. The agreements 
are not enforceable, so there is no guarantee that this facility will really be available to the 
company in a time of need." Pg 615 Shon Harris CISSP All-In-One Certification Exam Guide 
QUESTION 1025: 
Which of the following alternative business recovery strategies would be LEAST 
appropriate in a large database and on-line communications network environment where 
the critical business continuity period is 7 days? 
A. Hot site 
B. Warm site 
C. Duplicate information processing facilities 
D. Reciprocal agreement 
Answer: D 
QUESTION 1026: 
A contingency plan should address: 
A. Potential risks 
B. Residual risks 
C. Identified risks 
D. All of the above 
Answer: B 
QUESTION 1027: 
Prior to a live disaster test, which of the following is most important? 
A. Restore all files in preparation for the test 
B. Document expected findings 
C. Arrange physical security for the test site 
D. Conduct a successful structured walk-through 
Answer: D 
QUESTION 1028: 
Which of the following business continuity stages ensures the continuity strategy remains 
visible? 
A. Backup, Recover and Restoration 
B. Testing Strategy Development 
C. Post Recovery Transition Data Development 
D. Implementation, Testing and Maintenance 
Answer: D 
Once the strategies have been decided upon, they need to be documented and put into place. This 
moves the efforts from a purely planning stage to an actual implementation and action 
phase...The disaster recovery and continuity plan should be tested periodically because an 
environment continually changes and each time it is tested, more improvements may be 
uncovered...The plan's maintenance can be incorporated into change management procedures so 
that any changes in the environment will be sure to be reflected in the plan itself. - Shon Harris 
All-in-one CISSP Certification Guide pg 611 
QUESTION 1029: 
During the testing of the business continuity plan (BCP), which of the following methods of 
results analysis provides the BEST assurance that the plan is workable? 
A. Measurement of accuracy 
B. Elapsed time for completion of critical tasks 
C. Quantitatively measuring the results of the test 
D. Evaluation of the observed test results 
Answer: C 
QUESTION 1030: 
Which of the following recovery plan test results would be most useful to management? 
A. elapsed time to perform various activities 
B. list of successful and unsuccessful activities 
C. amount of work completed 
D. description of each activity 
Answer: B 
QUESTION 1031: 
Failure of a contingency plan is usually: 
A. A technical failure 
B. A management failure 
C. Because of a lack of awareness 
D. Because of a lack of training 
Answer: B 
QUESTION 1032: 
The first step in contingency planning is to perform: 
A. A hardware backup 
B. A data backup 
C. An operating system software backup 
D. An application software backup 
Answer: B 
QUESTION 1033: 
Which of the following server contingency solutions offers the highest availability? 
A. System backups 
B. Electronic vaulting/remote journaling 
C. Redundant arrays of independent disks (RAID) 
D. Load balancing/disk replication 
Answer: D 
QUESTION 1034: 
Which of the following statements pertaining to the maintenance of an IT contingency plan 
is incorrect? 
A. The plan should be reviewed at least once a year for accuracy and completeness 
B. The Contingency Planning Coordinator should make sure that every employee gets an 
up-to-date copy of the plan 
C. Strict version control should be maintained 
D. Copies of the plan should be provided to recovery personnel for storage at home and office 
Answer: B 
QUESTION 1035: 
Which disaster recovery plan test involves functional representatives meeting to review the 
plan in detail? 
A. Simulation test 
B. Checklist test 
C. Parallel test 
D. Structured walkthrough test 
Answer: D 
"Structured walk-through: 
1. Functional representatives meet to review the plan in detail 
2. Strategy involves a thorough look at each of the plan steps and the procedures that are invoked 
at that point in the plan 
3. This ensures that the actual planned activities are accurately described in the plan." 
Pg 699 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 1036: 
What is the MAIN purpose of periodically testing off-site hardware backup facilities? 
A. To eliminate the need to develop detailed contingency plans 
B. To ensure that program and system documentation remains current 
C. To ensure the integrity of the data in the database 
D. To ensure the continued compatibility of the contingency facilities 
Answer: D 
QUESTION 1037: 
Scheduled tests of application contingency plans should be based on the 
A. Size and complexity of the application. 
B. Number of changes to the application. 
C. Criticality of the application. 
D. Reliability of the application. 
Answer: C 
Although this does not directly answer the question, a little inference leads to it: 
"Priorities - It is extremely important to know what is critical versus nice to have... It is 
necessary to know which department must come online first, which second, and so on...It may be 
more necessary to ensure that the database is up and running before working to bring the file 
server online." - Shon Harris All-in-one CISSP Certification Guide pg 604 
QUESTION 1038: 
Which of the following is less likely to accompany a contingency plan, either within the 
plan itself or in the form of an appendix? 
A. Contact information for all personnel 
B. Vendor contract information, including offsite storage and alternate site 
C. Equipment and system requirements lists of hardware, software, firmware, and other resources 
required to support system operations 
D. The Business Impact Analysis 
Answer: D 
Explanation: You use the BIA as a guideline to create the contingency plan. 
QUESTION 1039: 
The first step in contingency planning is to perform: 
A. A hardware backup 
B. A data backup 
C. An operating system software backup 
D. An application software backup 
Answer: B 
QUESTION 1040: 
Which of the following teams should not be included in an organization's contingency 
plan? 
A. Damage assessment team 
B. Hardware salvage team 
C. Tiger team 
D. Legal affairs team 
Answer: C 
QUESTION 1041: 
In the public sector, as opposed to the private sector, due care is usually determined by 
A. Minimum standard requirements. 
B. Legislative requirements. 
C. Insurance rates. 
D. Potential for litigation. 
Answer: B 
QUESTION 1042: 
What is the minimum and customary practice of responsible protection of assets that affects a community or 
societal norm? 
A. Due diligence 
B. Risk mitigation 
C. Asset protection 
D. Due care 
Answer: D 
"Due care and due diligence are terms that are used throughout this book. Due diligence is the 
act of investigating and understanding the risks the company faces. A company practices due 
care by developing security policies, procedures, and standards. Due care shows that a company 
has taken responsibility for the activities that take place within the corporation and has taken the 
necessary steps to help protect the company, its resources, and employees from possible risks. So 
due diligence is understanding the current threats and risks and due care is implementing 
countermeasures to provide protection from those threats. If a company does not practice due 
care and due diligence pertaining to the security of its assets, it can be legally charged with 
negligence and held accountable for any ramifications of that negligence." Pg. 85 Shon Harris: 
All-in-One CISSP Certification 
"The following list describes some of the actions required to show that due care is being properly 
practiced in a corporation: 
1. Adequate physical and logical access controls 
2. Adequate telecommunication security, which could require encryption 
3. Proper information, application, and hardware backups 
4. Disaster recovery and business continuity plans 
5. Periodic review, drills, tests, and improvement in disaster recovery and business continuity 
plans 
6. Properly informing employees of expected behavior and ramifications of not following these 
expectations 
7. Developing a security policy, standards, procedures, and guidelines 
8. Performing security awareness training 
9. Running updated antivirus software 
10. Periodically performing penetration tests from outside and inside the network 
11. Implementing dial-back or preset dialing features on remote access applications 
12. Abiding by and updating external service level agreements (SLAs) 
13. Ensuring that downstream security responsibilities are being met 
14. Implementing measures that ensure that software piracy is not taking place 
15. Ensuring the proper auditing and reviewing of those audit logs are taking place 
16. Conducting background checks on potential employees" 
Pg. 616 Shon Harris: All-in-One CISSP Certification 
QUESTION 1043: 
Under the standard of due care, failure to achieve the minimum standards would be 
considered 
A. Negligent 
B. Unethical 
C. Abusive 
D. Illegal 
Answer: A 
Due Care: care which an ordinary prudent person would have exercised under the same or 
similar circumstances. "Due Care" and "Reasonable Care" are used interchangeably. - Ronald 
Krutz The CISSP PREP Guide (gold edition) pg 896 
QUESTION 1044: 
Under the principle of culpable negligence, executives can be held liable for losses that 
result from computer system breaches if: 
A. the company is not a multi-national company 
B. they have not exercised due care protecting computing resources 
C. they have failed to properly insure computer resources against loss 
D. the company does not prosecute the hacker that caused the breach 
Answer: B 
QUESTION 1045: 
The criterion for evaluating the legal requirements for implementing safeguards is to 
evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting 
from the exploitation of the corresponding vulnerability. Therefore, a legal liability exists 
when? 
A. C < L 
B. C < L - (residual risk) 
C. C > L 
D. C > L - (residual risk) 
Answer: A 
QUESTION 1046: 
When companies come together to work in an integrated manner such as extranets, special 
care must be taken to ensure that each party promises to provide the necessary level of 
protection, liability and responsibility. These aspects should be defined in the contracts that 
each party signs. What describes this type of liability? 
A. Cascade liabilities 
B. Downstream liabilities 
C. Down-flow liabilities 
D. Down-set liabilities 
Answer: B 
"When companies come together to work in an integrated manner, such as extranets and VANs, 
special care must be taken to ensure that each party promises to provide the necessary level of 
protection, liability, and responsibility needed, which should be clearly defined in the contracts 
that each party signs. Auditing and testing should be performed to ensure that each party is 
indeed holding up its side of the bargain and that its technology integrates properly with all other 
parties. Interoperability can become a large, frustrating, and expensive issue in these types of 
arrangements. 
If one of the companies does not provide the necessary level of protection and their negligence 
affects a partner they are working with, the affected company can sue the upstream company. 
For example, let's say company A and company B have constructed an extranet. Company A 
does not put in controls to detect and deal with viruses. Company A gets infected with a 
destructive virus and it is spread to company B through the extranet. The virus corrupts critical 
data and causes massive disruption to company B's production. Company B can sue company A 
for being negligent. Both companies need to make sure that they are doing their part to ensure 
that their activities, or lack of them, will not negatively affect another company, which is 
referred to as downstream liability." Pg 616 Shon Harris: All-in-One CISSP Certification 
QUESTION 1047: 
The typical computer felons are usually persons with which of the following 
characteristics? 
A. They have had previous contact with law enforcement 
B. They conspire with others 
C. They hold a position of trust 
D. They deviate from the accepted norms of security 
Answer: D 
QUESTION 1048: 
Which of the following is responsible for the most security issues? 
A. Outside espionage 
B. Hackers 
C. Personnel 
D. Equipment Failure 
Answer: C 
QUESTION 1049: 
Hackers are most often interested in: 
A. Helping the community in securing their networks 
B. Seeing how far their skills will take them 
C. Getting recognition for their actions 
D. Money 
Answer: B 
QUESTION 1050: 
Which of the following categories of hackers poses the greatest threat? 
A. Disgruntled employees 
B. Student hackers 
C. Criminal hackers 
D. Corporate spies 
Answer: A 
QUESTION 1051: 
Individuals whose sole aim is breaking into a computer system are referred to as: 
A. Crackers 
B. Sniffers 
C. Hackers 
D. None of the choices. 
Answer: A 
Explanation: 
Crackers are individuals who try to break into a computer system. The term was coined 
in the mid-80s by hackers who wanted to differentiate themselves from individuals whose 
sole purpose is to sneak through security systems. Whereas crackers' sole aim is to 
break into secure systems, hackers are more interested in gaining knowledge about 
computer systems and possibly using this knowledge for playful pranks. Although hackers 
still argue that there's a big difference between what they do and what crackers do, 
the mass media has failed to understand the distinction, so the two terms -- hack and 
crack -- are often used interchangeably. 
QUESTION 1052: 
Which of the following tools is less likely to be used by a hacker? 
A. l0phtcrack 
B. Tripwire 
C. Crack 
D. John the ripper 
Answer: B 
"Other security packages, such as the popular Tripwire data integrity assurance packages, also 
provide a secondary antivirus functionality. Tripwire is designed to alert administrators of 
unauthorized file modifications. It's often used to detect web server defacements and similar 
attacks, but it also may provide some warning of virus infections if critical system executable 
files, such as COMMAND.COM, are modified unexpectedly. These systems work by 
maintaining a database of hash values for all files stored on the system. These archive hash 
values are then compared to current computed values to detect any files that were modified 
between the two periods." Pg. 224 Tittel: CISSP Study Guide 
QUESTION 1053: 
Which of the following tools is not likely to be used by a hacker? 
A. Nessus 
B. Saint 
C. Tripwire 
D. Nmap 
Answer: C 
QUESTION 1054: 
Supporting evidence used to help prove an idea or point is described as what? It cannot stand on 
its own, but is used as a supplementary tool to help prove a primary piece of evidence: 
A. Circumstantial evidence 
B. Corroborative evidence 
C. Opinion evidence 
D. Secondary evidence 
Answer: B 
QUESTION 1055: 
Which of the following would best describe secondary evidence? 
A. Oral testimony by a non-expert witness 
B. Oral testimony by an expert witness 
C. A copy of a piece of evidence 
D. Evidence that proves a specific act 
Answer: C 
QUESTION 1056: 
Which of the following exceptions is less likely to make hearsay evidence admissible in 
court? 
A. Records are collected during the regular conduct of business 
B. Records are collected by senior or executive management 
C. Records are collected at or near the time of occurrence of the act being investigated 
D. Records are in the custody of the witness on a regular basis 
Answer: B 
QUESTION 1057: 
Once evidence is seized, a law enforcement officer should emphasize which of the 
following? 
A. chain of command 
B. chain of custody 
C. chain of control 
D. chain of communications 
Answer: B 
QUESTION 1058: 
Which of the following rules is less likely to allow computer evidence to be admissible in 
court? 
A. It must prove a fact that is material to the case 
B. Its reliability must be proven 
C. The process for producing it must be documented 
D. The chain of custody of evidence must show who collected, secured, controlled, handled, 
transported, and tampered with the evidence 
Answer: C 
QUESTION 1059: 
A copy of evidence or an oral description of its contents, not reliable as best evidence, is what 
type of evidence? 
A. Direct evidence 
B. Circumstantial evidence 
C. Hearsay evidence 
D. Secondary evidence 
Answer: D 
QUESTION 1060: 
What is defined as inference of information from other, intermediate, relevant facts? 
A. Secondary evidence 
B. Conclusive evidence 
C. Hearsay evidence 
D. Circumstantial evidence 
Answer: D 
QUESTION 1061: 
In order to be able to successfully prosecute an intruder: 
A. A point of contact should be designated to be responsible for communicating with law 
enforcement and other external agencies. 
B. A proper chain of custody of evidence has to be preserved 
C. Collection of evidence has to be done following predefined procedures 
D. Whenever possible, analyze a replica of the compromised resource, not the original, thereby 
avoiding inadvertently tampering with evidence 
Answer: B 
QUESTION 1062: 
Which of the following proves or disproves a specific act through oral testimony based on 
information gathered through the witness's five senses? 
A. direct evidence 
B. best evidence 
C. conclusive evidence 
D. hearsay evidence 
Answer: A 
QUESTION 1063: 
In order to preserve a proper chain of custody of evidence: 
A. Evidence has to be collected following predefined procedures in accordance with all laws 
and legal regulations 
B. Law enforcement officials should be contacted for advice on how and when to collect critical 
information 
C. Verifiable documentation indicating the sequence of individuals who have handled a piece of 
evidence should be available. 
D. Log files containing information regarding an intrusion are retained for at least as long as 
normal business records, and longer in the case of an ongoing investigation. 
Answer: A 
QUESTION 1064: 
What is the primary reason for the chain of custody of evidence? 
A. To ensure that no evidence is lost 
B. To ensure that all possible evidence is gathered 
C. To ensure that it will be admissible in court 
D. To ensure that incidents were handled with due care and due diligence 
Answer: C 
QUESTION 1065: 
Which element must computer evidence have to be admissible in court? 
A. It must be relevant 
B. It must be annotated 
C. It must be printed 
D. It must contain source code 
Answer: A 
QUESTION 1066: 
Which kind of evidence would printed business records, manuals, and printouts classify 
as? 
A. Direct evidence 
B. Real evidence 
C. Documentary evidence 
D. Demonstrative evidence 
Answer: B 
QUESTION 1067: 
Since disks and other magnetic media are only copies of the actual or original evidence, 
what type of evidence are they often considered to represent? 
A. Hearsay 
B. Irrelevant 
C. Incomplete 
D. Secondary 
Answer: A 
QUESTION 1068: 
Which of the following is LEAST necessary when creating evidence tags detailing the chain of custody for 
electronic evidence? 
A. The mode and means of transportation. 
B. Notifying the person who owns the information being seized. 
C. Complete description of the evidence, including quality if necessary. 
D. Who received the evidence. 
Answer: B 
The references indicate that transportation is important. 
"Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case 
number if one has been assigned...The pieces of evidence should then be sealed in a container and the container 
should be marked with the same information. The container should be sealed with evidence tape and if possible, 
the writing should be on the tape so a broken seal can be detected." - Shon Harris All-in-one CISSP 
Certification Guide pg 673 
"In many cases, it is not possible for a witness to uniquely identify an object in court. In those 
cases, a chain of evidence must be established. This involves everyone who handles evidence - 
including the police who originally collect it, the evidence technicians who process it, and the 
lawyers who use it in court. The location of the evidence must be fully documented from the 
moment it was collected to the moment it appears in court to ensure that it is indeed the same 
item. This requires thorough labeling of evidence and comprehensive logs noting who had access 
to the evidence at specific times and the reasons they required such access." Pg. 593 Tittel: 
CISSP Study Guide. 
The evidence life cycle covers the evidence gathering and application process. This life cycle has 
the following components: 
* Discovery and recognition 
* Protection 
* Recording 
* Collection 
  - Collect all relevant storage media 
  - Make image of hard disk before removing power 
  - Print out screen 
  - Avoid degaussing equipment 
* Identification 
* Preservation 
  - Protect magnetic media from erasure 
  - Store in proper environment 
* Transportation 
* Presentation in a court of law 
* Return of evidence to owner 
Pg. 309 Krutz: The CISSP Prep Guide 
The life cycle of evidence includes 
* Collection and identification 
* Storage, preservation, and transportation 
* Presentation in court 
* Being returned to victim or owner 
Pg 677 Shon Harris: All-In-One CISSP Certification Exam Guide 
QUESTION 1069: 
To be admissible in court, computer evidence must be which of the following? 
A. relevant 
B. decrypted 
C. edited 
D. incriminating 
Answer: A 
QUESTION 1070: 
Computer-generated evidence is considered: 
A. Best evidence 
B. Second hand evidence 
C. Demonstrative evidence 
D. Direct evidence 
Answer: B 
"Most of the time, computer-related documents are considered hearsay, meaning the evidence is 
secondhand evidence. Hearsay evidence is not normally admissible in court unless it has 
firsthand evidence that can be used to prove the evidence's accuracy, trustworthiness, and 
reliability, such as a businessperson who generated the computer logs and collected them." Pg. 
630 Shon Harris: All-in-One CISSP Certification 
QUESTION 1071: 
Why would a memory dump be admissible as evidence in court? 
A. Because it is used to demonstrate the truth of the contents 
B. Because it is used to identify the state of the system 
C. Because the state of the memory cannot be used as evidence 
D. Because of the exclusionary rule 
Answer: B 
QUESTION 1072: 
Evidence corroboration is achieved by 
A. Creating multiple logs using more than one utility. 
B. Establishing secure procedures for authenticating users. 
C. Maintaining all evidence under the control of an independent source. 
D. Implementing disk mirroring on all devices where log files are stored. 
Answer: C 
"Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own, 
but is used as a supplementary tool to help prove a primary piece of evidence." - Shon Harris All-in-one CISSP 
Certification Guide pg 678 
QUESTION 1073: 
You are documenting a possible computer attack. 
Which one of the following methods is NOT appropriate for legal record keeping? 
A. A bound paper notebook. 
B. An electronic mail document. 
C. A personal computer in "capture" mode that prints immediately. 
D. Microcassette recorder for verbal notes 
Answer: D 
QUESTION 1074: 
Which one of the following is NOT a requirement before a search warrant can be issued? 
A. There is a probable cause that a crime has been committed. 
B. There is an expectation that evidence exists of the crime. 
C. There is probable cause to enter someone's home or business. 
D. There is a written document detailing the anticipated evidence. 
Answer: D 
"If a computer crime is suspected, it is important not to alert the suspect. A preliminary 
investigation should be conducted to determine whether a crime has been committed by 
examining the audit records and system logs, interviewing witnesses, and assessing the damage 
incurred....Search warrants are issued when there is a probable cause for the search and provide 
legal authorization to search a location for specific evidence." -Ronald Krutz The CISSP PREP 
Guide (gold edition) pg 436 
QUESTION 1075: 
Once a decision is made to further investigate a computer crime incident, which one of the following is NOT 
employed? 
A. Identifying what type of system is to be seized. 
B. Identifying the search and seizure team members. 
C. Identifying the cost of damage and plan for their recovery. 
D. Determining the risk that the suspect will destroy evidence. 
Answer: C 
Costs and how to recover are not considered in a computer crime scene incident. 
QUESTION 1076: 
From a legal perspective, which of the following rules must be addressed when investigating a computer 
crime? 
A. Search and seizure 
B. Data protection 
C. Engagement 
D. Evidence 
Answer: D 
"The gathering, control, storage and preservation of evidence are extremely critical in any legal investigation." Pg 432 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 1077: 
Which of the following is not a problem regarding computer investigation issues? 
A. Information is intangible 
B. Evidence is difficult to gather 
C. Computer-generated records are only considered secondary evidence, thus are not as reliable 
as best evidence 
D. In many instances, an expert or specialist is required 
Answer: D 
QUESTION 1078: 
Why is the investigation of computer crime involving malicious damage especially 
challenging? 
A. Information stored in a computer is intangible evidence. 
B. Evidence may be destroyed in an attempt to restore the system. 
C. Isolating criminal activity in a detailed audit log is difficult. 
D. Reports resulting from common user error often obscure the actual violation. 
Answer: B 
The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. 
Because evidence involved in a computer crime might be intangible and subject to easy modification without a 
trace, evidence must be carefully handled and controlled throughout its entire life cycle. -Ronald Krutz The 
CISSP PREP Guide (gold edition) pg 432 
QUESTION 1079: 
After law enforcement is informed of a computer crime, the organization's investigators' 
constraints are 
A. removed. 
B. reduced. 
C. increased. 
D. unchanged. 
Answer: C 
"On the other hand, there are also two major factors that may cause a company to shy away from 
calling in the authorities. First, the investigation will more than likely become public and may 
embarrass the company. Second, law enforcement authorities are bound to conduct an 
investigation that complies with the Fourth Amendment and other legal requirements that may 
not apply to a private investigation." Pg. 529 Tittel: CISSP Study Guide 
QUESTION 1080: 
To understand the "whys" in crime, many times it is necessary to understand MOM. 
Which of the following is not a component of MOM? 
A. Opportunities 
B. Methods 
C. Motivation 
D. Means 
Answer: B 
Reference: pg 600 Shon Harris: All-in-One CISSP Certification 
QUESTION 1081: 
What category of law deals with regulatory standards that regulate performance and 
conduct? Government agencies create these standards, which are usually applied to 
companies and individuals within those companies. 
A. Standards law 
B. Conduct law 
C. Compliance law 
D. Administrative law 
Answer: D 
QUESTION 1082: 
Something that is proprietary to a company and important for its survival and 
profitability falls under what type of intellectual property law? 
A. Trade Property 
B. Trade Asset 
C. Patent 
D. Trade Secret 
Answer: D 
QUESTION 1083: 
Which of the following statements regarding trade secrets is false? 
A. For a company to have a resource qualify as a trade secret, it must provide the company with 
some type of competitive value or advantage 
B. The Trade Secret Law normally protects the expression of the idea of the resource. 
C. Many companies require their employees to sign nondisclosure agreements regarding the 
protection of their trade secrets 
D. A resource can be protected by law if it is not generally known and if it requires special skill, 
ingenuity, and/or expenditure of money and effort to develop it 
Answer: B 
QUESTION 1084: 
Which category of law is also referenced as a Tort law? 
A. Civil law 
B. Criminal law 
C. Administrative law 
D. Public law 
Answer: A 
QUESTION 1085: 
Which of the following European Union (EU) principles pertaining to the protection of 
information on private individuals is incorrect? 
A. Data collected by an organization can be used for any purpose and for as long as necessary, 
as long as it is never communicated outside of the organization by which it was collected 
B. Individuals have the right to correct errors contained in their personal data 
C. Transmission of personal information to locations where "equivalent" personal data 
protection cannot be assured is prohibited. 
D. Records kept on an individual should be accurate and up to date 
Answer: B 
QUESTION 1086: 
A country that fails to legally protect personal data in order to attract companies engaged 
in collection of such data is referred to as a 
A. data pirate 
B. data haven 
C. country of convenience 
D. sanctional nation 
Answer: B 
Correct answer is B. Data Haven. 
Data Haven 
A place where data that cannot legally be kept can be stashed for later use; an offshore web host. 
This is an interesting topic; companies often need information that they are not legally allowed 
to know. For example, some hospitals are not allowed to mark patients as HIV positive (because 
it stigmatizes patients); staff members create codes or other ways so they can take the necessary 
steps to protect themselves. 
http://www.technovelgy.com/ct/content.asp?Bnum=279 
DATA HAVEN 
This phrase has been around for at least 15 years, but only in a specialist way. One sense is that 
of a place of safety and security for electronic information, for example where encrypted copies 
of crucial data can be stored as a backup away from one's place of business. But it can also mean 
a site in which data can be stored outside the jurisdiction of regulatory authorities. This sense has 
come to wider public notice recently as a result of Neal Stephenson's book Cryptonomicon, in 
which the establishment of such a haven in South East Asia is part of the plot. In a classic case of 
life imitating art, there is now a proposal to set up a data haven on one of the old World War 
Two forts off the east coast of Britain, which declared independence under the name of Sealand 
back in 1967 (it issues its own stamps and money, for example). The idea is to get round a 
proposed British law, the Regulation of Investigatory Powers Bill (RIP), that would force firms to 
hand over decryption keys if a crime is suspected and make Internet providers install equipment 
to allow interception of e-mails by the security services. 
The Privacy Act doesn't protect information from being transferred from New Zealand to data 
havens, countries that don't have adequate privacy protection. 
[Computerworld, May 1999] 
The government last night poured cold water on a plan by a group of entrepreneurs to establish a 
"data haven" on a rusting iron fortress in the North Sea in an attempt to circumvent new 
anti-cryptography laws. 
[Guardian, June 2000] 
http://www.worldwidewords.org/turnsofphrase/tp-dat2.htm 
Not C: The majority of Google searches for 'Country of Convenience' relate to countries 
supporting terrorism. 
Not D: The meaning of sanctioned is listed below. This would mean that countries that DON'T 
protect privacy are APPROVED. 
sanction (transitive verb; inflected forms: sanctioned, sanctioning; date: 1778) 
1. to make valid or binding usually by a formal procedure (as ratification) 
2. to give effective or authoritative approval or consent 
QUESTION 1087: 
Which of the following requires all communications carriers to make wiretaps possible? 
A. 1994 U.S. Communications Assistance for Law Enforcement Act 
B. 1996 U.S. Economic and Protection of Property Information Act 
C. 1996 U.S. National Information Infrastructure Protection Act 
D. 1986 U.S. Computer Security Act 
Answer: A 
QUESTION 1088: 
Which of the following U.S. federal government laws/regulations was the first to require 
the development of a computer security plan? 
A. Privacy Act of 1974 
B. Computer Security Act of 1987 
C. Federal Information Resources Management Regulations 
D. Office of Management & Budget Circular A-130 
Answer: B 
Reference: pg 722 Hansche: Official (ISC)2 Guide to the CISSP Exam 
QUESTION 1089: 
Which U.S. act places responsibility on senior organizational management for prevention 
and detection programs with fines of up to $290 million for nonperformance? 
A. The 1987 U.S. Computer Security Act 
B. The 1986 U.S. Computer Fraud and Abuse Act 
C. The 1991 U.S. Federal Sentencing Guidelines 
D. The 1996 U.S. National Information Infrastructure Protection Act 
Answer: C 
Reference: pg 615 Shon Harris: All-in-One CISSP Certification 
QUESTION 1090: 
What document made theft no longer restricted to physical constraints? 
A. The Electronic Espionage Act of 1996 
B. The Gramm Leach Bliley Act of 1999 
C. The Computer Security Act of 1987 
D. The Federal Privacy Act of 1974 
Answer: A 
QUESTION 1091: 
In the US, HIPPA addresses which of the following? 
A. Availability and Accountability 
B. Accuracy and Privacy 
C. Security and Availability 
D. Security and Privacy 
Answer: D 
QUESTION 1092: 
Which of the following placed requirements on federal government agencies to conduct 
security-related training, to identify sensitive systems, and to develop a security plan for 
those sensitive systems? 
A. 1987 U.S. Computer Security Act 
B. 1996 U.S. Economic and Protection of Proprietary Information Act 
C. 1994 U.S. Computer Abuse Amendments Act 
D. 1986 (Amended in 1996) U.S. Computer Fraud and Abuse Act 
Answer: A 
QUESTION 1093: 
Which of the following cannot be undertaken in conjunction with computer incident 
handling? 
A. system development activity 
B. help-desk function 
C. system backup function 
D. risk management process 
Answer: A 
QUESTION 1094: 
What is the primary goal of incident handling? 
A. Successfully retrieve all evidence that can be used to prosecute 
B. Improve the company's ability to be prepared for threats and disasters 
C. Improve the company's disaster recovery plan 
D. Contain and repair any damage caused by an event 
Answer: D 
Reference: Page 629 of Shon Harris's All in One Exam Guide, Second Ed. 
QUESTION 1095: 
Which one of the following is NOT a factor to consider when establishing a core incident 
response team? 
A. Technical knowledge 
B. Communication skills 
C. The recovery capability 
D. Understanding business policy 
Answer: C 
The team should have someone from senior management, the network administrator, security 
officer, possibly a network engineer and/or programmer, and liaison for public affairs...The 
incident response team should have the following basic items: 
* List of outside agencies and resources to contact or report to 
* List of computer or forensics experts to contact 
* Steps on how to secure and preserve evidence 
* Steps on how to search for evidence 
* List of items that should be included on the report 
* A list that indicates how the different systems should be treated in this type of situation 
(removed from internet, removed from the network, and powered down) 
- Shon Harris All-in-one CISSP Certification Guide pg 671-672 
...an investigation should involve management, corporate security, human resources, the legal 
department, and other appropriate staff members. The act of investigating may also affect critical 
operations...Thus it is important to prepare a plan beforehand on how to handle reports of 
suspected computer crimes. A committee of appropriate personnel should be set up beforehand 
to address the following issues: 
* Establishing a prior liaison with law enforcement 
* Deciding when and whether to bring in law enforcement... 
* Setting up means of reporting computer crimes 
* Establishing procedures for handling and processing reports of computer crime 
* Planning for and conducting investigations 
* Involving senior management and the appropriate departments, such as legal, internal audit, 
information systems, and human resources 
* Ensuring the proper collection of evidence, which includes identification and protection of the 
various storage media. 
- Ronald Krutz The CISSP PREP Guide (gold edition) pg 435-436 
QUESTION 1096: 
Which of the following specifically addresses cyber attacks against an organization's IT 
systems? 
A. Continuity of support plan 
B. Business continuity plan 
C. Incident response plan 
D. Continuity of operations plan 
Answer: C 
QUESTION 1097: 
When should a post-mortem review meeting be held after an intrusion has been properly 
taken care of? 
A. Within the first three months after the investigation of the intrusion is completed 
B. Within the first week after prosecution of intruders has taken place, whether successful or 
not 
C. Within the first month after the investigation of the intrusion is completed 
D. Within the first week of completing the investigation of the intrusion 
Answer: D 
QUESTION 1098: 
During a review of system logs of the enterprise, a security manager discovers that a colleague working on an 
exercise ran a job to collect confidential information on the company's clients. The colleague who ran the job 
has since left the company to work for a competitor. Based on the (ISC)2 Code of Ethics, which one of the 
following statements is MOST correct? 
A. The manager should call the colleague and explain what has been discovered. The manager should then ask 
for the return of the information in exchange for silence. 
B. The manager should warn the competitor that a potential crime has been committed that could put their 
company at risk. 
C. The manager should inform his or her appropriate company management, and secure the results of the 
recovery exercise for future review. 
D. The manager should call the colleague and ask the purpose of running the job prior to informing his or her 
company management of the situation. 
Answer: C 
In the references I have not found anything that directly relates to this, but it would be logical 
to assume the answer of going to the necessary management. 
"ISC2 Code of Ethics.... 
...Not commit or be party to any unlawful or unethical act that may negatively affect their 
professional reputation or the reputation of their profession. 
...Appropriately report activity related to the profession that they believe to be unlawful and shall 
cooperate with the resulting investigations." -Ronald Krutz The CISSP PREP Guide (gold 
edition) pg 440 
QUESTION 1099: 
In what way could the use of "cookies" violate a person's privacy? 
A. When they are used to tie together a set of unconnected requests for web pages to cause an electronic map of 
where one has been. 
B. When they are used to keep logs of who is using an anonymizer to access a site instead of their regular 
userid. 
C. When the e-mail addresses of users that have registered to access the web site are sold to marketing firms. 
Answer: A 
Both A and C are correct in that they are true, but from a CISSP viewpoint, looking into a PC, the cookies 
show a map of where the user has been. Therefore I think A is the better choice. 
"Any web site that knows your identity and has a cookie for you could set up procedures to exchange their data 
with the companies that buy advertising space from them, synchronizing the cookies they both have on your 
computer. This possibility means that once your identity becomes known to a single company listed in your 
cookies file, any of the others might know who you are every time you visit their sites. 
The result is that a web site about gardening that you never told your name could sell not only your name to 
mail-order companies, but also the fact that you spent a lot of time one Saturday night last June reading about 
how to fertilize roses. More disturbing scenarios along the same lines could be imagined." 
http://www.junkbusters.com/cookies.html 
QUESTION 1100: 
Which of the following is the BEST way to prevent software license violations? 
A. Implementing a corporate policy on copyright infringements and software use 
B. Requiring that all PCs be diskless workstations 
C. Installing metering software on the LAN so applications can be accessed through the metered 
software 
D. Regularly scanning used PCs to ensure that unauthorized copies of software have not been 
loaded on the PC 
Answer: D 
QUESTION 1101: 
The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: 
A. moral 
B. ethical 
C. legal 
D. control 
Answer: D 
QUESTION 1102: 
Where can the phrase "Discourage unsafe practice" be found? 
A. Computer Ethics Institute commandments 
B. (ISC)2 Code of Ethics 
C. Internet Activities Board's Ethics and the Internet (RFC1087) 
D. CIAC Guidelines 
Answer: B 
QUESTION 1103: 
One of the offences an individual or company can commit is decompiling vendor code. This 
is usually done in the hopes of understanding the intricate details of its functionality. What 
best describes this type of non-ethical engineering? 
A. Inverse Engineering 
B. Backward Engineering 
C. Subvert Engineering 
D. Reverse Engineering 
Answer: D 
QUESTION 1104: 
Which one of the following is an ethical consideration of computer technology? 
A. Ownership of proprietary software. 
B. Information resource management. 
C. Service level agreements. 
D. System implementation and design. 
Answer: A 
I can only assume that they mean piracy or something. 
QUESTION 1105: 
The Internet Activities Board characterizes which of the following as unethical behavior 
for Internet users? 
A. Writing computer viruses 
B. Monitoring data traffic 
C. Wasting computer resources 
D. Concealing unauthorized accesses 
Answer: D 
QUESTION 1106: 
Which of the following is a potential problem when creating a message digest for forensic 
purposes? 
A. The process is very slow. 
B. The file's last access time is changed. 
C. The message digest is almost as long as the data string. 
D. One-way hashing technology invalidates message digest processing. 
Answer: D 
Not C. 
"To generate a digital signature, the digital signature program passes the file to be sent through a 
one-way hash function. This hash function produces a fixed size output from a variable size 
input." Pg. 208 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 1107: 
A forensic examination should inspect slack space because it 
A. Contains system level access control kernel. 
B. Can contain a hidden file or data. 
C. Can contain vital system information. 
D. Can be deleted to avoid detection. 
Answer: B 
QUESTION 1108: 
Forensic imaging of a workstation is initiated by 
A. Booting the machine with the installed operating system. 
B. Booting the machine with an operating system diskette. 
C. Removing the hard drive to view the output of the forensic imaging software. 
D. Directing the output of the forensic imaging software to the small computer system interface (SCSI). 
Answer: D 
"It is very important that the person, or people, conducting the forensics investigation is skilled 
in this trade and knows what to look out for. If a person reboots the attacked system or goes 
around looking at different files, it could corrupt viable evidence, change timestamps on key 
files, and erase footprints the criminal may have left. One very good first step is to make a sound 
image of the attacked system and perform forensic analysis on this copy. This will ensure that 
the evidence stays unharmed on the original system in case some steps in the investigation 
actually corrupt or destroy data. Also the memory of the system should be dumped to a file 
before doing any work on the system or powering it down." - Shon Harris All-in-one CISSP 
Certification Guide pg 672-673 
PCMCIA to SCSI and parallel to SCSI forensic products can be found at the following vendor. 
http://www.icsforensic.com/products_cat_fr.cfm 
QUESTION 1109: 
A disk image backup is used for forensic investigation because it 
A. Is based on secured hardware technology. 
B. Creates a bit level copy of the entire disk. 
C. Time stamps the files with the date and time of the copy operation. 
D. Excludes areas that have never been used to store data. 
Answer: B 
Never conduct your investigation on an actual system that was compromised. Take the system 
offline, make a backup, and use the backup to investigate the incident. - Ed Tittel CISSP Study 
Guide (Sybex) pg 595 
QUESTION 1110: 
When it comes to magnetic media sanitization, what difference can be made between 
clearing and purging information? 
A. Clearing completely erases the media whereas purging only removes file headers, allowing 
the recovery of files 
B. Clearing renders information unrecoverable by a keyboard attack and purging renders 
information unrecoverable against laboratory attack 
C. They both involve rewriting the media 
D. Clearing renders information unrecoverable against a laboratory attack and purging renders 
information unrecoverable to a keyboard attack 
Answer: B 
Reference: pg 405 Tittel: CISSP Study Guide 
QUESTION 1111: 
What is HIPPA? 
A. The Home Insurance Portability & Accountability Act of 1996 (August 21), Public Law 
104-191, which amends the Internal Revenue Service Code of 1986. Also known as the 
Kennedy-Kassebaum Act. 
B. The Public Health Insurance Portability & Accountability Act of 1996 (August 21), Public 
Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the 
Kennedy-Kassebaum Act. 
C. The Health Insurance Privacy & Accountability Act of 1996 (August 2), Public Law 104-191, 
which amends the Internal Revenue Service Code of 1986. Also known as the 
Kennedy-Kassebaum Act. 
D. The Health Insurance Privacy & Accountability Act of 1996 (August 2), Public Law 
104-191, which amends the Internal Revenue Service Code of 1986. Also known as the 
Kennedy-Kassebaum Act. 
Answer: B 
Explanation: 
"The United States Kennedy-Kassebaum Health Insurance Portability and Accountability Act 
(HIPPA-Public Law 104-191), effective August 21, 1996, addresses the issues of health care 
privacy, security, transactions and code sets, unique identifiers, electronic signatures, and plan 
portability in the United States." Pg 499-500 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 1112: 
The privacy provisions of the federal law, the Health Insurance Portability and 
Accountability Act of 1996 (HIPPA), 
A. apply to certain types of critical health information created or maintained by health care 
providers who engage in certain electronic transactions, health plans, and health care 
clearinghouses. 
B. apply to health information created or maintained by health care providers who engage in 
certain electronic transactions, health plans, and health care clearinghouses. 
C. apply to health information created or maintained by some large health care providers who 
engage in certain electronic transactions, health plans, and health care clearinghouses. 
D. apply to health information created or maintained by health care providers regardless of 
whether they engage in certain electronic transactions, health plans, and health care 
clearinghouses. 
Answer: B 
QUESTION 1113: 
Gap analysis does not apply to 
A. Transactions 
B. availability 
C. Privacy 
D. Security 
Answer: B 
QUESTION 1114: 
A gap analysis for Privacy refers 
A. to the practice of identifying the policies and procedures you currently have in place 
regarding the availability of protected health information. 
B. to the practice of identifying the policies and procedures you currently have in place 
regarding the confidentiality of protected health information. 
C. to the practice of identifying the policies and procedures you currently have in place 
regarding the authenticity of protected health information. 
D. to the practices of identifying the legislation you currently have in place regarding the 
confidentiality of protected health information. 
Answer: B 
QUESTION 1115: 
A gap analysis for Privacy 
A. includes a comparison of your proposed policies and procedures and the requirements 
established in the Security and Privacy Regulation in order to identify any necessary 
modifications in existing policies to satisfy HIPPA regulations when they are stricter than state 
privacy laws. 
B. includes a comparison of your current policies and procedures and the requirements 
established in the Security and Privacy Regulation in order to identify any necessary 
modifications in existing policies to satisfy HIPPA regulations when they are stricter than state 
privacy laws 
C. includes a comparison of your ideal policies and procedures and the requirements established 
in the Security and Privacy Regulation in order to identify any necessary modifications in 
existing policies to satisfy HIPPA regulations when they are stricter than state privacy laws. 
D. includes a comparison of your exceptional policies and procedures and the requirements 
established in the Security and Privacy Regulation in order to identify any necessary 
modifications in existing policies to satisfy HIPPA regulations when they are stricter than state 
privacy laws 
Answer: B 
QUESTION 1116: 
What is a gap analysis in relationship to HIPPA? 
A. In terms of HIPPA, a gap analysis cannot be defined. 
B. In terms of HIPPA, a gap analysis defines what an organization currently is doing in a 
specific area of their organization and compares current operations to other requirements 
mandated by ethical standards. 
C. In terms of HIPPA, a gap analysis defines what an organization currently is doing in a 
specific area of their organization and compares current operations to other requirements 
mandated by state or federal law 
D. In terms of HIPPA, a gap analysis defines what an organization proposes to be doing in a 
specific area of their organization and compares proposed operations to other requirements 
mandated by state or federal law. 
Answer: C 
QUESTION 1117: 
The privacy provisions of the federal law, the Health Insurance Portability and 
Accountability Act of 1996 (HIPPA), apply to certain types of health information created 
or maintained by health care providers 
A. who engage in certain electronic transactions, health plans, and health care clearinghouses 
B. who do not engage in certain electronic transactions, health plans, and health care 
clearinghouses 
C. regardless of whether they engage in certain electronic transactions, health plans, and health 
care clearinghouses 
D. if they engage for a majority of days in a year in certain electronic transactions, health plans, 
and health care clearinghouses. 
Answer: A 
QUESTION 1118: 
HIPPA preempts state laws 
A. except to the extent that the state law is less stringent 
B. regardless of the extent that the state law is more stringent 
C. except to the extent that the state law is more stringent 
D. except to the extent that the state law is legislated later than HIPPA 
Answer: C 
QUESTION 1119: 
The Implementation Guides 
A. are referred to in the Static Rule 
B. are referred to in the Transaction Rule 
C. are referred to in the Transitional Rule 
D. are referred to in the Acquisition Rule 
Answer: B 
QUESTION 1120: 
The HIPPA task force must first 
A. inventory the organization's systems, processes, policies, procedures and data to determine 
which elements are critical to patient care and central to the organization's business 
B. inventory the organization's systems, processes, policies, procedures and data to determine 
which elements are non critical to patient care and central to the organization's business 
C. inventory the organization's systems, processes, policies, procedures and data to determine 
which elements are critical to patient complaints and central to the organization's peripheral 
businesses 
D. modify the organization's systems, processes, policies, procedures and data to determine 
which elements are critical to patient care and central to the organization's business 
Answer: A 
QUESTION 1121: 
A covered healthcare provider with a direct treatment relationship with an individual 
need not: 
A. provide the notice no later than the date of the first service delivery, including service 
delivered electronically 
B. have the notice available at the service delivery site for individuals to request and keep 
C. get an acknowledgement of the notice from each individual on stamped paper 
D. post the notice in a clear and prominent location where it is reasonable to expect individuals 
seeking service from the covered healthcare provider to be able to read it 
Answer: C 
QUESTION 1122: 
A health plan may conduct its covered transactions through a clearinghouse, and may 
require a provider to conduct covered transactions with it through a clearinghouse. The 
incremental cost of doing so must be borne 
A. by the HIPPA authorities 
B. by the health plan 
C. by any other entity but the health plan 
D. by insurance companies 
Answer: B 
QUESTION 1123: 
Covered entities (certain health care providers, health plans, and health care 
clearinghouses) are not required to comply with the HIPPA Privacy Rule until the 
compliance date. Covered entities may, of course, decide to: 
A. unvoluntarily protect patient health information before this date 
B. voluntarily protect patient health information before this date 
C. after taking permission, voluntarily protect patient health information before this date 
D. compulsorily protect patient health information before this date 
Answer: B 
QUESTION 1124: 
The confidentiality of alcohol and drug abuse patient records maintained by this program 
is protected by federal law and regulations. Generally, the program may not say to a 
person outside the program that a patient attends the program, or disclose any information 
identifying a patient as an alcohol or drug abuser even if: 
A. the person outside the program gives a written request for the information 
B. the patient consents in writing 
C. the disclosure is allowed by a court order 
D. the disclosure is made to medical personnel in a medical emergency or to qualified personnel 
for research, audit, or program evaluation. 
Answer: D 
Explanation: 
Incident handling is not related to disaster recovery; it is related to security incidents. 
QUESTION 1125: 
What is a Covered Entity? The term "Covered Entity" is defined in 160.103 of the 
regulation. 
A. The definition is complicated and long. 
B. The definition is referred to in the Secure Computing Act 
C. The definition is very detailed. 
D. The definition is deceptively simple and short 
Answer: D 
QUESTION 1126: 
Are employers required to submit enrollments by the standard transactions? 
A. Though employers are not CEs, they have to send enrollment using HIPAA standard 
transactions. However, the employer health plan IS a CE and must be able to conduct applicable 
transactions using the HIPAA standards. 
B. Employers are not CEs and do not have to send enrollment using HIPAA standard 
transactions. However, the employer health plan IS a CE and must be able to conduct applicable 
transactions using the HIPAA standards. 
C. Employers are CEs and have to send enrollment using HIPAA standard transactions. 
However, the employer health plan IS a CE and must be able to conduct applicable transactions 
using the HIPAA standards. 
D. Employers are CEs and do not have to send enrollment using HIPAA standard transactions. 
Further, the employer health plan IS also a CE and must be able to conduct applicable 
transactions using the HIPAA standards. 
Answer: B 
QUESTION 1127: 
Employers 
A. often advocate on behalf of their employees in benefit disputes and appeals, answer 
questions with regard to the health plan, and generally help them navigate their health benefits. 
B. sometimes advocate on behalf of their employees in benefit disputes and appeals, answer 
questions with regard to the health plan, and generally help them navigate their health benefits. 
C. never advocate on behalf of their employees in benefit disputes and appeals, answer 
questions with regard to the health plan, and generally help them navigate their health benefits. 
D. are prohibited by plan sponsors from advocating on behalf of group health plan participants 
or providing assistance in understanding their health plan. 
Answer: A 
QUESTION 1128: 
Employers 
A. are covered entities if they do not use encryption 
B. are covered entities 
C. are not legal entities 
D. are not covered entities 
Answer: D 
QUESTION 1129: 
The HIPAA task force must inventory the organization's systems, processes, policies, 
procedures and data to determine which elements are critical to patient care and central to 
the organization's business. All must be inventoried and listed 
A. by priority as well as encryption levels, authenticity, storage-devices, availability, reliability, 
access and use. The person responsible for criticality analysis must remain mission-focused and 
carefully document all the criteria used. 
B. by priority and cost as well as availability, reliability, access and use. The person responsible 
for criticality analysis must remain mission-focused and carefully document all the criteria used. 
C. by priority as well as availability, reliability, access and use. The person responsible for 
criticality analysis must remain mission-focused but need not document all the criteria used. 
D. by priority as well as availability, reliability, access and use. The person responsible for 
criticality analysis must remain mission-focused and carefully document all the criteria used. 
Answer: D 
QUESTION 1130: 
Are there penalties under HIPAA? 
A. No penalties 
B. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up 
to $25k for multiple violations of the same standard in a calendar year -- fines up to $250k 
and/or imprisonment up to 10 years for knowing misuse of individually identifiable health 
information. 
C. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up 
to 50k for multiple violations of the same standard in a calendar year -- fines up to $500k and/or 
imprisonment up to 10 years for knowing misuse of individually identifiable health information 
D. HIPAA calls for severe civil and criminal penalties for noncompliance, including: -- fines up 
to $100 for multiple violations of the same standard in a calendar year -- fines up to $750k 
and/or imprisonment up to 20 years for knowing misuse of individually identifiable health 
information 
Answer: B 
QUESTION 1131: 
HIPAA gave the option to adopt other financial and administrative transactions standards, 
"consistent with the goals of improving the operation of the health care system and reducing 
administrative costs" to 
A. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically 
after October 16, 2003. 
B. ASCA prohibits HHS from paying Medicare claims that are not submitted on paper after 
October 16, 2003 
C. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically 
after October 16, 2003, unless the Secretary grants a waiver from this requirement 
D. No 
Answer: C 
QUESTION 1132: 
May a health plan require a provider to use a health care clearinghouse to conduct a 
HIPAA-covered transaction, or must the health plan acquire the ability to conduct the 
transaction directly with those providers capable of conducting direct transactions? 
A. A health plan may conduct its covered transactions through a clearinghouse, and may require 
a provider to conduct covered transactions with it through a clearinghouse. But the incremental 
cost of doing so must be borne by the health plan. It is a cost-benefit decision on the part of the 
health plan whether to acquire the ability to conduct HIPAA transactions directly with other 
entities, or to require use of a clearinghouse. 
B. A health plan may not conduct its covered transactions through a clearinghouse 
C. A health plan may, after taking specific permission from HIPAA authorities, conduct its 
covered transactions through a clearinghouse 
D. is not, as per HIPAA, allowed to require a provider to conduct covered transactions with it 
through a clearinghouse 
Answer: A 
QUESTION 1133: 
Business Associate Agreements are required by the regulation whenever a business 
associate relationship exists. This is true even when the business associates are both 
covered entities. 
A. There are no specific elements which must be included in a Business Associate Agreement. 
However some recommended but not compulsory elements are listed in 164.504(e) (2) 
B. There are specific elements which must be included in a Business Associate Agreement. 
These elements are listed in Privacy Legislation 
C. There are no specific elements which must be included in a Business Associate Agreement. 
D. There are specific elements which must be included in a Business Associate Agreement. 
These elements are listed in 164.504(e) (2) 
Answer: D 
QUESTION 1134: 
The Implementation Guides 
A. are referred to in the Transaction Rule 
B. are not referred to in the Transaction Rule 
C. are referred to in the Compliance Rules 
D. are referred to in the Confidentiality Rule 
Answer: A 
QUESTION 1135: 
Business Associates 
A. are entities that perform services that require the use of Protected Health Information on 
behalf of Covered Entities. One covered entity may be a business partner of another covered 
entity 
B. are entities that do not perform services that require the use of Protected Health Information 
on behalf of Covered Entities. One covered entity may be a business partner of another covered 
entity 
C. are entities that perform services that require the use of Encrypted Insurance Information on 
behalf of Covered Entities. One covered entity may be a business partner of another covered 
entity 
D. are entities that perform services that require the use of Protected Health Information on 
behalf of Covered Entities. One covered entity cannot be a business partner of another covered 
entity. 
Answer: A 
QUESTION 1136: 
Health Care Providers, however, 
A. become the business associates of health plans even without joining a network 
B. become the business associates of health plans by simply joining a network 
C. do not become the business associates of health plans by simply joining a network 
D. do not become the HIPAA associates of health plans by simply joining a network 
Answer: C 
QUESTION 1137: 
In HIPAA terms, identifying what an organization is currently doing in a specific area of the 
organization and comparing current operations to the requirements mandated by state or 
federal law is called 
A. HIPAA status analysis 
B. gap analysis 
C. comparison analysis 
D. stop-gap analysis 
Answer: B 
QUESTION 1138: 
Group Health Plans sponsored or maintained by employers, however, 
A. ARE SOMETIMES covered entities. 
B. ARE NOT covered entities. 
C. ARE covered entities 
D. ARE called uncovered entities 
Answer: C 
QUESTION 1139: 
Employers often advocate on behalf of their employees in benefit disputes and appeals, 
answer questions with regard to the health plan, and generally help them navigate their 
health benefits. Is this type of assistance allowed under the regulation? 
A. The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of 
group health plan participants or providing assistance in understanding their health plans. 
B. The final rule prohibits plan sponsors from advocating on behalf of group health plan 
participants or providing assistance in understanding their health plans 
C. The final rule does hinder but does not prohibit plan sponsors from advocating on behalf of 
group health plan participants or providing assistance in understanding their health plans 
D. The final rule does no advocating on behalf of group health plan participants or provide 
assistance in understanding their health plan. 
Answer: A 
QUESTION 1140:
HIPAA does not call for: 
A. Standardization of electronic patient health, administrative and financial data 
B. Unique health identifiers for individuals, employers, health plans, and health care providers. 
C. Common health identifiers for individuals, employers, health plans and health care providers. 
D. Security standards protecting the confidentiality and integrity of "individually identifiable 
health information," past, present or future. 
Answer: C 
QUESTION 1141: 
A gap analysis for the Transactions set refers to the practice of identifying the data content 
you currently have available 
A. through your medical software 
B. through your accounting software 
C. through competing unit medical software 
D. based on the statutory authorities report 
Answer: A 
QUESTION 1142: 
A gap analysis for the Transactions set does not refer to 
A. the practice of identifying the data content you currently have available through your 
medical software 
B. the practice of comparing that content to what is required by HIPAA, and ensuring there 
is a match. 
C. requiring you to study the specific format of a regulated transaction to ensure that the 
order of the information when sent electronically matches the order that is mandated in the 
Implementation Guides. 
D. not requiring you to study the specific format of a regulated transaction to ensure 
that the order of information when sent electronically matches the order that is mandated in the 
Implementation Guides. 
Answer: D 
QUESTION 1143: 
Health Information Rights: although your health record is the physical property of the 
healthcare practitioner or facility that compiled it, the information belongs to you. You do 
not have the right to: 
A. obtain a paper copy of the notice of information practices upon request inspect and obtain a 
copy of your health record as provided for in 45 CFR 164.524 
B. request a restriction on certain uses and disclosures of your information outside the terms as 
provided by 45 CFR 164.522 
C. amend your health record as provided in 45 CFR 164.528 obtain an accounting of disclosures 
of your health information as provided in 45 CFR 164.528 
D. revoke your authorization to use or disclose health information except to the extent that 
action has already been taken 
Answer: B 
QUESTION 1144: 
Employers often advocate on behalf of their employees in benefit disputes and appeals, 
answer questions with regard to the health plan, and generally help them navigate their 
health benefits. Is individual consent required? 
A. No 
B. Sometimes 
C. Yes 
D. The answer is indeterminate 
Answer: C 
QUESTION 1145: 
Who enforces HIPAA? 
A. The Office of Civil Rights of the Department of Confidentiality Services is responsible for 
enforcement of these rules 
B. The Office of Civil Rights of the Department of Health and Human Services is responsible 
for enforcement of these rules 
C. The Office of Health Workers Rights of the Department of Health and Human Services is 
responsible for enforcement of these rules 
D. The Department of Civil Rights of the Office of Health and Human Services is responsible 
for enforcement of these rules 
Answer: B 
QUESTION 1146: 
Gap analysis does not apply to 
A. Transactions 
B. availability 
C. Privacy 
D. Security 
Answer: B 
QUESTION 1147: 
A gap analysis for Security 
A. refers to the practice of trusting the security policies and practices currently in place in your 
organization designed to protect all your data from unauthorized access, alteration or 
inadvertent disclosure. 
B. refers to the practice of modifying the security policies and practices currently in place in 
your organization designed to protect all your data from unauthorized access, alteration or 
inadvertent disclosure. 
C. refers to the practice of identifying the security policies and practices currently in place in 
your organization designed to protect all your data from unauthorized access, alteration or 
inadvertent disclosure. 
D. refers to the practice of improving the security policies and practices currently in place in 
your organization designed to protect all your data from unauthorized access, alteration or 
inadvertent disclosure. 
Answer: C 
QUESTION 1148: 
The Implementation Guides are referred to in the Transaction Rule. The manuals are 
A. non-technical in nature and do not specifically state what the data content should be for each 
HIPAA transaction. They also do not state the order in which this data must appear when 
transmitted electronically. 
B. theoretical in nature and specifically state what the data content should be for each HIPAA 
transaction. They also state the order in which this data must appear when transmitted 
electronically. 
C. technical in nature and specifically state what the data content should be for each HIPAA 
transaction. They do not state the order in which this data must appear when transmitted 
electronically. 
D. technical in nature and specifically state what the data content should be for each HIPAA 
transaction. They also state the order in which this data must appear when transmitted 
electronically. 
Answer: D 
QUESTION 1149: 
Title II of HIPAA includes a section, Administrative Simplification, not requiring: 
A. Improved efficiency in healthcare delivery by standardizing electronic data interchange 
B. Protection of confidentiality of health data through setting and enforcing standards 
C. Protection of security of health data through setting and enforcing standards 
D. Protection of availability of health data through setting and enforcing standards 
Answer: D 
QUESTION 1150: 
Who is not affected by HIPAA? 
A. clearinghouses 
B. banks 
C. universities 
D. billing agencies 
Answer: B 
QUESTION 1151: 
HIPAA results in 
A. sweeping changes in some healthcare transaction and administrative information systems 
B. sweeping changes in most healthcare transaction and administrative information systems 
C. minor changes in most healthcare transaction and administrative information systems 
D. no changes in most healthcare transaction and minor changes in administrative information 
systems 
Answer: B 
QUESTION 1152: 
Which one is an example of a man-in-the-middle attack? 
A. Buffer overflow 
B. DoS attack 
C. All of the above 
D. None of the above 
Answer: D 
Explanation: A and B are wrong: both could be the result of a man-in-the-middle attack, 
but neither is a man-in-the-middle attack. For example, someone who uses a packet-capturing 
device such as a "sniffer" to obtain an unencrypted user ID and password to one or more PCs 
or servers could then use those platforms to launch a DoS attack or create a buffer overflow 
by exploiting an application flaw or OS vulnerability. 
QUESTION 1153: 
Which one of these is a basic firewall? 
A. Packet Filtering Firewalls 
B. Proxy Firewalls 
C. All of the above 
D. None of the above 
Answer: A 
Explanation: Packet Filtering Firewall - only examines an IP packet based on 
Source IP (SIP), Destination IP (DIP), Source Port and Destination Port for both 
UDP and TCP by subjecting each IP packet to an Access Control List. 
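The access-control-list evaluation described above, as an added example that is not part of the original question bank: a minimal stateless packet filter that decides each packet from protocol, source/destination IP and ports only, with first-match semantics and an implicit deny. The addresses, the rule set and the sample packets are constructed for illustration (documentation address ranges), and the `spoofed_reply` sample shows the limitation of a basic packet filter that the explanation's "examines an IP packet" wording implies: without connection state, a rule that admits return traffic admits anything that merely looks like return traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# A packet-filtering firewall decides per packet, from header fields only:
# protocol, source/destination IP and source/destination port. No connection
# state is kept, which is the limitation the return-traffic rule below exposes.

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # source port
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    proto: str                            # "tcp", "udp" or "any"
    src: str                              # source prefix in CIDR notation
    dst: str                              # destination prefix in CIDR notation
    dports: Tuple[int, int]               # inclusive destination port range
    sports: Tuple[int, int] = (0, 65535)  # inclusive source port range

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.sports[0] <= p.sport <= self.sports[1]
            and self.dports[0] <= p.dport <= self.dports[1]
        )

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

# Constructed ACL for a hypothetical DMZ with one web server and one DNS server
# (all addresses are documentation ranges chosen for this example).
WEB, DNS, OFFICE = "192.0.2.10/32", "192.0.2.53/32", "198.51.100.0/24"
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", WEB, (443, 443)),                 # inbound HTTPS
    Rule("permit", "tcp", WEB, "0.0.0.0/0", (1024, 65535), (443, 443)),  # HTTPS replies
    Rule("permit", "udp", OFFICE, DNS, (53, 53)),                        # office DNS lookups
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),           # explicit deny-all
]

def decisions() -> dict:
    """Evaluate a few constructed packets against the ACL."""
    samples = {
        "https_in": Packet("tcp", "203.0.113.5", "192.0.2.10", 51515, 443),
        "ssh_in": Packet("tcp", "203.0.113.5", "192.0.2.10", 51516, 22),
        "dns_office": Packet("udp", "198.51.100.7", "192.0.2.53", 40000, 53),
        "dns_outside": Packet("udp", "203.0.113.5", "192.0.2.53", 40001, 53),
        "https_reply": Packet("tcp", "192.0.2.10", "203.0.113.5", 443, 51515),
        # A stateless filter cannot tell a genuine reply from any other packet
        # that sets source port 443, so this outbound packet to port 3389 is
        # also permitted. Stateful inspection exists to close exactly this gap.
        "spoofed_reply": Packet("tcp", "192.0.2.10", "203.0.113.9", 443, 3389),
    }
    return {name: evaluate(ACL, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:14s} {verdict}")
```

When reviewing a real packet-filter rule base, look for the same pattern: any rule whose only selector for "return traffic" is a well-known source port is a candidate for replacement by a stateful rule.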
QUESTION 1154: 
Why is there an exception area in a policy? 
A. Policy isn't valid without it 
B. Management has to deal with various issues that may require exceptions 
C. All of the above 
D. None of the above 
Answer: B 
Explanation: Policies are an ever-evolving process that requires updating. Policies must 
change as the goals, functions and responsibilities of a company, government or 
employee change. A simple policy could be: No unauthorized person or 
persons can enter the computer room. The exception would be: Unless cleared by 
management and escorted by an authorized individual. In some cases there are NO 
exceptions. An example: Military TOP SECRET information can ONLY be handled 
by someone with a TOP SECRET clearance; thus answer A is incorrect. 
QUESTION 1155: 
Which is a characteristic of IDEA? 
A. 56 bytes 
B. 64 bits 
C. 64 bytes 
D. All of the above 
E. None of the above 
Answer: B 
Explanation: From Wikipedia: International Data Encryption Algorithm (IDEA) 
operates on 64-bit blocks using a 128-bit key, and consists of a series of eight 
identical transformations (a round, see the illustration) and an output 
transformation (the half-round). The processes for encryption and decryption are 
similar. IDEA derives much of its security by interleaving operations from different 
groups - modular addition and multiplication, and bitwise eXclusive OR (XOR) - 
which are algebraically "incompatible" in some sense. 
QUESTION 1156: 
Which of the following can be used to raise awareness of the importance of security and 
risk? 
A. Money 
B. All of the above 
C. None of the above 
Answer: C 
Explanation: C is the only logical choice. Awareness of the importance of security 
and risk cannot be improved, nor awareness increased, with money alone. 
Awareness is produced by providing employees with education and training. 
Reference the Training and Education Triad. Exam Cram 2 CISSP Page 52 
QUESTION 1157: 
Which mechanism complements an IDS? 
A. Activating the built in VPN capabilities 
B. Configuring built in alerts 
C. All of the above 
D. None of the above 
Answer: B 
Explanation: A network security engineer or other security personnel must configure 
the IDS to detect alerts for specified security events, so the IDS will log the threat 
event. An IDS can either be a Network or Host based. Both have default settings and 
allow the administrator to configure triggers for alerts. 
QUESTION 1158: 
A programmer creates a virus-producing tool in order to test the performance of a new 
virus detection product. 
A. This is ethical because it was created to test and enhance the performance of a virus 
protection tool 
B. It's unethical because the virus creating tool may become available to the public. 
C. All of the above 
D. None of the above 
Answer: B 
Explanation: As a CISSP, one needs to discourage unsafe practices and/or bad 
practices, and preserve and strengthen the integrity of the public infrastructures. 
See "All-in-One Exam Guide" Third Edition by Shon Harris page 753 or 
www.isc2.org. 
QUESTION 1159: 
A product cost $20,000. The cost to restore information is $1,000,000. The product is 60% 
effective. What is the value of the product in 2 years? 
Answer: 
Explanation: This question makes no sense. There are some questions on the actual 
CISSP exam that are used for research purposes only and are not used to grade 
the exam. This problem is not an SLE, because SLE pertains to a one-year period of 
time. Based on the information provided, the value of the product could be lower or 
higher due to market demand. This question has more to do with economics than 
SLE. 
QUESTION 1160: 
What is the SLE? 
Answer: 
Explanation: Single Loss Expectancy (SLE) 
Estimate potential losses (SLE): this step involves determining the single loss expectancy 
(SLE). SLE is calculated as follows: 
Asset value x Exposure factor = Single loss expectancy (SLE) 
Items to consider when calculating the SLE include the physical destruction or theft of assets, the loss of 
data, the theft of information, and threats that might cause a delay in processing. The exposure factor is the 
measure or percent of damage that a realized threat would have on a specific asset. 
QUESTION 1161: 
What is the ALE? 
Answer: 
Explanation: 
Determine annual loss expectancy (ALE): this third and final step of the quantitative 
assessment seeks to combine the potential loss and the rate per year to determine the 
magnitude of the risk. This is expressed as annual loss expectancy (ALE). ALE is 
calculated as follows: 
Single loss expectancy (SLE) x Annualized rate of occurrence (ARO) = Annualized loss expectancy (ALE) 
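The SLE and ALE calculations from questions 1160 and 1161, worked through in an added example that is not part of the original question bank. It goes one step beyond the two formulas by also computing the standard safeguard cost/benefit figure (ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost), which is how the two quantities are normally used together. The scenario, the dollar figures and the two candidate safeguards are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

def sle(s: Scenario) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return sle(s) * s.aro

def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Value of a safeguard to the organization:
    ALE(before safeguard) - ALE(after safeguard) - annual cost of the safeguard.
    A positive result means the safeguard pays for itself; a negative one means
    the organization would spend more on the control than it expects to lose."""
    return ale(before) - ale(after) - annual_cost

# Constructed scenario: a data centre fire (hypothetical figures for the example).
FIRE = Scenario("data centre fire", asset_value=2_000_000, exposure_factor=0.25, aro=0.1)

# Two candidate safeguards, each lowering the exposure factor at a yearly cost.
FIRE_SUPPRESSED = Scenario("fire, suppression system installed", 2_000_000, 0.05, 0.1)
SUPPRESSION_COST = 15_000    # per year, constructed

FIRE_MIRRORED = Scenario("fire, fully mirrored second site", 2_000_000, 0.01, 0.1)
MIRROR_COST = 120_000        # per year, constructed

def report() -> dict:
    """Return the figures a risk analyst would put in front of management."""
    return {
        "fire_sle": sle(FIRE),                      # 2,000,000 x 0.25 = 500,000
        "fire_ale": ale(FIRE),                      # 500,000 x 0.1 = 50,000
        "suppression_value": safeguard_value(FIRE, FIRE_SUPPRESSED, SUPPRESSION_COST),
        "mirror_value": safeguard_value(FIRE, FIRE_MIRRORED, MIRROR_COST),
    }

if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:18s} {v:>12,.0f}")
```

The mirrored site is the more effective control (it removes more of the ALE) yet has negative value because its annual cost exceeds the loss it prevents; this is the comparison the ALE figure exists to support.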
QUESTION 1162: 
In a discretionary mode, which of the following entities is authorized to grant information access 
to other people? 
A. Manager 
B. Group leader 
C. Security manager 
D. User 
Answer: D 
Explanation: Discretionary control is the most common type of access control mechanism 
implemented in computer systems today. The basis of this kind of security is that an 
individual user, or program operating on the user's behalf, is allowed to specify explicitly 
the types of access other users (or programs executing on their behalf) may have to 
information under the user's control. Discretionary security differs from mandatory 
security in that it implements the access control decisions of the user. Mandatory controls 
are driven by the results of a comparison between the user's trust level or clearance and 
the sensitivity designation of the information. 
QUESTION 1163: 
Which DES mode of operation is best suited for database encryption? 
A. Cipher Block Chaining (CBC) mode 
B. Cycling Redundancy Checking (CRC) mode 
C. Electronic Code Book (ECB) mode 
D. Cipher Feedback (CFB) mode 
Answer: C 
Explanation: The DES algorithm in Electronic Codebook (ECB) mode is used for DEK and 
MIC encryption when symmetric key management is employed. The character string 
"DES-ECB" within an encapsulated PEM header field indicates use of this algorithm/mode 
combination. 
A compliant PEM implementation supporting symmetric key management shall support this 
algorithm/mode combination. This mode of DES encryption is the best suited for database 
encryption because of its low overhead. 
ECB mode has some weaknesses; here they are: 
1. ECB Mode encrypts a 64-bit block independently of all other 64-bit blocks 
2. Given the same key, identical plaintext will encrypt the same way 
3. Data compression prior to ECB can help (as with any mode) 
4. Fixed block size of 64 bits therefore incomplete block must be padded 
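Weaknesses 1, 2 and 4 from the list above, made concrete in an added example that is not from the original question bank. It uses a toy 64-bit Feistel cipher built on HMAC as a stand-in for DES (chosen so the example runs without a crypto library; it is not a real cipher) and a constructed "database column" in which many rows hold the same value, which is exactly where ECB leaks which rows are equal. The `repeated_blocks` audit check, the key, the IV and the sample data are all the example's own assumptions.

```python
import hmac
import hashlib
import os
from typing import List

BLOCK = 8  # 64-bit blocks, the same block size as DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one half-block, truncated to 4 bytes.
    # A Feistel network only needs F to be keyed, not invertible, so HMAC will do
    # for a toy cipher. This is NOT a real block cipher; it only models DES's shape.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def pad(data: bytes) -> bytes:
    # Weakness 4: a fixed block size means the last block must be padded.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Weakness 1: every block is encrypted independently of all the others.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))

def cbc_encrypt(key: bytes, pt: bytes, iv: bytes) -> bytes:
    # CBC chains each ciphertext block into the next plaintext block, so equal
    # plaintext blocks no longer give equal ciphertext. The IV is sent in front.
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:BLOCK], ct[BLOCK:]
    out, prev = [], iv
    for b in blocks(body):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def repeated_blocks(ct: bytes) -> int:
    """Audit check for weakness 2: count ciphertext blocks that duplicate an
    earlier block. Repeats inside one ciphertext are a strong sign of ECB."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

# Constructed sample data: 16 rows of "ADMIN" and 4 rows of "GUEST", 8 bytes each.
KEY = b"constructed-16-B"   # 16-byte demo key, constructed
IV = b"\x00" * BLOCK        # fixed IV only so the example is reproducible
COLUMN = b"ADMIN   " * 16 + b"GUEST   " * 4

def compare_modes(key: bytes = KEY, iv: bytes = IV) -> dict:
    ecb_ct = ecb_encrypt(key, COLUMN)
    cbc_ct = cbc_encrypt(key, COLUMN, iv)
    assert ecb_decrypt(key, ecb_ct) == COLUMN and cbc_decrypt(key, cbc_ct) == COLUMN
    return {"ecb_repeats": repeated_blocks(ecb_ct), "cbc_repeats": repeated_blocks(cbc_ct)}

if __name__ == "__main__":
    print(compare_modes(iv=os.urandom(BLOCK)))  # a real deployment draws a fresh IV per message
```

Under ECB the 21 ciphertext blocks (20 data blocks plus one padding block) contain only three distinct values, so an observer of the encrypted column can count how many rows share a value without any key; under CBC every block differs. Running `repeated_blocks` over stored ciphertext is a cheap way to catch an ECB deployment during a review.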
QUESTION 1164: 
Within the realm of IT security, which of the following combinations best defines risk? 
A. Threat coupled with a breach. 
B. Threat coupled with a vulnerability. 
C. Vulnerability coupled with an attack. 
D. Threat coupled with a breach of security. 
Answer: B 
Explanation: This is the main concept: when we talk about a possible risk we always have a 
possible vulnerability in the system attacked. This vulnerability can allow a threat to be 
successful. We can say that the level of risk can be measured through the level of 
vulnerabilities in our current systems and the ability of attackers to exploit them to 
make a threat successful. 
QUESTION 1165: 
Which of the following would be the best reason for separating the test and development 
environments? 
A. To restrict access to systems under test. 
B. To control the stability of the test environment. 
C. To segregate user and development staff. 
D. To secure access to systems under development. 
Answer: B 
Explanation: This is the right answer. With a separation of the two environments (test and 
development), we get a more stable and more "in control" environment. Since we are 
making tests in the development environment, we don't want our production processes 
there; we don't want to experiment with our production processes. With a separation 
of the environments we get a more risk-free production environment and more control 
and flexibility over the test environment for the developers. 
QUESTION 1166: 
Which of the following statements pertaining to dealing with the media after a disaster occurred 
and disturbed the organization's activities is incorrect? 
A. The CEO should always be the spokesperson for the company during a disaster. 
B. The disaster recovery plan must include how the media is to be handled during the disaster. 
C. The organization's spokesperson should report bad news before the press gets a hold of it 
through another channel. 
D. An emergency press conference site should be planned ahead. 
Answer: A 
Explanation: This is not a good practice; we cannot involve the CEO of the company to 
deal with the media in every case where we have a disaster. Depending on the severity of the 
disaster we can have the CEO speak, but the best practice in the real world is to have a 
well-known person in that role, with strong speaking skills and knowledge of 
press methods. In general, the CEO always gets news of what happened and decides the 
company's position; then another designated employee (usually from the disaster recovery 
team) deals with the media. 
QUESTION 1167: 
Which Orange book security rating introduces security labels? 
A. C2 
B. B1 
C. B2 
D. B3 
Answer: B 
Explanation: Class (B1) or "Labeled Security Protection" systems require all the features 
required for class (C2). In addition, an informal statement of the security policy model, 
data labeling, and mandatory access control over named subjects and objects must be 
present. The capability must exist for accurately labeling exported information. Any flaws 
identified by testing must be removed. 
QUESTION 1168: 
A Business Impact Analysis (BIA) does not: 
A. Recommend the appropriate recovery solution. 
B. Determine critical and necessary business functions and their resource dependencies. 
C. Identify critical computer applications and the associated outage tolerance. 
D. Estimate the financial impact of a disruption. 
Answer: A 
Explanation: Remember that when we talk about a BIA (Business Impact Analysis), we are 
analyzing and identifying possible issues with our infrastructure; in this kind of analysis 
we don't make suggestions about what to do to recover from them. This is not an action 
plan; it is an analysis of the business, the processes it relies on, the level of the 
systems and an estimate of the financial impact, or in other words, how much money we 
lose with our systems down. 
QUESTION 1169: 
Which access control model enables the owner of the resource to specify what subjects can 
access specific resources? 
A. Discretionary Access Control 
B. Mandatory Access Control 
C. Sensitive Access Control 
D. Role-based Access Control 
Answer: A 
Explanation: Discretionary Access Control (DAC) is used to control access by restricting a 
subject's access to an object. It is generally used to limit a user's access to a file. In this type 
of access control it is the owner of the file who controls other users' accesses to the file. 
Using a DAC mechanism allows users control over access rights to their files. When these rights 
are managed correctly, only those users specified by the owner may have some combination of 
read, write, execute, etc. permissions to the file. 
QUESTION 1170: 
What type of cable is used with 100Base-TX Fast Ethernet? 
A. Fiber-optic cable 
B. Four pairs of Category 3, 4 or 5 unshielded twisted-pair (UTP) wires. 
C. Two pairs of Category 5 unshielded twisted-pair (UTP) or Category 1 shielded twisted-pair 
(STP) wires. 
D. RG.58 cable. 
Answer: C 
Explanation: 100BaseTX is a 100-Mbps baseband Fast Ethernet specification using two 
pairs of either UTP or STP wiring. The first pair of wires is used to receive data; the 
second is used to transmit. To guarantee proper signal timing, a 100BaseTX segment 
cannot exceed 100 meters in length. This specification of Ethernet is based on the IEEE 
802.3 standard. 
QUESTION 1171: 
Which of the following best describes the Secure Electronic Transaction (SET) protocol? 
A. Originated by VISA and MasterCard as an Internet credit card protocol. 
B. Originated by VISA and MasterCard as an Internet credit card protocol using digital 
signatures. 
C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport 
layer. 
D. Originated by VISA and MasterCard as an Internet credit card protocol using SSL. 
Answer: B 
Explanation: This protocol was created by VISA and MasterCard as a common effort to 
make the buying process over the Internet secure through the distribution line of those 
companies. It is located in layer 7 of the OSI model. 
SET uses a system of locks and keys along with certified account IDs for both consumers and 
merchants. Then, through a unique process of "encrypting" or scrambling the information 
exchanged between the shopper and the online store, SET ensures a payment process that is 
convenient, private and most of all secure. Specifically, SET: 
1. Establishes industry standards to keep your order and payment information confidential. 
2. Increases integrity for all transmitted data through encryption. 
3. Provides authentication that a cardholder is a legitimate user of a branded payment card 
account. 
4. Provides authentication that a merchant can accept branded payment card transactions through 
its relationship with an acquiring financial institution. 
5. Allows the use of the best security practices and system design techniques to protect 
all legitimate parties in an electronic commerce transaction. 
The SET process relies strongly on the use of certificates and digital signatures for the process of 
authentication and integrity of the information. 
QUESTION 1172: 
At which of the following phases of a software development life cycle are security and access 
controls normally designed? 
A. Coding 
B. Product design 
C. Software plans and requirements 
D. Detailed design 
Answer: D 
Explanation: Security controls and access controls are normally designed in the "Detailed 
design" phase. In this phase you design many of the security features of your 
development, such as authentication, confidentiality functionality and non-repudiation capabilities. 
In this phase you can also define what the access control method for the 
software is going to be: we can make it discretionary (less restrictive), mandatory (more 
restrictive), role-based or others. 
QUESTION 1173: 
Which type of control would password management classify as? 
A. Compensating control 
B. Detective control 
C. Preventive control 
D. Technical control 
Answer: C 
Explanation: Preventive technical controls are used to prevent unauthorized personnel or 
programs from gaining remote access to computing resources. Examples of these controls 
include: 
Access control software. 
Antivirus software. 
Library control systems. 
Password and Password management 
Smart cards. 
Encryption. 
Dial-up access control and callback systems 
About Passwords: Passwords are used to verify that the user of an ID is the owner of the ID. The 
ID-password combination is unique to each user and therefore provides a means of holding users 
accountable for their activity on the system. 
Fixed passwords that are used for a defined period of time are often easy for hackers to 
compromise; therefore, great care must be exercised to ensure that these passwords do not 
appear in any dictionary. Fixed passwords are often used to control access to specific data bases. 
In this use, however, all persons who have authorized access to the data base use the same 
password; therefore, no accountability can be achieved. 
Currently, dynamic or one-time passwords, which are different for each log-on, are preferred 
over fixed passwords. Dynamic passwords are created by a token that is programmed to generate 
passwords randomly. 
The management of those passwords is part of Preventive control. 
QUESTION 1174: 
Due care is not related to: 
A. Good faith 
B. Prudent man 
C. Profit 
D. Best interest 
Answer: C 
Explanation: This is obviously a term not related to profit; a "due" is not going to give us 
profit, it is going to give us the opposite. It is always good practice to pay your dues. This can 
be learned in real life. A prudent man always pays his dues, and a good-faith man pays 
them too. This term is not related to profit. 
QUESTION 1175: 
Which of the following is not an Orange Book-defined life cycle assurance requirement? 
A. Security testing 
B. Design specification and testing 
C. Trusted distribution 
D. System integrity 
Answer: D 
Explanation: Life cycle assurance is more than configuration management. 
Reference: "Operational assurance focuses on the basic features and architecture of a system that 
lend themselves to supporting security. There are five requirements or elements of operational 
assurance: 
* System architecture 
* System integrity 
* Covert channel analysis 
* Trusted facility management 
* Trusted Recovery 
Life cycle assurance focuses on the controls and standards that are necessary for designing, 
building, and maintaining a system. The following are the four requirements or elements of life 
cycle assurance: 
* Security testing 
* Design specification and testing 
* Configuration Management 
* Trusted distribution" 
Pg 398 Tittel 
QUESTION 1176: 
What is another name for the Orange Book? 
A. The Trusted Computer System Evaluation Criteria (TCSEC) 
B. The Trusted Computing Base (TCB) 
C. The Information Technology Security Evaluation Criteria (ITSEC) 
D. The Common Criteria 
Answer: A 
Explanation: 
The Trusted Computer System Evaluation Criteria (TCSEC) is a collection of criteria 
used to grade or rate the security offered by a computer system product. The TCSEC is 
sometimes referred to as "the Orange Book" because of its orange cover. The current 
version is dated 1985 (DOD 5200.28-STD, Library No. S225,711). The TCSEC, its 
interpretations and guidelines all have different color covers, and are sometimes known as 
the "Rainbow Series". 
QUESTION 1177: 
A password that is the same for each log-on session is called a? 
A. "one-time password" 
B. "two-time password" 
C. static password 
D. dynamic password 
Answer: C 
Explanation: A static password is one that remains the same until it is changed. It is like the 
password that we use in operating systems: you set it, and then you always use the same 
password to log on to the system for the time of the session. This password gives us 
access to the system and is the vehicle for creating our access token successfully so that we 
get our privileges. A one-time password is only valid for one use, dynamic ones change 
whenever a certain condition is met, and two-time passwords can only be used twice. With 
these kinds of passwords we can grant access a set number of times. 
QUESTION 1178: 
Which of the following backup methods is most appropriate for off-site archiving? 
A. Incremental backup method. 
B. Off-site backup method. 
C. Full backup method. 
D. Differential backup method. 
Answer: C 
Explanation: 
Since we want to maintain the backups off-site, it is always better to send full backups 
because they contain a consistent base of the system. A restore always begins from a full 
backup. Remember that the backups stored off-site are in most cases in a secure place, and 
keeping full backups there is a best practice for any network administrator. With 
incremental or differential backups alone we do not have all we need to restore a system to a 
consistent state; we need to start from the full backup. "Off-site backup" is not a valid 
backup method. 
QUESTION 1179: 
Which of the following is not a weakness of symmetric cryptography? 
A. Limited security 
B. Key distribution 
C. Speed 
D. Scalability 
Answer: C 
Explanation: In secret key cryptography, a single key is used for both encryption and 
decryption. The sender uses the key (or some set of rules) to encrypt the plaintext and 
sends the cipher text to the receiver. The receiver applies the same key (or rule set) to 
decrypt the message and recover the plaintext. Because a single key is used for both 
functions, secret key cryptography is also called symmetric encryption. 
With this form of cryptography, it is obvious that the key must be known to both the sender and 
the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the 
distribution of the key. 
Symmetric encryption is around 1000 times faster than asymmetric encryption; the latter is 
commonly used just to encrypt the keys for symmetric cryptography. 
QUESTION 1180: 
Which of the following is not a defined layer in the TCP/IP protocol model? 
A. Application layer 
B. Session layer 
C. Internet layer 
D. Network access layer 
Answer: B 
Explanation: The TCP/IP reference model is the network model used in the current 
Internet architecture. It has its origins back in the 1960's with the grandfather of the 
Internet, the ARPANET. This was a research network sponsored by the Department of 
Defense in the United States. 
The reference model was named after two of its main protocols, TCP (Transmission Control 
Protocol) and IP (Internet Protocol). Its designers chose to build a packet-switched network based on a 
connectionless internet layer. Here is a description of it: 
"The TCP/IP Protocol Model is similar to the OSI model, but it defines only the following four 
layers instead of seven: 
Application Layer. Consists of the applications and processes that use the network. 
Host-to-Host Transport Layer. Provides end-to-end data delivery service to the Application 
Layer. 
Internet Layer. Defines the IP datagram and handles the routing of data across networks. 
Network Access or Link Layer. Consists of routines for accessing physical networks and the 
electrical connection." 
Pg 112 Krutz: The CISSP Prep Guide: Gold Edition. 
QUESTION 1181: 
Rewritable and erasable (CD-R/W) optical disks are sometimes used for backups that require short-term 
storage for changeable data, but require? 
A. Faster file access than tape. 
B. Slower file access than tape. 
C. Slower file access than drive. 
D. Slower file access than scale. 
Answer: A 
Explanation: This is true: when we use optical media like CDs to make our backups we 
need constant throughput on file access and data transfer to the disc because of 
the risk of a buffer underrun error in the CD writer. If the buffer used by the CD burner 
is empty and the hard disk does not provide data in time, the backup will be 
unsuccessful. This can be solved with a technology known as "Burn-Proof". 
QUESTION 1182: 
Which one of the following is not a primary component or aspect of firewall systems? 
A. Protocol filtering 
B. Packet switching 
C. Rule enforcement engine 
D. Extended logging capability 
Answer: B 
Explanation: This is not a main function of a firewall; packet switching is the main feature of 
a switch (working only at layer 2 of the OSI model). Firewalls are network security 
devices that can operate from layer 2 to layer 7 of the OSI model. They usually include a 
rule engine that enforces the enterprise security policy of the company. They provide 
protocol filtering to enforce our requirements by forwarding or denying traffic. 
They also provide logging capabilities so we can analyze what is happening at a very low 
level in our network. 
QUESTION 1183: 
What are database views used for? 
A. To ensure referential integrity. 
B. To allow easier access to data in a database. 
C. To restrict user access to data in a database. 
D. To provide audit trails. 
Answer: C 
Explanation: Through the use of a view we can provide security for the organization by 
restricting users' access to certain data or to the real tables containing the information in 
our database. For example, we can create a view that brings data from 3 tables, 
showing only 2 of the 4 columns in each. Instead of giving access to the tables that contain the 
information, we give access to the view, so the user can access this fixed information but 
does not have privileges over the tables containing it. This provides security. 
QUESTION 1184: 
Which of the following Common Data Network Services is used to send and receive email 
internally or externally through an email gateway device? 
A. File services 
B. Mail services 
C. Print services 
D. Client/Server services 
Answer: B 
Explanation: This functionality is provided through mail services; this service permits 
collaboration between users at an internal and external level. We usually use two protocols: 
SMTP on TCP port 25 to send the emails and POP3 on TCP port 110 to receive them. 
Currently there is another protocol that is gaining popularity, IMAP4. Print 
services are used for printing documents, and file services are used to share and access files 
and folders inside the infrastructure. 
QUESTION 1185: 
Intrusion detection has which of the following sets of characteristics? 
A. It is adaptive rather than preventive. 
B. It is administrative rather than preventive. 
C. It is disruptive rather than preventative. 
D. It is detective rather than preventative. 
Answer: D 
Explanation: This is one of the features of intrusion detection: instead of being proactive, 
it has a reactive behavior. When we set up an IDS inside our network or on our hosts, the 
IDS agent constantly monitors in real time what activities are being performed in the 
infrastructure. If the IDS finds malicious activity taking place it can take actions 
against it, like disabling interfaces, alerting the administrators or sending network attacks 
to the source to put it out of service. 
In contrast to the detective behavior of an IDS, we can also increase security with practices 
like hardening our systems; this is considered a preventive practice. 
QUESTION 1186: 
Which type of password provides maximum security because a new password is required 
for each new log-on? 
A. One-time or dynamic password 
B. Cognitive password 
C. Static password 
D. Pass phrase 
Answer: A 
Explanation: The concept behind "one-time" or "dynamic" password technology is that the 
remote host already knows a password that is never going to travel over insecure channels; 
when you connect, you get a challenge. You take the challenge information and the password 
and plug them into an algorithm which generates the response, and both sides get the same answer 
if the password is the same on both sides. Therefore the password never goes over the 
network, nor is the same challenge used twice. Unlike SecurID or SNK, with S/Key you do 
not share a secret with the host. 
Another one-time password technology is card systems, where each user gets a card that generates 
numbers that allow access to their account. Without the card, it is improbable to guess the 
numbers. 
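As an added example, not part of the original question bank, here is the S/Key-style exchange described above (and the dynamic passwords of Question 1173) in Python: the host keeps only a hash-chain value, challenges with a sequence number and seed, and a reused response is rejected. The class and function names, seed and passphrases are constructed, and SHA-256 stands in for the hash real S/Key uses.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical names throughout. Simplification: real S/Key uses MD4/MD5 truncated to
# 64 bits; SHA-256 is used here so the chain mechanics are the only thing to follow.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: H applied n times to seed || passphrase."""
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = _h(value)
    return value

@dataclass
class OtpServer:
    seed: str
    counter: int       # chain position of the value currently stored
    stored: bytes      # H^counter(seed || passphrase): last password accepted (or enrolled)

    @classmethod
    def enroll(cls, passphrase: str, seed: str, n: int = 100) -> "OtpServer":
        # Enrollment is the only time the passphrase is used on the host side, and only
        # the n-th hash is kept: the host never stores a shared secret.
        return cls(seed, n, chain_value(passphrase, seed, n))

    def challenge(self):
        """Sent in the clear: which chain position to answer with, plus the seed."""
        return self.counter - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.counter <= 1:
            return False                        # chain exhausted: user must re-enroll
        if not hmac.compare_digest(_h(response), self.stored):
            return False                        # wrong passphrase, or a replayed value
        self.stored = response                  # move one step down the chain
        self.counter -= 1
        return True

class OtpClient:
    def __init__(self, passphrase: str):
        self._passphrase = passphrase           # stays here; only hashes cross the network

    def respond(self, challenge) -> bytes:
        n, seed = challenge
        return chain_value(self._passphrase, seed, n)

def demo():
    """Constructed run: a valid log-on, a replay of the same value, a second log-on,
    and a response computed from the wrong passphrase."""
    server = OtpServer.enroll("correct horse battery", "sd01", n=5)
    client = OtpClient("correct horse battery")
    first_otp = client.respond(server.challenge())
    first = server.verify(first_otp)
    replay = server.verify(first_otp)
    second = server.verify(client.respond(server.challenge()))
    wrong = server.verify(OtpClient("guess").respond(server.challenge()))
    return first, replay, second, wrong

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```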
QUESTION 1187: 
Those in the form of credit card-size memory cards or smart cards, or resembling small 
calculators, that are used to supply static and dynamic passwords are called? 
A. Token Ring 
B. Tokens 
C. Token passing networks 
D. Coupons 
Answer: B 
Explanation: Tokens are usually used to provide authentication through "what we have", 
and are most commonly implemented to provide two-factor authentication. For example, 
SecurID requires two pieces of information, a password and a token code. The code is 
generated by the SecurID token, a small electronic device that users keep with them that 
displays a new number every 60 seconds. Combining this number with the user's password 
allows the SecurID server to determine whether or not the user should be granted access. 
QUESTION 1188: 
Which of the following uses a directed graph to specify the rights that a subject can transfer to an 
object, or that a subject can take from another subject? 
A. Take-Grant model 
B. Access Matrix model 
C. Biba model 
D. Bell-Lapadula model 
Answer: A 
Explanation: The Take-Grant System is a model that helps in determining the protection 
rights (e.g., read or write) in a computer system. The Take-Grant system was introduced 
by Jones, Lipton, and Snyder to show that it is possible to decide on the safety of a 
computer system even when the number of subjects and objects are very large, or 
unbounded. This can be accomplished in linear time based on the initial size of the system. 
The take-grant system models a protection system which consists of a set of states and state 
transitions. A directed graph shows the connections between the nodes of this system. 
These nodes are representative of the subjects or objects of the model. The directed edges 
between the nodes represent the rights that one node has over the linked node. 
QUESTION 1189: 
Which of the following is the BEST way to prevent software license violations? 
A. Implementing a corporate policy on copyright infringements and software use. 
B. Requiring that all PCs be diskless workstations. 
C. Installing metering software on the LAN so applications can be accessed through the metered 
software. 
D. Regularly scanning used PCs to ensure that unauthorized copies of software have not been 
loaded on the PC. 
Answer: D 
Explanation: Since it is impossible to control all the efforts of users to install software 
without the proper licenses on their PCs (especially software downloaded from the Internet), the best 
way to prevent license violations is through regular audits of every single user PC to see 
which programs are installed and what their nature is (shareware, freeware, 
licensed). We can't rely on LAN monitoring software because not all applications are 
network-enabled; also, there is usually a policy about software installation, but users often 
do not follow it. It is also good practice to sanction users who commit 
software license violations. 
QUESTION 1190: 
Zip/Jaz drives, SyQuest, and Bernoulli boxes are very transportable and are often the 
standard for? 
A. Data exchange in many businesses. 
B. Data change in many businesses. 
C. Data compression in many businesses. 
D. Data interchange in many businesses. 
Answer: A 
Explanation: This is the primary use of these kinds of devices; since they are very portable (a 
medium-size external box) and they provide standard interfaces to the PC, they are usually 
used for data exchange because of their high capacity in comparison to 3.5-inch floppy 
diskettes. We can make changes to the media used by these devices, but that is not their primary 
use. Compression is not the best feature of these devices; they usually depend on file-system 
compression. Absolutely, the best use of these boxes is for data exchange. 
QUESTION 1191:
What are two types of system assurance? 
A. Operational Assurance and Architecture Assurance. 
B. Design Assurance and Implementation Assurance. 
C. Architecture Assurance and Implementation Assurance. 
D. Operational Assurance and Life-Cycle Assurance. 
Answer: D 
Explanation: 
Software Systems Quality Assurance (SQA) is defined as a planned and systematic 
approach to the evaluation of the quality of and adherence to software product standards, 
processes, and procedures. SQA includes the process of assuring that standards and 
procedures are established and are followed throughout the software acquisition life cycle. 
Compliance with agreed-upon standards and procedures is evaluated through process 
monitoring, product evaluation, and audits. Software development and control processes 
should include quality assurance approval points, where an SQA evaluation of the product 
may be done in relation to the applicable standards. The two types available are: operational 
assurance (which specifies that the operation complies with the requirements) and life-cycle 
assurance (which specifies that the system has passed through the whole software life cycle). 
QUESTION 1192: 
Why does compiled code pose more risk than interpreted code? 
A. Because malicious code can be embedded in the compiled code and can be difficult to detect. 
B. Because the browser can safely execute all interpreted applets. 
C. Because compilers are not reliable. 
D. It does not. Interpreted code poses more risk than compiled code. 
Answer: A 
Explanation: Since compiled code has already been translated to binary language (the 
language understood natively by computers), it is very difficult for us (humans) to 
detect malicious code inside an application, because it is not readily visible; you 
have to find that malicious code through the behavior of the program. Instead, when we 
talk about interpreted code, we use a language interpreter, which is a piece of software that 
allows the end user to write a program in some human-readable language and have this 
program executed directly by the interpreter. 
This is in contrast to language compilers, which translate the human-readable code into 
machine-readable code so that the end user can execute the machine-readable code at a later 
time. With interpreted code it is far easier to detect malicious code inside the programs; you just 
need to see what piece of code produced the undesired action. 
QUESTION 1193: 
Which model, based on the premise that the quality of a software product is a direct function of 
the quality of its associated software development and maintenance processes, introduced five 
levels with which the maturity of an organization involved in the software process is evaluated? 
A. The Total Quality Model (TQM) 
B. The IDEAL Model 
C. The Software Capability Maturity Model 
D. The Spiral Model 
Answer: C 
Explanation: The Capability Maturity Model for Software describes the principles and 
practices underlying software process maturity and is intended to help software 
organizations improve the maturity of their software processes in terms of an evolutionary 
path from ad hoc, chaotic processes to mature, disciplined software processes. The CMM is 
organized into five maturity levels: 
1) Initial. The software process is characterized as ad hoc, and occasionally even chaotic. Few 
processes are defined, and success depends on individual effort and heroics. 
2) Repeatable. Basic project management processes are established to track cost, schedule, and 
functionality. The necessary process discipline is in place to repeat earlier successes on projects 
with similar applications. 
3) Defined. The software process for both management and engineering activities is documented, 
standardized, and integrated into a standard software process for the organization. All projects 
use an approved, tailored version of the organization's standard software process for developing 
and maintaining software. 
4) Managed. Detailed measures of the software process and product quality are collected. Both 
the software process and products are quantitatively understood and controlled. 
5) Optimizing. Continuous process improvement is enabled by quantitative feedback from the 
process and from piloting innovative ideas and technologies. 
QUESTION 1194: 
Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud simulates 
the tones of coins being deposited into a payphone? 
A. Red Boxes 
B. Blue Boxes 
C. White Boxes 
D. Black Boxes 
Answer: A 
Explanation: 
The Red Box basically simulates the sounds of coins being dropped into the coin slot of a 
payphone. The traditional Red Box consists of a pair of Wien-bridge oscillators with the 
timing controlled by 555 timer chips. 
The Blue Box, the mother of all boxes, is the first box in history, which started the whole 
phreaking scene. It was invented by John Draper (aka "Captain Crunch") in the early 60s, who 
discovered that by sending a tone of 2600 Hz over the telephone lines of AT&T it was possible 
to make free calls. 
A Black Box is a device that is hooked up to your phone that fixes your phone so that when you 
get a call, the caller doesn't get charged for the call. This is good for calls up to 1/2 hour; after 
1/2 hour the phone company gets suspicious, and then you can guess what happens. 
The White Box turns a normal touch-tone keypad into a portable unit. This kind of box can be 
commonly found in a phone shop. 
QUESTION 1195: 
What is the proper term to refer to a single unit of Ethernet data? 
A. Ethernet segment 
B. Ethernet datagram 
C. Ethernet frame 
D. Ethernet packet 
Answer: C 
Explanation: Ethernet traffic is transported in units of a frame, where each frame has a 
definite beginning and end. The fields of an Ethernet frame (shown as a figure in the original) are: 
1. Preamble field: used for synchronization, 64 bits 
2. Destination address: Ethernet address of the destination host, 48 bits 
3. Source address: Ethernet address of the source host, 48 bits 
4. Type: type of data encapsulated, e.g. IP, ARP, RARP, etc., 16 bits 
5. Data field: data area, 46-1500 bytes, which contains: 
Destination address: Internet address of the destination host 
Source address: Internet address of the source host 
6. CRC: cyclic redundancy check, used for error detection 
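As an added example (not from the original question bank), a small Python parser for the frame layout listed above: it splits a wire-format frame into the six fields, checks the CRC-32 in field 6, and pulls the Internet addresses out of an IP data field. The frame bytes, MAC and IP addresses are constructed sample values and the function names are mine.

```python
import struct
import zlib
from dataclasses import dataclass

# Hypothetical names; constants follow the field sizes listed above.
PREAMBLE = b"\xaa" * 7 + b"\xab"        # 7 bytes of 10101010 plus start-frame delimiter: field 1
HEADER_LEN = 6 + 6 + 2                  # fields 2-4: destination MAC, source MAC, type
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500     # field 5 limits
FCS_LEN = 4                             # field 6: CRC-32
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}

@dataclass
class EthernetFrame:
    dst: str
    src: str
    ethertype: int
    payload: bytes
    fcs_ok: bool

    @property
    def type_name(self) -> str:
        return ETHERTYPES.get(self.ethertype, f"0x{self.ethertype:04x}")

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _fcs(body: bytes) -> bytes:
    # The Ethernet FCS is CRC-32 over fields 2-5, transmitted least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame as it would appear on the wire (preamble through FCS)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")     # pad to the 46-byte minimum
    body = _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return PREAMBLE + body + _fcs(body)

def parse_frame(wire: bytes) -> EthernetFrame:
    """Split a wire-format frame into its fields and verify the CRC."""
    if not wire.startswith(PREAMBLE):
        raise ValueError("missing preamble / start-frame delimiter")
    body, fcs = wire[len(PREAMBLE):-FCS_LEN], wire[-FCS_LEN:]
    if len(body) < HEADER_LEN + MIN_PAYLOAD:
        raise ValueError("runt frame")
    if len(body) > HEADER_LEN + MAX_PAYLOAD:
        raise ValueError("giant frame")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return EthernetFrame(
        dst=_mac_str(body[0:6]),
        src=_mac_str(body[6:12]),
        ethertype=ethertype,
        payload=body[HEADER_LEN:],
        fcs_ok=(fcs == _fcs(body)),        # a damaged frame fails this and is dropped by the NIC
    )

def ip_addresses(frame: EthernetFrame):
    """For an IP frame, pull the Internet source/destination addresses out of the data field."""
    if frame.ethertype != 0x0800 or len(frame.payload) < 20:
        return None
    src, dst = frame.payload[12:16], frame.payload[16:20]
    return ".".join(map(str, src)), ".".join(map(str, dst))

# Constructed sample: a minimal IPv4 header (20 bytes, no options) from 192.0.2.1 to 198.51.100.7
SAMPLE_IP_HEADER = (
    b"\x45\x00\x00\x14" + b"\x00\x01\x00\x00" + b"\x40\x11\x00\x00"
    + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7])
)
SAMPLE_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, SAMPLE_IP_HEADER)

def corrupt(wire: bytes, offset: int) -> bytes:
    """Flip one bit of the wire bytes to show the CRC catching a transmission error."""
    damaged = bytearray(wire)
    damaged[offset] ^= 0x01
    return bytes(damaged)

if __name__ == "__main__":
    f = parse_frame(SAMPLE_FRAME)
    print(f.dst, f.src, f.type_name, len(f.payload), f.fcs_ok, ip_addresses(f))
    print(parse_frame(corrupt(SAMPLE_FRAME, 30)).fcs_ok)   # False
```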
QUESTION 1196: 
Which of the following represents an ALE calculation? 
A. Single loss expectancy x annualized rate of occurrence. 
B. Gross loss expectancy x loss frequency. 
C. Actual replacement cost - proceeds of salvage. 
D. Asset value x loss expectancy. 
Answer: A 
Explanation: ALE (Annualized Loss Expectancy) calculations are a component of every 
risk analysis process. ALE calculations when done properly portray risk accurately. ALE 
calculations provide meaningful cost/benefit analysis. ALE calculations are used to: 
1. Identify risks 
2. Plan budgets for information risk management 
3. Calculate loss expectancy in annualized terms 
SLE x ARO = ALE 
QUESTION 1197: 
If an operating system permits executable objects to be used simultaneously by multiple users 
without a refresh of the objects, what security problem is most likely to exist? 
A. Disclosure of residual data. 
B. Unauthorized obtaining of a privileged execution state. 
C. Data leakage through covert channels. 
D. Denial of service through a deadly embrace. 
Answer: A 
Explanation: This is a well-known issue familiar to many programmers: since the operating 
system allows the executables to be used by many users in different sessions at the 
same time, and the objects are not refreshed periodically, there will be disclosure of 
residual data. To fix this we need to make sure that objects are refreshed frequently; for 
added security it is better to use an OS that does not allow the use of an executable object by many 
users at the same time. 
QUESTION 1198: 
Tape arrays use a large device with multiple (sometimes 32 or 64) tapes that are configured 
as a? 
A. Single array 
B. Dual array 
C. Triple array 
D. Quadruple array 
Answer: A 
Explanation: This is the function of a tape robot/changer working in a media library / 
jukebox. We can have as many as 32 or 64 or even more tapes acting as a single logical unit. 
You can have a robot that changes and retrieves the different tapes when they are needed, 
so you see the whole set of tapes as if it were a single logical storage solution. This 
kind of solution is very expensive. 
QUESTION 1199: 
Why would anomaly detection IDSs often generate a large number of false positives? 
A. Because they can only identify correctly attacks they already know about. 
B. Because they are application-based and are more subject to attacks. 
C. Because they can't identify abnormal behavior. 
D. Because normal patterns of user and system behavior can vary wildly. 
Answer: D 
Explanation: One of the most obvious reasons why false alarms occur is because tools are 
stateless. To detect an intrusion, simple pattern matching of signatures is often insufficient. 
However, that's what most tools do. Then, if the signature is not carefully designed, there 
will be lots of matches. For example, tools detect attacks in sendmail by looking for the 
words "DEBUG" or "WIZARD" as the first word of a line. If this is in the body of the 
message, it's in fact innocuous, but if the tool doesn't differentiate between the header and 
the body of the mail, then a false alarm is generated. 
Finally, there are many events happening in the course of the normal life of any system or 
network that can be mistaken for attacks. A lot of sysadmin activity can be catalogued as 
anomalous. Therefore, a clear correlation between attack data and administrative data should be 
established to cross-check that everything happening on a system is actually desired. 
Normal patterns and user activities are often confused with attacks by IDS devices; it is 
expected that second-generation IDS systems will decrease the percentage of false positives. 
QUESTION 1200: 
According to private sector data classification levels, how would salary levels and medical 
information be classified? 
A. Public 
B. Sensitive 
C. Private 
D. Confidential 
Answer: C 
Explanation: According to the classification levels of the private sector, this information is 
classified as Private because it is of a personal nature. There is no need 
for other employees to see details about your health or your salary range; this can lead to 
internal problems inside the company, such as jealous employees.
