Domain One Questions

The document contains multiple choice questions about information security concepts. It covers topics like controls, incidents, risk management, and the CIA triad. The questions test understanding of foundational security principles and frameworks.

Uploaded by

yogo camlus

1. Supports the principle of "least privilege" by providing that only authorized individuals,
processes, or systems should have access to information on a need-to-know basis.

A) Deterrent controls
B) Confidentiality
C) Incident
D) Availability

2. Procedures implemented to define the roles, responsibilities, policies, and administrative
functions needed to manage the control environment.

A) Integrity
B) Risk transfer
C) Compensating controls
D) Administrative controls

3. Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable
level.
A) Compliance
B) Compensating controls
C) Corrective controls
D) Preventive controls

4. A security event that compromises the confidentiality, integrity, or availability of an
information asset.
A) Incident
B) Breach
C) Trademark
D) Due care

5. A combination of the probability of an event and its consequence (ISO 27000) and an expectation
of loss expressed as the probability that a particular threat will exploit a particular vulnerability
with a particular harmful result (RFC 2828).
A) Breach
B) Copyright
C) Patent
D) Risk

6. Preventive Controls: Authorizes the President to designate those items that shall be considered
as defense articles and defense services and control their import and the export.

A) True B) False
7. Due Care: Defined as the difference between the original value and the remaining value of an
asset after a single exploit.

A) True B) False
8. Availability: The principle that ensures that information is available and accessible to users
when needed.
A) True B) False

9. Recovery Controls: Controls implemented to restore conditions to normal after a security
incident.
A) True B) False

10. Trademark: Established to contribute to regional and international security and stability by
promoting transparency and greater responsibility in transfers of conventional arms and dual
use goods and technologies, thus preventing destabilizing accumulations.
A) True B) False

11. Detective Controls: Controls designed to signal a warning when a security control has been
breached.
A) True B) False

12. Patent: Electronic hardware and software solutions implemented to control access to
information and information networks.
A) True B) False

13. Integrity: A process designed to identify potential events that may affect the entity, manage
risk so it is within its risk appetite, and provide reasonable assurance regarding the
achievement of entity objectives.
A) True B) False

14. Risk Management: The practice of passing on the risk in question to another entity, such as an
insurance company.
A) True B) False

15. Data Disclosure: A breach for which it was confirmed that data was actually disclosed (not just
exposed) to an unauthorized party.
A) True B) False

16. You are a security consultant. A large enterprise customer hires you to ensure that their
security operations are following industry standard control frameworks. For this project, the
customer wants you to focus on technology solutions that will discourage malicious activities.
Which type of control framework should you focus on?

A) Preventive
B) Deterrent
C) Detective
D) Corrective
17. You are performing a risk analysis for an internet service provider (ISP) that has thousands of
customers on its broadband network. Over the past 5 years, some customers have been
compromised or experienced data breaches. The ISP has a large amount of monitoring and log
data for all customers. Using that data, you need to figure out the likelihood of additional
customers experiencing a security incident. Which type of approach should you use for the risk
analysis?
A) Qualitative
B) Quantitative
C) STRIDE
D) Reduction

18. You are working on a business continuity project for a company that generates a large amount
of content each day for use in social networks. Your team establishes 4 hours as the maximum
tolerable data loss in a disaster recovery or business continuity event. In which part of the
business continuity plan should you document this?

A) Recovery time objective (RTO)
B) Recovery point objective (RPO)
C) Maximum tolerable downtime (MTD)
D) Maximum data tolerance (MDT)

19. If an attacker is using Distributed Denial of Service (DDoS) attacks, which part of the CIA triad is
the attacker targeting?

A) Authentication
B) Confidentiality
C) Availability
D) Integrity
20. Our board of directors has decided our data integrity is the most important to our organization.
Which of these could we implement to prove we have data integrity?

A) Hashes
B) Multifactor authentication
C) Redundant hardware
D) None of these

21. When an attacker has obtained our sensitive data, and chooses to disclose it on a website,
which leg of the CIA triad would be MOST affected?

A) Authentication
B) Confidentiality
C) Availability
D) Integrity.
22. When authenticating against our access control systems, you are using your passphrase. Which
type of authentication are you using?

A) A possession factor
B) A knowledge factor
C) A biometric factor.
D) A location factor

23. In our identity and access management, we are talking about the IAAA model. Which of these is
NOT one of the A's of that model?

A) Authentication.
B) Availability.
C) Authorization.
D) Auditing

24. If we are wanting to implement a governance standard and control framework focused on IT
service management, which of these should we implement?

