Final OS Updated


Question 1

One of the methods that an organization can use to determine compliance is to perform _______________.

boundary protections
random audits
incident response
system scans

Question 2

In your Lab Report file, you wrote an IT security definition for one of the gaps for which you had not previously
identified a policy, by:

outlining the chain of command for the security process.

determining the most likely avenue for attack.

suggesting how to mitigate the risk involved.

recommending who would be responsible for any loss.

Question 3

In the scenario in the lab, you started working at a new bank and were creating an IT security policy framework for
the organization that:

was identical to your previous place of work.

aligned with the infrastructure and compliance needs of your previous employer.

aligned with the profitability goals and objectives of the new bank.

aligned with the infrastructure and compliance needs of the new bank.

Question 4

In which section of the security policy definition you created in the lab did you explain how the policy definition
fills the identified gap in the overall IT security policy framework definition and how it mitigates the risks, threats,
and vulnerabilities identified?

Purpose/Objectives

Scope

Standards

Guidelines

Question 5

Many organizations have a(n) ________________________, which is comprised of end user devices (including
tablets, laptops, and smartphones) on a shared network and that use distributed system software; this enables these
devices to function simultaneously, regardless of location.

executive management sponsorship
distributed infrastructure
agentless central management tool
agent

Question 6

Overlapping policies:

should be avoided.
are redundant and waste valuable resources.
cost an organization too much money.
provide defense in depth.

Question 7

In a business impact analysis (BIA), the phase of defining the business’s components and the component priorities
has several objectives. Which of the following is not one of the objectives?

name and explain all processes and business functions
explain each BIA component
institute recovery time frames for the components with the highest priority only
ascertain the service impact and the financial impact for unavailable components

Question 8

Consider this scenario: A major software company finds that code has been executed on an infected machine in its
operating system. As a result, the company begins working to manage the risk and eliminates the vulnerability 12
days later. Which of the following statements best describes the company’s approach?

The company effectively implemented data classification.
The company effectively implemented quality control.
The company effectively implemented patch management.
The company effectively implemented quality assurance.

Question 9
In which section of the security policy definition you created in the lab did you address roles and responsibilities for
implementing the policy?

Purpose/Objectives

Scope

Standards

Guidelines

Question 10
It can be challenging for personnel in organizations to accept when significant changes are implemented. Consider
this scenario: An organization implements a baseline of security systems that has caused certain applications that
had previously worked well to suddenly fail. Which of the following steps will require time, patience, and an
environment of cooperation that will best address the problem?
The department can elect to diminish security and cease using the baseline settings.
The department can elect to stop using the application entirely.
The department could seek out an alternative method that doesn’t bypass the initial baseline settings
and permits the application to work.
The department could arrange for use of the applications to be elective based on personnel who would most
benefit from their use.

Question 11
Not all automated tools have the same functions, so it is important to run tests on their effectiveness before making a
financial or resource allocation investment. For example, if an organization is interested in discovery, which of the
following questions is important to ask?
Can the system accurately locate systems on the network?
What is the length of time necessary to scan the entire network?
Can the tool solve the problem, or at least offer recommendations for how it can be resolved?
Does the tool report problems that don’t exist?

Question 12
One of the most important approaches used to secure personal data is ________________, which is the process used
to prove the identity of an individual. ______________, however, is the process used to enable a person’s access
privileges.
authentication, authorization
authorization, authentication
authentication, verification
verification, authentication

Question 13
If an organization is creating a customized data classification scheme, it is important to keep in mind the accepted
guidelines. Which of the following is not one of these guidelines?
Define the number of classification levels.
Identify each classification level.
Connect the classification to particular handling requirements.
Make recommendations for how audits can be conducted.

