CISSP Certified Information Systems Security Professionals Questions + Answers Part 4
Posted: Mon Mar 07, 2022 7:55 am
QUESTION 93
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established.
What MUST be considered or evaluated before performing the next step?
A. Notifying law enforcement is crucial before hashing the contents of the server hard drive
B. Identifying who executed the incident is more important than how the incident happened
C. Removing the server from the network may prevent catching the intruder
D. Copying the contents of the hard drive to another storage device may damage the evidence
Correct Answer: C
Section: Security Operations Explanation
QUESTION 94
Due to system constraints, a group of system administrators must share a high-level access set of credentials. Which of the following would be MOST appropriate to implement?
A. Increased console lockout times for failed logon attempts
B. Reduce the group in size
C. A credential check-out process for a per-use basis
D. Full logging on affected systems
Correct Answer: C
Section: Security Operations Explanation
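The check-out process in answer C turns an unattributable shared credential into a per-use, per-person loan. The following Python example is added here to illustrate that mechanism; it is not from the original question bank. The in-memory vault, the admin names, the change-ticket strings and the 600-second time-to-live are all constructed assumptions. It shows the three properties a practitioner actually wants from such a process: one holder at a time, a justification recorded at check-out, and rotation of the secret at check-in so the value an admin saw is useless afterwards.

```python
"""Per-use check-out of a shared privileged credential (added example).

Assumptions (not from the original question): the vault is an in-memory
dictionary, the admin identity is a plain string, and rotation is simulated
by generating a fresh random secret on check-in.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CheckoutRecord:
    admin: str          # who currently holds the credential
    reason: str         # ticket or justification supplied at check-out
    issued_at: float
    expires_at: float


@dataclass
class SharedCredentialVault:
    """Holds one shared high-privilege secret and lends it to one admin at a time."""
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    ttl_seconds: int = 900
    holder: Optional[CheckoutRecord] = None
    audit_log: List[Dict] = field(default_factory=list)

    def check_out(self, admin: str, reason: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Expire a stale check-out so one forgotten session cannot lock everyone out.
        if self.holder and now >= self.holder.expires_at:
            self._log("expired", self.holder.admin, now)
            self.holder = None
        if self.holder is not None:
            raise PermissionError(f"credential already checked out to {self.holder.admin}")
        if not reason.strip():
            raise ValueError("a justification is required for privileged check-out")
        self.holder = CheckoutRecord(admin, reason, now, now + self.ttl_seconds)
        self._log("check_out", admin, now, reason=reason)
        return self.secret

    def check_in(self, admin: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        if self.holder is None or self.holder.admin != admin:
            raise PermissionError("only the current holder may check the credential in")
        self._log("check_in", admin, now)
        self.holder = None
        # Rotate so the value the admin saw is useless after the session.
        self.secret = secrets.token_urlsafe(24)
        self._log("rotated", admin, now)

    def _log(self, event: str, admin: str, ts: float, **extra) -> None:
        self.audit_log.append({"event": event, "admin": admin, "ts": ts, **extra})


def demo() -> Tuple[bool, bool, List[str]]:
    """Run one check-out cycle; returns (secret rotated?, second admin blocked?, events)."""
    vault = SharedCredentialVault(ttl_seconds=600)
    first = vault.check_out("alice", "CHG-1234 patch window", now=1000.0)
    blocked = False
    try:
        vault.check_out("bob", "CHG-1235", now=1001.0)   # alice still holds it
    except PermissionError:
        blocked = True
    vault.check_in("alice", now=1200.0)
    second = vault.check_out("bob", "CHG-1235", now=1300.0)
    return first != second, blocked, [e["event"] for e in vault.audit_log]


if __name__ == "__main__":
    print(demo())
```

The audit log is what makes answers A, B and D insufficient on their own: lockouts and logging tell you a shared account did something, but only the check-out record tells you which administrator held it at that moment.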
QUESTION 95
Which of the following is the MOST efficient mechanism to account for all staff during a speedy non-emergency evacuation from a large security facility?
A. Large mantrap where groups of individuals leaving are identified using facial recognition technology
B. Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exit door
C. Emergency exits with push bars with coordinates at each exit checking off the individual against a predefined list
D. Card-activated turnstile where individuals are validated upon exit
Correct Answer: B
Section: Security Operations Explanation
QUESTION 96
What does electronic vaulting accomplish?
A. It protects critical files.
B. It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems
C. It stripes all database records
D. It automates the Disaster Recovery Process (DRP)
Correct Answer: A
Section: Security Operations Explanation
QUESTION 97
A security analyst for a large financial institution is reviewing network traffic related to an incident. The analyst determines the traffic is irrelevant to the investigation, but in the process of the review the analyst also finds that an application's data, which included full credit card cardholder data, is transferred in clear text between the server and the user's desktop. The analyst knows this violates the Payment Card Industry Data Security Standard (PCI-DSS). Which of the following is the analyst's next step?
A. Send the log file to co-workers for peer review
B. Include the full network traffic logs in the incident report
C. Follow organizational processes to alert the proper teams to address the issue.
D. Ignore the data as it is outside the scope of the investigation and the analyst's role.
Correct Answer: C
Section: Security Operations Explanation
QUESTION 98
What is the MAIN purpose of a change management policy?
A. To assure management that changes to the Information Technology (IT) infrastructure are necessary
B. To identify the changes that may be made to the Information Technology (IT) infrastructure
C. To verify that changes to the Information Technology (IT) infrastructure are approved
D. To determine the necessity of implementing modifications to the Information Technology (IT) infrastructure
Correct Answer: C
Section: Security Operations Explanation
QUESTION 99
Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
A. Lack of software documentation
B. License agreements requiring release of modified code
C. Expiration of the license agreement
D. Costs associated with support of the software
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 100
The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 101
What is the BEST approach to addressing security issues in legacy web applications?
A. Debug the security issues
B. Migrate to newer, supported applications where possible
C. Conduct a security assessment
D. Protect the legacy application with a web application firewall
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 102
Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
A. Check arguments in function calls
B. Test for the security patch level of the environment
C. Include logging functions
D. Digitally sign each application module
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 103
An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets. Which of the following BEST describes what has occurred?
A. Denial of Service (DoS) attack
B. Address Resolution Protocol (ARP) spoof
C. Buffer overflow
D. Ping flood attack
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 104
Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?
A. Transference
B. Covert channel
C. Bleeding
D. Cross-talk
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 105
What is an advantage of Elliptic Curve Cryptography (ECC)?
A. Cryptographic approach that does not require a fixed-length key
B. Military-strength security that does not depend upon secrecy of the algorithm
C. Opportunity to use shorter keys for the same level of security
D. Ability to use much longer keys for greater security
Correct Answer: C
Section: Software Development Security
Explanation
QUESTION 106
Backup information that is critical to the organization is identified through a
A. Vulnerability Assessment (VA).
B. Business Continuity Plan (BCP).
C. Business Impact Analysis (BIA).
D. data recovery analysis.
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 107
When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the GRE header inserted?
A. Into the options field
B. Between the delivery header and payload
C. Between the source and destination addresses
D. Into the destination address
Correct Answer: B
Section: Software Development Security Explanation
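Answer B is easiest to see on the wire. The Python example below is added here to show the framing and is not from the original question bank: it builds a delivery IPv4 header (protocol 47), places the four-byte RFC 2784 GRE header immediately after it, appends the payload, and then parses the result back to report the offsets. The addresses, IP identification value and payload are constructed sample values, and the optional GRE checksum is not computed (the C bit is left clear).

```python
"""GRE-over-IPv4 framing (added example, not from the original question).

Layout on the wire: [delivery IPv4 header][GRE header][payload]. The addresses
and payload used here are constructed sample values.
"""
import struct
from typing import Any, Dict

IPPROTO_GRE = 47          # protocol number carried in the delivery header
GRE_PROTO_IPV4 = 0x0800   # EtherType of the encapsulated payload (IPv4 inside GRE)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_packet(src: str, dst: str, payload: bytes, proto: int = GRE_PROTO_IPV4) -> bytes:
    # RFC 2784 GRE header: C(1) Reserved0(12) Ver(3) | Protocol Type(16). C bit clear.
    gre_header = struct.pack("!HH", 0x0000, proto)
    total_len = 20 + len(gre_header) + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # Delivery header: version 4, IHL 5, TTL 64, protocol 47 (GRE), checksum filled in below.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                      IPPROTO_GRE, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre_header + payload


def parse_gre_packet(pkt: bytes) -> Dict[str, Any]:
    """Locate the GRE header after the delivery header and return the inner payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    if ipv4_checksum(pkt[:ihl]) != 0:    # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    flags_ver, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    gre_len = 4
    if flags_ver & 0x8000:               # C bit set: checksum + reserved1 follow
        gre_len += 4
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "gre_offset": ihl,               # GRE starts right after the delivery header
        "gre_version": flags_ver & 0x7,
        "payload_type": ptype,
        "payload_offset": ihl + gre_len, # payload starts right after the GRE header
        "payload": pkt[ihl + gre_len:],
    }


if __name__ == "__main__":
    pkt = build_gre_packet("10.0.0.1", "10.0.0.2", b"inner")
    print(parse_gre_packet(pkt))
```

Because GRE adds no confidentiality or integrity of its own, anyone on the delivery path can read or rewrite the encapsulated payload; in practice GRE is run inside IPsec when the tunnel crosses untrusted networks.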
QUESTION 108
During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?
A. Calculate the value of assets being accredited.
B. Create a list to include in the Security Assessment and Authorization package.
C. Identify obsolete hardware and software.
D. Define the boundaries of the information system.
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 109
When evaluating third-party applications, which of the following is the GREATEST responsibility of Information Security?
A. Accept the risk on behalf of the organization.
B. Report findings to the business to determine security gaps.
C. Quantify the risk to the business for product selection.
D. Approve the application that best meets security requirements.
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 110
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
A. Cost effectiveness of business recovery
B. Cost effectiveness of installing software security patches
C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD)
D. Which security measures should be implemented
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 111
An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a PRIMARY security concern?
A. Ownership
B. Confidentiality
C. Availability
D. Integrity
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 112
What does the Maximum Tolerable Downtime (MTD) determine?
A. The estimated period of time a business critical database can remain down before customers are affected.
B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning
C. The estimated period of time a business can remain interrupted beyond which it risks never recovering
D. The fixed length of time in a DR process before redundant systems are engaged
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 113
What is a characteristic of Secure Sockets Layer (SSL) and Transport Layer Security (TLS)?
A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP).
B. SSL and TLS provide nonrepudiation by default.
C. SSL and TLS do not provide security for most routed protocols.
D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 114
How does a Host Based Intrusion Detection System (HIDS) identify a potential attack?
A. Examines log messages or other indications on the system.
B. Monitors alarms sent to the system administrator
C. Matches traffic patterns to virus signature files
D. Examines the Access Control List (ACL)
Correct Answer: A
Section: Software Development Security Explanation
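Answer A is what a HIDS actually does: it reads the host's own evidence rather than network traffic. The Python example below is added to illustrate that and is not from the original question bank. The log lines are constructed in OpenSSH/syslog style, and the rule names and the five-failure threshold are assumptions, not part of any real product. It walks the lines in order and raises an alert for a password-guessing burst, for a successful login from the same source immediately afterwards, and for a new account being added to the sudo group.

```python
"""Host-based detection over local log lines (added example, not from the original question).

The log lines below are constructed in OpenSSH/syslog style; thresholds and
rule names are assumptions, not part of any real HIDS product.
"""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
Mar  7 07:50:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  7 07:50:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  7 07:50:03 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  7 07:50:04 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  7 07:50:05 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  7 07:50:09 web01 sshd[2107]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar  7 07:51:12 web01 useradd[2150]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
Mar  7 07:51:20 web01 usermod[2152]: add 'svc_backup' to group 'sudo'
Mar  7 08:00:00 web01 sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO_GRANT = re.compile(r"usermod\[\d+\]: add '(\S+)' to group 'sudo'")

FAIL_THRESHOLD = 5   # failures from one source before we call it brute force (assumed)


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Walk the lines in order and emit alerts in the order the evidence appears."""
    alerts: List[Dict[str, str]] = []
    failures = defaultdict(int)     # source IP -> failed logins seen so far
    flagged = set()                 # sources already reported for brute force
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "source": src})
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            # A success right after a burst of failures is the telling pattern.
            if src in flagged:
                alerts.append({"rule": "success_after_bruteforce", "source": src, "user": user})
            continue
        m = SUDO_GRANT.search(line)
        if m:
            alerts.append({"rule": "privilege_grant", "user": m.group(1)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The unrelated public-key login from a second address produces no alert, which is the point of keying the rules on per-source state rather than on individual lines.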
QUESTION 115
Which of the following BEST represents the concept of least privilege?
A. Access to an object is denied unless access is specifically allowed.
B. Access to an object is only available to the owner.
C. Access to an object is allowed unless it is protected by the information security policy.
D. Access to an object is only allowed to authenticated users via an Access Control List (ACL).
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 116
Which of the following is an advantage of on-premise Credential Management Systems?
A. Lower infrastructure capital costs
B. Control over system configuration
C. Reduced administrative overhead
D. Improved credential interoperability
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 117
Which of the following approaches is the MOST effective way to dispose of data on multiple hard drives?
A. Delete every file on each drive.
B. Destroy the partition table for each drive using the command line.
C. Degauss each drive individually.
D. Perform multiple passes on each drive using approved formatting methods.
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 118
Which of the following BEST describes Recovery Time Objective (RTO)?
A. Time of application resumption after disaster
B. Time of application verification after disaster.
C. Time of data validation after disaster.
D. Time of data restoration from backup after disaster.
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 119
The PRIMARY purpose of accreditation is to:
A. comply with applicable laws and regulations.
B. allow senior management to make an informed decision regarding whether to accept the risk of operating the system.
C. protect an organization’s sensitive data.
D. verify that all security controls have been implemented properly and are operating in the correct manner.
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 120
Which of the following is a weakness of Wired Equivalent Privacy (WEP)?
A. Length of Initialization Vector (IV)
B. Protection against message replay
C. Detection of message tampering
D. Built-in provision to rotate keys
Correct Answer: A
Section: Software Development Security Explanation
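The 24-bit IV in answer A is a weakness because WEP keys RC4 with IV || shared key per frame, so two frames sent under the same IV use the same keystream. The Python example below is added here to make that concrete and is not from the original question bank; the shared key, IV and two plaintexts are constructed sample values, and the WEP CRC is omitted. It contains a plain RC4 implementation (insecure, for demonstration only), encrypts two frames under one IV, and shows that XORing the ciphertexts cancels the keystream and leaks the XOR of the plaintexts. It also computes the birthday bound for how many frames a busy network sends before an IV repeats with 50% probability.

```python
"""Why a 24-bit WEP IV is a weakness (added example, not from the original question).

WEP derives each frame's RC4 key as IV || shared key with a 24-bit IV, so IVs
repeat quickly and two frames under the same IV share a keystream. The key and
plaintexts below are constructed sample values.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), as WEP uses it. Insecure; for demonstration only."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-frame encryption: RC4 keyed with IV || shared key (CRC omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """With a reused keystream, c1 ^ c2 == p1 ^ p2: the keystream cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def frames_until_collision_prob(iv_bits: int, prob: float) -> int:
    """Birthday bound: frames needed before some IV repeats with probability `prob`."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))


def demo() -> bytes:
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    iv = b"\xaa\xbb\xcc"                   # the same IV reused by two frames
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return recover_xor_of_plaintexts(c1, c2)   # equals p1 ^ p2, no key needed


if __name__ == "__main__":
    print(demo())
    print(frames_until_collision_prob(24, 0.5), "frames for a 50% IV collision chance")
```

An attacker who knows or can guess part of one plaintext (protocol headers are highly predictable) recovers the corresponding bytes of the other directly from the XOR; IV space, not just key length, is what limits WEP.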
QUESTION 121
Which of the following is the MAIN reason for using configuration management?
A. To provide centralized administration
B. To reduce the number of changes
C. To reduce errors during upgrades
D. To provide consistency in security controls
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 122
Which of the following is MOST important when deploying digital certificates?
A. Validate compliance with X.509 digital certificate standards
B. Establish a certificate life cycle management framework
C. Use a third-party Certificate Authority (CA)
D. Use no less than 256-bit strength encryption when creating a certificate
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 123
A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take?
A. Administrator should request data owner approval for the user access
B. Administrator should request manager approval for the user access
C. Administrator should directly grant the access to the non-sensitive files
D. Administrator should assess the user access need and either grant or deny the access
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 124
A proxy firewall operates at what layer of the Open System Interconnection (OSI) model?
A. Transport
B. Data link
C. Network
D. Application
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 125
Which of the following restricts the ability of an individual to carry out all the steps of a particular process?
A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacations
Correct Answer: B
Section: Software Development Security Explanation
QUESTION 126
Although code using a specific programming language may not be susceptible to a buffer overflow attack,
A. most calls to plug-in programs are susceptible.
B. most supporting application code is susceptible.
C. the graphical images used by the application could be susceptible.
D. the supporting virtual machine could be susceptible.
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 127
What is the BEST way to encrypt web application communications?
A. Secure Hash Algorithm 1 (SHA-1)
B. Secure Sockets Layer (SSL)
C. Cipher Block Chaining Message Authentication Code (CBC-MAC)
D. Transport Layer Security (TLS)
Correct Answer: D
Section: Software Development Security Explanation
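Question 113 describes SSL/TLS as a generic channel-security layer over TCP and this question prefers TLS over SSL. The Python example below is added to illustrate both points and is not from the original question bank. It builds a client `ssl.SSLContext` that refuses SSLv3 and TLS 1.0/1.1 and requires certificate and hostname verification, reports those settings, and wraps an ordinary TCP socket without performing a handshake; the host name is a constructed placeholder and no network connection is made.

```python
"""Hardened TLS client context (added example, not from the original question).

Shows TLS as a channel-security layer that wraps an ordinary TCP socket: the
context is configured and inspected without opening a connection. The host
name is a constructed placeholder.
"""
import socket
import ssl
from typing import Dict


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # verifies the server certificate by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3 and TLS 1.0/1.1 outright
    ctx.check_hostname = True                     # bind the certificate to the name we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings a reviewer would check before approving the context."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_hostname": ctx.check_hostname,
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "legacy_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
    }


def wrap_tcp(ctx: ssl.SSLContext, host: str = "example.invalid") -> ssl.SSLSocket:
    """TLS sits on top of a plain TCP socket; nothing here is HTTP-specific.

    The handshake only runs once connect() is called, so this is safe offline.
    """
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(describe(hardened_client_context()))
```

Answers A and C are distractors because SHA-1 and CBC-MAC provide integrity or authentication, not encryption; SSL is rejected because every SSL version is deprecated and the context above would refuse to negotiate it.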
QUESTION 128
Which of the following are effective countermeasures against passive network-layer attacks?
A. Federated security and authenticated access controls
B. Trusted software development and run time integrity controls
C. Encryption and security enabled applications
D. Enclave boundary protection and computing environment defense
Correct Answer: C
Section: Software Development Security Explanation
QUESTION 129
What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)?
A. Management support
B. Consideration of organizational need
C. Technology used for delivery
D. Target audience
Correct Answer: A
Section: Software Development Security Explanation
QUESTION 130
A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the BEST course of action?
A. Ignore the request and do not perform the change.
B. Perform the change as requested, and rely on the next audit to detect and report the situation.
C. Perform the change, but create a change ticket regardless to ensure there is complete traceability.
D. Inform the audit committee or internal audit directly using the corporate whistleblower process.
Correct Answer: D
Section: Software Development Security Explanation
QUESTION 131
Which of the following is the MOST important goal of information asset valuation?
A. Developing a consistent and uniform method of controlling access to information assets
B. Developing appropriate access control policies and guidelines
C. Assigning a financial value to an organization’s information assets
D. Determining the appropriate level of protection
Correct Answer: D
Section: Software Development Security
Explanation