A) COBIT.
B) ITIL.
C) COSO.
D) FRAP

25. We are in a court of law and the proof must be "beyond a reasonable doubt", which type of
court are we in?

A) Criminal court.
B) Civil court.
C) Administrative court.
D) Probation court

26. As an IT Security professional, you are expected to perform your due diligence. What does this
mean?

A) Researching and acquiring the knowledge to do your job right.
B) Do what is right in the situation and your job. Act on the knowledge.
C) Continue the security practices of your company.
D) Apply patches annually

27. You can MOST LIKELY be held liable when you display which of these?
A) Due care.
B) Due diligence.
C) Negligence.
D) Remorse
28. After a security incident, our legal counsel presents the logs from the time of the attack in
court. They constitute which type of evidence?

A) Real evidence.
B) Direct evidence.
C) Secondary evidence.
D) Circumstantial evidence

29. What is something that could make evidence inadmissible in court?

A) Complete chain of custody.
B) Alterations to the data.
C) Taking a bit level copy of the compromised hard drive, hashing both drives, hashes are
identical. Do forensics on the copy drive, hash after forensics is identical too.
D) Enticement.

30. Our organization is considering different types of intellectual protection options. Which of
these is something that can be patented?

A) Software.
B) Logos.
C) Inventions.
D) Public domain (CC0) photos

31. Who would be allowed to act in exigent circumstances?

A) Those operating under the color of law.
B) Our IT security team.
C) Our legal team.
D) Lawyers

32. Who in our organization should approve the deployment of honeypots and honeynets?

A) Our legal team.
B) Our HR and payroll team.
C) The engineer deploying it.
D) A judge

33. We have had a major security breach. We lost 10,000 credit card files from a stolen laptop. We
are in a state in the US that has a security breach notification law. What could allow us legally
to NOT disclose the breach?
A) Senior management's decision to not disclose.
B) The impact it would have on our revenue.
C) The laptop being encrypted
D) The laptop being backed up
34. When exporting our products to certain countries we need to be compliant with the Wassenaar
Arrangement. Which of these is NOT covered by the agreement?
A) Rockets.
B) Encryption.
C) Telecommunications.
D) SIEM
35. What is the difference between awareness and training?
A) Awareness is changing the behavior so they do the right thing, training is teaching them
how to do it.
B) Training is changing the behavior so they do the right thing, awareness is teaching them
how to do it.
C) Training and awareness are the same.
D) Training is employees using the knowledge we have given them, awareness is them going
to a class and getting the knowledge

36. An employee has been coached and mentored over months, but it has not improved their
performance and attitude. We are unfortunately forced to let them go immediately. When
would we lock their accounts?

A) Ahead of time.
B) As they are being told.
C) After a week.
D) At the next user account cleanup we perform monthly.

37. When we are hiring new employees, we do multiple checks to ensure they are who they say
they are. What type of control is a background check?
A) Administrative deterrent.
B) Administrative preventative.
C) Technical deterrent.
D) Technical preventative

38. Which type of hacker would publicize a vulnerability if we do NOT make a patch to fix the
issue?
A) Black hat.
B) Gray hat.
C) White hat.
D) Red hat

39. We are seeing attacks on one of our servers. The attack is using zombies. Which type of an
attack is it?
A) DDOS.
B) Viruses.
C) Worms.
D) Trojans
40. In an implementation we are planning, we need to ensure we are HIPAA compliant. What is the
HIPAA compliance built around?

A) PHI.
B) Credit cards.
C) PII.
D) ITSM.

41. With which of these is your work NOT protected if someone were to copy your work?
A) Trademark.
B) Patent.
C) Copyright.
D) Trade secret
42. What could be a security concern we would need to address in a procurement situation?
A) Who gets the IT Infrastructure?
B) How do we ensure their security standards are high enough?
C) Security is part of the SLA.
D) All of these.

43. Which of these could be an example of a type of corrective access control?

A) Encryption.
B) Alarms
C) Backups.
D) Patches.

44. In our risk analysis, we are looking at the risk. What would that comprise?

A) Threat + vulnerability.
B) Threat x vulnerability.
C) Threat * vulnerability * asset value.
D) (threat * vulnerability * asset value) - countermeasures.