Question 14
It is important that partnership exists between the ___________________, which needs to review the standing
legislation that governs their business, and the ____________________, which needs to review all recent or
significant policy changes.
information security team, legal department
CISO, legal department
legal department, CISO
information security team, executive committee

Question 15
Based on your work in the lab, to which policy definition does the following policy statement apply?
Backups must be done in full on work nights between 12 a.m. and 5 a.m.
Business continuity and disaster recovery

Asset protection

Production data backup

Remote access Virtual Private Network (VPN)

Question 16
One of the six specifications for entities that implement SCAP is to provide particular names for operating systems,
applications, and hardware. This specification articulates a standard naming convention for systems to promote
consistency across varied products. Which of the following specifications fits this description?
Common Platform Enumeration (CPE)
eXtensible Configuration Checklist Description Format (XCCDF)
Common Configuration Enumeration (CCE)
Open Vulnerability and Assessment Language (OVAL)

Question 17
In order to ensure compliance, organizations deploy both new and current technologies. Which of the following is
not one of these new technologies?
COSO Internal Compliance Framework
Security Content Automation Protocol (SCAP)
Simple Network Management Protocol (SNMP)
Common Platform Enumeration (CPE)

Question 18
Even though SNMP is a part of the TCP/IP suite of protocols, it has undergone a series of improvements since its
first version. Which of the following is not one of the improvements offered in version 3?
Packets are now encrypted, which enhances confidentiality.
A message authentication code (MAC) is implemented for assurance that data has not been modified, which
enhances integrity.
HP SCAP Scanner by HP is now implemented, which enhances overall security.
Authentication has been provided in order to verify that the SNMP messages are from a trusted source.

Question 19
In policies regarding the ___________ of data, it must be guaranteed that the data that exits the private network is
secured and monitored; the data should also be encrypted while in transit.
creation
storage
use
physical transport

Question 20
Of the different IRT roles, the _______________ is head of the team and issues the ultimate call regarding how to
respond to an incident, whereas the __________________ role is to monitor and document all the activity that
unfolds during an incident.
IRT coordinator, IRT manager's
IRT manager, IRT coordinator's
IRT manager, IRT support
IRT officer, IRT manager's

Question 21
A baseline is a point of departure that guarantees that systems comply with security requirements when they are
enacted. However, it is not an uncommon occurrence that systems are changed in a way that means they are no
longer in compliance. Thus, it is necessary to use an accepted method to ensure that settings have not been changed.
Which of the following is not one of these methods?
automated systems
departmental compliance and random audits
broad organizational report cards to ensure policy compliance
patch management

Question 22
A security _____________ identifies a group of fundamental configurations designed to accomplish particular
security objectives.
baseline
policy
guideline
system

Question 23
The lab demonstrated how to assess and audit an IT security policy framework definition by performing a(n)
__________ with remediation.

IT security review

domain assessment

gap analysis

risk analysis

Question 24
It is necessary to retain information for two significant reasons: legal obligation and business needs. Data that
occupies the class of ________________ is comprised of records that are required to support operations; the data
included might be customer and vendor records.
regulated
business
temporary
permanent

Question 25
In order to form an IRT, an organization is required to create a charter; this document identifies the authority,
mission, and goals of a committee or team, and there are a number of different types of IRT models for doing this.
Which of the following models permits an IRT to have the complete authority to ensure a breach is contained?
IRT that provides off-site response
IRT that acts in a support role
IRT that provides on-site response
IRT that acts in a coordination role

Question 26
In addition to compiling the list of user access requirements, applications, and systems, the BIA also includes
processes that are ____________. These processes safeguard against any risks that might occur due to key staff
being unavailable or distracted.
automated
manual
flexible
rigid

Question 27
One of the different manual controls necessary for managing risk is ________________, which is a type of formal
management verification. In the process, management confirms that a condition is present and that security controls
and policies are in place.
attestation
background checks
log reviews
access rights reviews

Question 28
In the lab, you aligned IT security policies throughout the seven domains of a typical IT infrastructure as part of a:

performance review.

layered security strategy.

security vulnerability analysis.

threat evaluation.

Question 29
Consider this scenario: A health insurer in Oklahoma settled a class-action lawsuit after having reported that one
laptop was stolen in 2008; this laptop contained personal data of more than 1.6 million customers. Based on the fact
that the laptop was not encrypted, and that employees were lacking in security awareness training, which of the
following statements captures the root cause of this breach?

The security measures required by HIPAA were not sufficiently observed.
The thorough implementation of security policies was not something that the executive management
prioritized.
The security policies were routinely ignored by company employees.
The HIPAA regulations were unclear and difficult to implement.

Question 30

A policy framework definition helps organizations align policies to domains throughout their IT infrastructure to
help:

mitigate the risks, threats, and vulnerabilities that are commonly found.

identify the areas of the organization that are most vulnerable to attack.

determine what attacks are most likely to adversely affect the organization.

assign organizational liability in case of a security breach.

Question 31
A major defense corporation rolls out a campaign to manage persistent threats to its infrastructure. The corporation
decides to institute a ___________________ to identify and evaluate the knowledge gaps that can be addressed
through additional training for all employees, even administrators and management.
needs assessment
new policy
communications plan
branding campaign

Question 32
Based on your work in the lab, to which policy definition does the following policy statement apply?
The company’s most critical business processes and functions must be identified and assessed to facilitate disaster
recovery and business continuity planning.
Business continuity: Business impact analysis (BIA)

Business continuity and disaster recovery

Asset protection

Production data backup

Question 33
In order to build security policy implementation awareness across the organization, there should be
____________________ who partner with other teams and departments to promote IT security through different
communication channels.
many HR department personnel
numerous marketing department professionals
multiple executive supporters
several IT department specialists

Question 34
If a vulnerability is not fixed at the root cause, there is a possibility that another route of attack
can emerge. This route is known as the ____________________.
vulnerability vector
attack vector
risk vector
root vector

Question 35

Based on your work in the lab, to which policy definition does the following policy statement
apply?
All the company’s encryption must employ at least Triple Data Encryption Standard Secure
Hash Algorithm (DES SHA) III and Secure Sockets Layer/Transport Layer Security
(SSL/TLS). Symmetric keys must be 128 bits in length.
Data classification standard and encryption

Internet ingress/egress traffic and Web content filter

Production data backup

Audit and monitoring

Question 36

In information security, the individual responsible for setting goals for implementing security
policies is the _________________.

chief information security officer
supervisor
human resources manager
executive manager

Question 37

A policy should be simple, concise, and clearly written because you are writing not only the
policy statement, but also the __________ for mitigating your chosen type of risk.

vulnerability assessment

procedural “how-to”

traffic filter

overarching company objective

Question 38

Consider this scenario: A sales organization with an onsite IT staff experiences a major outage
due to a minor change to a printer. Though systems were working successfully, the printer
stopped working when a new server was added to the network. The new server that was added
to the network shared the same IP address as the printer. Which of the following statements
captures a contributing cause of the problem with the IP compatibility?

The IP address conflict prevented the printer from printing and prohibited the new
server from communicating on the network.
The IP address conflict demonstrates that the organization failed to comply with
change management policies.
The IP address conflict should have been fixed by a technician hired as an outside
consultant.
The IP address conflict was a sign of another conflict in the default gateway, so none of
the servers on the subnet were able to move traffic out of the subnet.

Question 39

An organization’s _______________________ is a particular group of differently skilled
individuals who are responsible for attending to serious security situations.

incident response team (IRT)
business impact analysis team (BIAT)
disaster recovery plan team (DRPT)
information technology subject matter experts (ITSME)

Question 40

In order to enhance the training experience and emphasize the core security goals and mission,
it is recommended that the executives _______________________.

issue a written welcome letter to new employees
remove themselves from the process because it doesn’t concern them
schedule multiple training sessions with new employees for face-to-face interaction
video record a message from one of the leaders in a senior role to share with new
employees

Question 41

Based on your work in the lab, to which policy definition does the following policy statement
apply?
The company’s most critical business functions should not be allowed to remain interrupted
for more than two days. Given adequate planning, testing, and failure-ready infrastructure,
the company should resume operations as soon as possible after a catastrophic outage.
Business continuity: Business impact analysis (BIA)

Business continuity and disaster recovery

Asset protection

Production data backup

Question 42

Which of the following statements is true regarding a security policy framework?

Your policies should be born from a well-thought-out framework.

The process of writing policies for your business ends with crafting a framework.

The framework should outline how a single policy addresses every risk to the business.

The framework is only used for writing new policies and does not apply to existing IT
policies.