45. During our risk analysis, we are rating our incident likelihood as rare, unlikely, possible, likely,
and certain. Which type of risk analysis are we using?
A) Quadratic risk analysis.
B) Cumulative risk analysis.
C) Quantitative risk analysis.
D) Qualitative risk analysis

46. We are discussing our risk responses and we are considering not issuing our employees
laptops. What type of risk response would that be?
A) Risk transference.
B) Risk rejection.
C) Risk avoidance.
D) Risk mitigation
47. What would we call social engineering through emails that target specific individuals, where
the attacker has specific knowledge about the company?
A) Spear phishing.
B) Whale phishing.
C) Phishing.
D) Vishing

48. If we are using a qualitative risk analysis approach, which of these would we use?
A) Risk analysis matrix.
B) Cost per incident.
C) Exposure factor.
D) Asset value

49. Prior to us deploying honeypots and honeynets, who should sign off on the deployment?
A) Our HR and payroll team.
B) Senior management.
C) The engineer deploying it.
D) A judge

50. In quantitative risk analysis, what does the ALE tell us?
A) The value of the asset.
B) How often that asset type is compromised per year.
C) What it will cost us per year if we do nothing.
D) How much of the asset is lost per incident?

51. In a risk analysis, we are looking at the upfront cost and ongoing support of a mitigation
solution. What would that be called?

A) ALE.
B) ARO.
C) TCO.
D) SLE

52. Jane is doing quantitative risk analysis for our senior management team. They want to know
what a data center flooding will cost us. The data center is valued at $20,000,000. We would
lose 10% of our infrastructure and the flooding happens on average every 4 years. How much
would the annualized loss expectancy be?

A) 1000000
B) 100000
C) 2500000
D) 250000
53. Jane has determined our Annualized Loss Expectancy (ALE) for laptops is $250,000. She is
recommending we implement full disk encryption and remote wiping capabilities on all our
laptops. The $2,000 laptop value is still lost, but the $9,000 value loss from Personally
identifiable information (PII) exposure would be mitigated. How many laptops do we lose per
year?

A) 25
B) 50
C) 10
D) 15

54. In our risk analysis, we know there is a risk, but we do not analyze how bad an impact would
be. Which type of risk response is that an example of?

A) Risk transference.
B) Risk mitigation.
C) Risk avoidance.
D) Risk rejection

55. Using highly targeted emails to senior management, an attacker has sent an email threatening
a lawsuit if attached documents are not filled out and returned by a certain date. What is this
an example of?

A) Vishing.
B) Social engineering.
C) Whale phishing.
D) MITM

56. We have applied for a trademark and it has been approved. How are we protected?

A) Protected for 70 years after the creators’ death or 95 years for corporations.
B) You tell no one, if discovered you are not protected.
C) Protected for 20 years after filing.
D) Protected 10 years at a time, and it can be renewed indefinitely

57. Which of these are COMMON attacks on trade secrets?

A) Software piracy.
B) Industrial espionage, trade secrets are security through obscurity, if discovered nothing
can be done.
C) Counterfeiting.
D) Someone using your protected design in their products.
58. You are talking to a new manager of our helpdesk. You are explaining how we do risk analysis.
They ask you: "How do you define a vulnerability?"

A) How bad is it if we are compromised?
B) A potential harmful incident.
C) A weakness that can possibly be exploited.
D) The total risk after we have implemented our countermeasures.

59. Which of these could be a countermeasure we have in place that could help us recover after an
incident?

A) Encryption.
B) Backups.
C) Patches.
D) Intrusion detection systems

60. John has installed a backdoor to your system and he is using it to send spam emails to
thousands of people. He is using a C&C structure. What is your system?

A) A bot herder in a botnet.
B) A bot in a botnet.
C) A botnet.
D) A standalone bot

61. We have been using hashing with salting for our passwords for some years. One of our
executives has just heard about the CIA triad and asks, "Which leg of the CIA triad does that
support?". What do you answer?

A) Integrity.
B) Availability.
C) Confidentiality.
D) None of these.

62. Which of these would be COMMON attacks focused on compromising our availability?

A) DDOS.
B) Social engineering.
C) Viruses.
D) All of these

63. We are considering how we should protect our intellectual property. Which of these do you
need to apply for to be protected? (Select all that apply).

A) Copyright.
B) Trademarks.
C) Patents.
D) Trade Secrets.
64. As part of a management level training class we are teaching all staff with manager or director
in their title about basic IT Security. We are covering the CIA triad, which of these attacks
focuses on compromising our confidentiality?

A) Wireless jamming.
B) Social engineering.
C) Malware.
D) All of these

65. There are many risks in today's increasingly complex IT world, and how we deal with them should be
part of an overarching strategy. We could for instance be risk neutral or risk averse. Who would
decide our organization's risk appetite?