Question 43

A __________________________ is a term that refers to the original image that is duplicated
for deployment. Using this image saves time by eradicating the need for repeated changes to
configuration and tweaks to performance.

digital signature
public key infrastructure
certificate authority
gold master

Question 44

Consider this scenario: A company is notified that its servers have been compromised to be
the point of departure to attack a host of other companies. The company then initiates an IRT,
which is unable to locate the breach. The company then seeks the services of an outside firm
that specializes in forensic analysis and intrusions. The outside firm locates the source of the
breach and wants to monitor the actions of the intruder. However, the outside firm is informed
by its internal legal counsel that the company does not agree with this course of action. Which
of the following statements best captures the effectiveness of the company’s IRT policies?
The IRT is completely ineffective because the firm it contracted is not cross-functional.
The IRT is completely ineffective because the company didn’t agree with the firm’s
recommendations.
The IRT is moderately effective because a breach was found without seeking
external counsel.
The IRT is highly effective because it was activated quickly.

Question 45

Of the many tools that can be used in training to connect with an audience of employees,
_______________ can inspire a sense of fun that leads to community and commitment.

case studies
humor
brainstorming
training videos

Question 46

Of the risk management strategies, _________________ refers to the act of not engaging in
actions that lead to risk, whereas ____________________ refers to acquiescence in regard to
the risks of particular actions as well as their potential results.

risk avoidance, risk transference
risk acceptance, risk transference
risk mitigation, risk acceptance
risk avoidance, risk acceptance

Question 47

A ________________________ is a string of data associated with a file that provides added
security, authentication, and nonrepudiation.

digital signature
public key infrastructure
certificate authority
gold master

Question 48

It is important to conduct a nearly continuous evaluation of possible ______________ to
guarantee that recovery estimates provided to customers are accurate and maintain credibility
with customers.

resources
vulnerabilities
downtimes
risks

Question 49
It is important that security policies establish a concrete distinction between work life and
home life. Such a distinction requires that employees understand that they have no expectation
of _______________.

job security
using company devices after hours
vulnerability from threats
privacy with respect to personal devices connected to the network

Question 50

The risk-based approach to developing policies begins with focusing on the:

most frequent threats to the business.

worst threats to the business.

employees most likely to be at risk.

cost of each individual risk.

Question 51

In the lab, you only provided a policy relevant to a risk, threat, or vulnerability of the seven
domains of a typical IT infrastructure. However, normally a __________ would be the
necessary next step.

threat monitor or vulnerability monitor

risk assessment or suggested control

service agreement or user license

delegation table or authority chart

Question 52

In general, the IRT is comprised of a team with individuals that have different specialties; one
such individual is the ___________________, who offers analytical skills and risk
management. This specialist has focused forensic skills necessary for the collection and
analysis of evidence.

information security representative
legal representative
information technology subject matter experts
human resources (HR) representative

Question 53

At Stanford University, data is labeled according to a classification scheme that identifies
information in the following way: prohibited, restricted, confidential, and unrestricted. Which
of the following schemes has Stanford adopted?

customized classification
business classification
legal classification
military classification

Question 54

The policy statement you wrote in the lab outlined how you would expect to address a(n):

newly discovered risk at the policy and guideline level.

newly discovered risk at the executive level.

existing risk at the policy and guideline level.

existing risk at the scope level.

Question 55

Because risk management is both a governance process and a model that seeks consistent
improvement, there is a series of steps to be followed every time a new risk emerges. Which
of the following is not one of these steps?

Make the risk a priority and connect it to strategic objectives.
Establish an appropriate response to risk, which might mandate policy adjustment.
Identify the prior risks; it is not necessary to determine the cause.
Ascertain risk to assess how it impacts the organization.

Question 56

Microsoft domains offer _______________ in order to enhance security for certain
departments or users in an organization. This method allows security gaps to close and
security settings to be increased for some computers or users.

group policy
change management policies
configuration management policies
Simple Network Management Protocol (SNMP)

Question 57

During the process of developing a communications plan, it is necessary to ask the question,
__________________.

“Who is communicating?”
“What is the intended message?”
“What is the target audience?”
“How is it communicated?”

Question 58

Of all the needs that an organization might have to classify data, there are three that are most
prevalent. Which of the following is not one of the reasons?

protect information
retain information
recover information
transfer information

Question 59

A risk exposure is defined as the impact to the organization when a situation transpires. The
widely accepted formula for calculating exposure is as follows:

Risk exposure = ________________ the event will occur + ____________ if the event occurs

where, outcome
likelihood, impact
how, impact
likelihood, cost

Question 60
A policy framework helps organize and identify __________ in the overall layered security
strategy.

budgetary restraints

policy domains

persistent threats

potential gaps

Question 61

Depending on staffing availability, the complexity of implementation, backlog, and how many
approvals are needed, manual access requests can take weeks or days. Thus, automation can
make the process far more efficient and minimize the time required. Which of the following is
not one of the areas in which the time required can be reduced through automation?

Appropriate request—automated controls can verify request completion and that no
policy requirements have been violated.
Employee verifications—automated controls can be put in place to verify
information on an employee’s background.
Implementation—automated controls can implement a change upon its approval.
Approval workflow—automated controls can put a request in route so that it reaches
those who need to grant approval in as expedient a manner as possible.

Question 62

As part of the National Institute of Standards and Technology (NIST) program, the Security
Content Automation Protocol (SCAP) identifies standards and protocols implemented to
establish a range of different automated compliance tools and scanners. One of the different
tools available is the ______________________, which deploys a privileged account to
authenticate on the target system, and it eventually scans the system to ascertain compliance
with an identified set of configuration requirements.

authenticated configuration scanner
unauthenticated vulnerability scanner
patch remediation
misconfiguration remediation

Question 63

In order to assess policy compliance, many organizations will use a report card. The
evaluation tools are comprised of criteria based on an organization’s requirements. Which of
the following is not one of the elements that would be included on a report card?

patch compliance
security settings
number of unauthorized changes
number of random audits performed

Question 64

A ______________________ is an apparatus for risk management that enables the
organization to comprehend its risks and how those risks might impact the business.

risk and control self-assessment (RCSA)
risk avoidance self-assessment (RASA)
risk transference self-assessment (RTSA)
risk mitigation assess self-assessment (RMASA)

Question 65

After management has created and agreed upon its policies, it must then determine how these
policies will be implemented. Which of the following is not one of the processes that line
management will follow in order to make the new policies operational?

It will ensure that all members on the front-line team have received training.
It will take on the responsibility of being the point person for contact.
It will ensure that users with the most sensitive security access especially adhere to
the policies.
It will apply the policies in an even and consistent manner.

Question 66

One of the many roles of the security compliance committee is to focus on controls that are
widely used across a large population of applications, systems, and operations. These types of
controls are known as ___________________.

compliance controls
pervasive controls
operations controls
automated controls

Question 67

If a gap analysis finds deficiencies in an organization’s policies, it is necessary to:

amend both the security policy framework and the policies.

increase the budget for security incident response.

determine the likelihood of the potential threats.

identify the employees responsible for the deficiencies.

Question 68

Which of the following statements is true regarding a security policy framework?

A framework should be considered static and should not be revised.

If written well from the outset, a framework and policies will not need to be revised.

A framework should be updated when you discover new or evolving risks.

Performing a gap analysis will not aid in the revision of a framework.

Question 69

Based on your work in the lab, to which policy definition does the following policy statement
apply?
Users are not allowed to connect personal devices which are not issued by the company.
Users are not allowed to run applications without business justification and expressed written
authorization. Users are permitted to access Internet content during non-working hours.
Internet ingress/egress traffic and Web content filter

Access control

Asset protection

Remote access Virtual Private Network (VPN)

Question 70

A(n) ______________________ is a centrally located device that is capable and permitted to
extend and connect to distributed services.

malware tool
inventory assessment
agentless central management tool
distributed infrastructure

Question 71

Based on your work in the lab, to which policy definition does the following policy statement
apply?
Security mandates should govern the company’s resources to stop access by unauthorized
users, but still permit full access for authorized users.
Internet ingress/egress traffic and Web content filter

Access control

Asset protection

Audit and monitoring

Question 72

An occurrence that transgresses an organization’s security policies is known as an incident.
Which of the following is not an example of a security incident?

non-permitted access to any computer system
a server crash that was accidentally caused
duplicating customer information derived from a database
non-permitted use of computer systems for the purpose of gaming

Question 73

A ________________ is a technological term used in security policy to describe a future state
in which specific goals and objectives have been achieved and which processes, resources,
and tools are needed to achieve those goals and objectives.
threat vector
target state
agent
communications plan

Question 74

Despite the fact that there exists no mandatory scheme of data classification for private
industry, there are four classifications used most frequently. Which of the following is not one
of the four?

highly sensitive
moderately sensitive
sensitive
internal