A) The IT security team.
B) The IT leadership team.
C) Senior management.
D) Rules and regulations

66. Looking at our information security governance, who would approve and sign off on our
policies?

A) Senior management.
B) The IT teams.
C) IT security.
D) IT management.

67. Jane is working on strengthening our preventative controls. What could she look at to do that?

A) Drug tests.
B) IDS.
C) Backups.
D) Patches
68. Mary recently read about a new hacking group that is using advanced tools to break into the
database servers of organizations running public websites. In risk management language, how
would she describe this group of hackers?

A) Threat - Given
B) Vulnerability
C) Risk
D) Standard
69. Yellow Submarine Enterprises recently conducted a risk assessment of their IT systems and
decided to implement a new data loss prevention system to reduce the likelihood of an
accidental data breach. What risk management strategy did they adopt?

A) Risk acceptance
B) Risk mitigation
C) Risk transference
D) Risk avoidance

70. Bob is conducting a business impact assessment as part of his organization's business
continuity program. He identified the longest period of time that a service can be unavailable
without causing damage to the business. What BIA variable did Bob identify?

A) MTD
B) ALE
C) RPO
D) RTO

71. Acme Systems recently developed a new technology for constructing integrated circuit boards.
They would like to protect this technology but want to make certain that competitors do not
learn how the technology works. What intellectual property protection technique is best suited
for Acme's situation?

A) Copyright
B) Trademark
C) Trade Secret
D) Patents

72. The MilTech defense contracting company would like to add an administrative security control
that protects against insider attacks. Which one of the following controls best meets those
criteria?

A) Vulnerability scans
B) Penetration tests
C) Background checks
D) Data loss preventions system

73. Ben is planning to deploy a new firewall on his organization's network. What category of
control does the firewall fit into?

A) Preventive
B) Corrective
C) Detective
D) Administrative

74. Jack is conducting a risk assessment for his firm and is evaluating the risks associated with a
flood inundating the firm's data center. Consulting FEMA maps, he determines that the data
center is located in a 100-year flood plain. He estimates that a flood would cause $5 million of
damage to his $40 million facility. What is the annualized loss expectancy?

A) $5,000,000
B) $50,000
C) $500,000,000
D) $500,000

75. Orwell Systems is one of the nation's largest publicly traded companies. Annie is Orwell's IT
compliance program manager and she wants to ensure the accuracy of the company's financial
statements. What regulation most likely applies in this scenario?

A) HIPAA
B) GLBA
C) COPPA
D) SOX

76. Mountain Sports is a major outdoor sports retailer with locations around the United States.
They engage in credit card transactions throughout the country and are concerned about
compliance issues surrounding credit card processing. What regulation applies in this situation?

A) PCI DSS
B) FERPA
C) GLBA
D) SB 1386

77. Tom is completing an asset valuation exercise for his company's two-year-old Storage Area
Network (SAN). He gathers the invoices from the equipment purchases and adds them up to
determine the asset value. What method is Tom using?

A) Replacement value
B) Estimated value
C) Original value
D) Depreciated value

78. Laws, regulations, and standards should not be confused. Which of these are NOT a law?

A) HIPAA.
B) PCI-DSS.
C) Homeland security act.
D) Gramm-Leach-Bliley act

79. When we are authenticating our employees, which of these would NOT be considered useful?

A) Something you are.
B) Something you know.
C) Something you believe.
D) Something you have.

80. Which type of companies are subject to the Sarbanes-Oxley act (SOX)?

A) Private companies.
B) Publicly traded companies.
C) Healthcare companies.
D) Startup companies

81. We are looking at lowering our risk profile and we are doing our quantitative risk analysis.
What would EF tell us?

A) How many times it happens per year?
B) How many percent of the asset is lost?
C) What will it cost us if it happens once?
D) What will it cost us per year if we do nothing?

82. We are in a court where the evidence must be "the majority of the proof." Which type of law
does that relate to?

A) Civil law.
B) Criminal law.
C) Administrative law.
D) Private regulations

83. In our risk management, how would we define residual risk?

A) How bad is it if we are compromised?
B) A potential harmful incident.
C) A weakness that can possibly be exploited.
D) The total risk after we have implemented our countermeasures

84. Which of these would be a type of corrective access control?

A) Encryption.
B) Backups.
C) Patches.
D) Intrusion detection systems
85. We are training some of our new employees in our policies, procedures, and guidelines. Our
guidelines are which of these?

A) Non-specific, but can contain patches, updates, strong encryption.
B) Specific, all laptops are W10, 64 bit, 8GB memory, etc.
C) Low level step-by-step guides.
D) Recommendations

86. Jane is looking at the CIA triad and working on mitigating our availability vulnerabilities. Select
all the threats against our availability:

A) Distributed Denial of Service (DDoS).
B) Hardware failure.
C) Key loggers.
D) Code injections.

87. At a meeting with upper management, we are looking at different types of intellectual property
materials. How is copyright protected?

A) Protected for 70 years after the creators’ death or 95 years for corporations.
B) You tell no one, if discovered you are not protected.
C) Protected for 20 years after filing.
D) Protected 10 years at a time, can be renewed indefinitely

88. We are in a court of law presenting our case from a security incident. What constitutes
collaborative or corroborative evidence?

A) Testimony from a first-hand witness.
B) Tangible objects.
C) Logs and system documents from the time of the attack.
D) Supporting facts and elements

89. Under which type of law can incarceration, financial penalty, and death penalty be the
punishment?

A) Civil law.
B) Criminal law.
C) Administrative law.
D) Private regulations

90. You hear that senior management is looking at the ISO 27005 standard, and a colleague asks
you, "What is that focused on?"

A) ITSM.
B) Protecting PHI.
C) Risk management.
D) HIPAA

91. Who would determine the risk appetite of our organization?

A) Middle management.
B) The users.
C) Senior management.
D) The IT leadership team

92. Looking at the CIA triad, when we have TOO MUCH availability, which other controls can
suffer?

A) Confidence.
B) Integrity.
C) Confidentiality and Integrity.
D) Confidentiality

93. Which would NOT be a factor to protect our integrity?

A) Missing database injection protection.
B) Digital signatures.
C) Message digests.
D) Database injection protection through input validation

94. When an attacker is using code injections, it is MOSTLY targeting which leg of the CIA triad?

A) Authentication.
B) Confidentiality.
C) Availability.
D) Integrity

95. Which of these could be something we would use to ensure data availability?

A) Hashes.
B) Multifactor authentication.
C) Redundant hardware.
D) None of these

96. During an attack, some of our data was deleted. Which leg of the CIA triad would be MOSTLY
affected?

A) Authentication.
B) Confidentiality.
C) Availability.
D) Integrity.
97. When authenticating against our access control systems, you present your fingerprint. Which
type of authentication are you using?

A) A possession factor.
B) A knowledge factor.
C) A biometric factor.
D) A location factor

98. You are explaining the IAAA model to one of the directors from payroll. Which of these is NOT
one of the A's from the model?

A) Authentication.
B) Access.
C) Authorization.
D) Accountability

99. We are implementing governance standard and control frameworks focused on goals for the
entire organization. Which of these would be something we would consider?

A) COBIT.
B) ITIL.
C) COSO.
D) FRAP

100. We are in a court, where the proof must be "the Majority of Proof". Which type of court
are we in?

A) Criminal court.
B) Civil court.
C) Administrative court.
D) Probation court

101. We have had a security incident. After our forensics is completed, we present the
compromised hard drive in court. Which type of evidence does the actual hard drive
represent?

A) Real evidence.
B) Direct evidence.
C) Secondary evidence.
D) Circumstantial evidence

102. Which of these would be something that could get the case dismissed, or at least make
our evidence inadmissible in court?

A) Entrapment.
B) Complete chain of custody.
C) Taking a bit level copy of the compromised hard drive, hashing both drives, hashes are
identical. Do forensics on the copy drive, hash after forensics is identical too.
D) Enticement

103. As a part of being a CISSP certified individual you promise to follow the (ISC)² code of
ethics. Which of these are part of that? (Select all that apply).

A) Prevent unauthorized use of internet resources.
B) Protect society, the common good, necessary public trust and confidence, and the
infrastructure.
C) Always act in accordance with the CISSP curriculum, regardless of your organization's
policies.
D) Provide diligent and competent service to principals.
E) Advance and protect the profession.

104. Which of these is automatically granted, you do NOT have to apply for it?

A) Trademark.
B) Patent.
C) Copyright.
D) Legal immunity.

105. Which of these would be a security concern we need to address in an acquisition?

A) Who gets the IT Infrastructure?
B) How do we ensure their security standards are high enough?
C) Security is part of the SLA.
D) All of these

106. Which of these is an example of a detective access control type?

A) Encryption.
B) Alarms
C) Backups.
D) Patches

107. In our risk analysis we are looking at the residual risk. What would that comprise?

A) Threat + vulnerability.
B) Threat * vulnerability.
C) Threat * vulnerability * asset value.
D) (threat * vulnerability * asset value) - countermeasures

108. In our risk analysis, we are looking at the risks, vulnerabilities, and threats. Which type of risk
analysis are we using?

A) Quadratic risk analysis.
B) Cumulative risk analysis.
C) Quantitative risk analysis.
D) Qualitative risk analysis

109. We are looking at our risk responses. We are choosing to ignore an identified risk. What
type of response would that be?

A) Risk transference.
B) Risk rejection.
C) Risk avoidance.
D) Risk mitigation.

110. In which type of an attack is the attacker sending hundreds of thousands of untargeted
emails?

A) Spear phishing.
B) Whale phishing.
C) Phishing.
D) Vishing

111. What is the PRIMARY focus of the PCI-DSS standard?

A) PHI.
B) Credit cards.
C) PII.
D) ITSM

112. Who can act in exigent circumstances?

A) Law enforcement.
B) Our IT security team.
C) Our legal team.
D) Lawyers.

113. When we are doing quantitative risk analysis, what does the Asset Value (AV) tell us?

A) How much something is worth.
B) How often that asset type is compromised per year.
C) What it will cost us per year if we do nothing.
D) How much of the asset is lost per incident?
114. At the quarterly leadership conference, you are talking about threats to our
environments, and one of the participants asks you to define what a threat is. Which of these
could be your answer?

A) How bad is it if we are compromised?
B) A potential harmful incident.
C) A weakness that can possibly be exploited.
D) The total risk after we have implemented our countermeasures.

115. When we design our defense in depth we use multiple overlapping controls. Which of
these is a type of preventative access control?

A) Encryption.
B) Backups.
C) Patches.
D) Intrusion detection systems.

116. Looking at the governance of our organization, we can use policies, standards,
procedures, or other frameworks. Which of these characteristics would BEST describe our
policies?

A) Non-specific, but can contain patches, updates, strong encryption.
B) Specific, all laptops are W10, 64 bit, 8GB memory, etc.
C) Low level step-by-step guides.
D) Recommendations

117. There are many different types of attacks on intellectual property. Which of these is a
COMMON type of attack on trademarks?

A) Software piracy.
B) There are none. This is security through obscurity. If discovered, anyone is allowed to use
it.
C) Counterfeiting.
D) Someone using your protected design in their products

118. When an attacker is using DDOS attacks, which leg of the CIA Triad is that meant to
disrupt?

A) Confidentiality.
B) Accountability.
C) Availability.
D) Integrity

119. We use different risk analysis approaches and tools in our risk assessments. In which type
of risk analysis would you see these terms? Exposure factor (EF), Asset Value (AV), and Annual
Rate of Occurrence (ARO)?
A) Quantitative
B) Qualitative.
C) Quadratic.
D) Residual.

120. Six months ago, we had an attacker trying to gain access to one of our servers. The attack
was not successful, and the authorities were able to find the attacker using our forensics. In
court, the attacker claims we used entrapment. Which of these options describes entrapment?

A) A solid legal defense strategy for the attacker; entrapment is illegal and unethical.
B) Not a solid legal defense strategy for the attacker.
C) Something we can do without consulting our legal department.
D) Legal and unethical.

121. The US HIPAA laws have 3 core rules. Which of these is NOT one of them?

A) Privacy rule.
B) Security rule.
C) Breach notification rule.
D) Encryption rule

122. Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation
of?

A) Health Information Portability and Authorization Act.
B) Health Insurrection Portability and Accountability Act.
C) Health Information Portability and Accountability Act.
D) Health Insurance Portability and Accountability Act

123. Jane has written a book on IT security. With books, copyright is automatically granted,
and Jane owns all the rights to her materials. How long are copyrighted materials protected after
the creator's death?

A) 20 years.
B) 70 years.
C) 95 years.
D) 10 years

124. Acting ethically is very important, especially for IT security professionals. If we look at the
IAB's "Ethics and the Internet," which of these behaviors does it NOT consider unethical?

A) Disrupts the intended use of the internet.
B) Seeks to gain unauthorized access to resources of the internet.
C) Compromises the privacy of users.
D) Having fake social media profiles and accounts
125. You have been tasked with looking at PURELY physical security controls for a new
implementation. Which of these would you consider using?

A) Regulations.
B) Dogs.
C) Biometric authentication.
D) Access lists
