Cissp Q1

Uploaded by mouhamad.omar

If total device encryption is not possible, what MUST a security professional do to protect the data on a mobile device?

O Encrypt sensitive information.
O Utilize Two Factor Authentication (2FA).
O Distribute Bring Your Own Device (BYOD) policy.
O Utilize biometric authentication.

Which of the following roles is BEST to decide the data classification under which that data is categorized?

O The Data Manager
O The Data User
O The Data Owner
O The Data Custodian

Which of the following BEST describes the basic components of an information security program policy document?

O Purpose, scope, responsibilities, compliance
O Confidentiality, integrity, availability, auditability
O Access control, virus protection, accountability, security awareness
O Plan, design, implementation, management

A user from one organization wants to access an application in a separate organization with an established trust relationship, utilizing one set of credentials. Which of the following would allow the user this capability?

O Single Sign-On (SSO)
O Virtual directories
O Authenticated Identity Management (IdM)
O Federated Identity Management (FIM)

The Security Operations Center (SOC) is implementing a new password protection mechanism and has decided on a non-deprecated technology that uses a one-way function. Which of the following meets the SOC's requirements?

O Advanced Encryption Standard (AES)
O Secure Hash Algorithm (SHA) 1
O Elliptic Curve Cryptography (ECC)
O Secure Hash Algorithm (SHA) 2

An organization is establishing an asset compliance program and needs to identify any outdated Operating Systems (OS) on the network. Which of the following is the BEST methodology to implement?

O Log analysis
O Risk analysis
O Penetration testing
O Vulnerability scanning

From a security perspective, which of the following assumptions MUST be made about input to an application?

O It is verified.
O It is logged.
O It is tested.
O It is untrusted.

Which of the following is the BEST method of destroying data in order to render the media unusable for future applications?

O Shredding
O Sanitization
O Deletion
O Degaussing

What is essential when developing access control policies and procedures?

O Legacy and lifecycle requirements
O Administration and availability requirements
O Platform technologies and quantitative value
O Sensitivity and criticality

Which of the following describes a benefit of implementing a Content Delivery Network (CDN)?

O It can be used to host content in locations closer to the end user to reduce latency.
O The network locations are connected by low bandwidth links, which reduces the cost to implement it.
O It can be used to stream media when an organization has no need for geographic restrictions.
O The infrastructure is leveraged with other application servers, which decreases the risk of downtime.

Which of the following defines the technologies and protocols that allow credentials to be used across multiple security domains?

O OpenID
O Security Assertion Markup Language (SAML)
O Multi-Factor Authentication (MFA)
O Federated Identity Management (FIM)

Which of the following describes a required dependency found in polyinstantiation?

O A relation contains multiple rows with the same primary key.
O A primary key is associated with a single relation and a single row.
O A single primary key is associated with a single row.
O A row is associated with multiple primary keys and a single relation.

Which of the following techniques is MOST effective for detecting a possible account compromise?

O Logging and reviewing account activity against a baseline
O Logging and reviewing only unsuccessful account activity
O Logging and reviewing all account activity
O Logging and reviewing all account activity after business hours

Which of the following is the BEST way to identify false positives in a security audit?

O Manual analysis
O Automated analysis
O Root cause analysis
O Tool-based analysis

After a contract is in place for a software acquisition, which of the following can the organization do to MINIMIZE the risks of the acquired software?

O Mitigate software risks through terms and conditions.
O Develop software requirements.
O Finalize evaluation criteria.
O Implement change control procedures.

While searching for malicious internet traffic, a proxy engineer has difficulty scanning Hypertext Transfer Protocol Secure (HTTPS) communication due to the encryption. How can the engineer BEST solve this problem?

O Use Secure Sockets Layer (SSL) inspection
O Redirect traffic using host files
O Use Network Address Translation (NAT)
O Install a virtual proxy

A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor pays more money for functioning drives than for equipment that is no longer operational. Which method of data sanitization would provide the most secure means of preventing unauthorized data loss, while also receiving the most money from the vendor?

O Pinning
O Degaussing
O Single-pass wipe
O Multi-pass wipes

Which of the following is MOST important when onboarding a new employee?

O Ensure the new employee completes an extensive security awareness training exercise.
O Require that the new employee review all corporate security policies and procedures immediately.
O Ensure the new employee understands the importance of security and their role in security within the organization.
O Require that the new employee immediately use Two Factor Authentication (2FA).

What component BEST describes an effective endpoint security strategy for an enterprise?

O Centralized administration of endpoints
O Antivirus software on endpoints
O Endpoint Detection and Response (EDR)
O Data Loss Prevention (DLP) on endpoints

Which of the following is a covert channel type?

O Monitoring
O Storage
O Memory
O Pipe

After a recent failure to deliver an order fulfillment goal, the Chief Information Officer (CIO) has been asked to implement new Key Performance Indicators (KPI) and Key Risk Indicators (KRI). Which of the following is a KRI?

O Customer complaint increase for credit card information loss
O Supplier agreement effectiveness in ordered systems
O On-time delivery of suppliers
O Service quality of suppliers

What type of attributes does the Attribute Based Access Control (ABAC) model use to evaluate access rules?

O Attributes related to the user's role in the organization
O Attributes related to assets the user needs to access
O Attributes relevant to entities, operations, and environment
O Attributes relevant to the user's position in the organization

An organization was recently compromised, and the Chief Information Officer (CIO) has ordered an independent review of the root cause. A third-party evaluation determined administrative credentials were compromised through a man-in-the-middle (MITM) attack. The CIO is now requiring all internal communication channels be encrypted. What is the BEST encryption method to prevent MITM attacks?

O Secure Sockets Layer (SSL)
O Triple Data Encryption Algorithm (3DES)
O Advanced Encryption Standard (AES)
O Transport Layer Security (TLS)

Which of the following risks could occur with an external enterprise patch management tool?

O The tool could provide a percentage of vulnerable hosts to a third party
O Patches can be verified for use by external testing
O Patch integrity can be maintained throughout the upgrade process
O An entity could monitor tool communications to identify vulnerabilities

An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?

O Session testing
O Reasonable data
O Allowed number of characters
O Population of required fields

The acquisition of personal data by lawful and fair means is an example of what principle?

O Data Quality Principle
O Openness Principle
O Purpose Specification Principle
O Collection Limitation Principle

What is the PRIMARY purpose of a records retention program?

O Provide a reference for future records development.
O Satisfy compliance requirements for the appropriate region.
O Assist forensic investigations.
O Protect the availability of information.

An online shopping organization is reviewing their corporate security policies. During the review it is noticed that administrative user accounts are only required to be reviewed every year. Which is the BEST reason why this policy should be changed?

O International Organization for Standardization (ISO) 27001's best practice is to review administrative accounts every six months.
O The current policy is compliant with Sarbanes-Oxley (SOX) and does not need to be changed.
O The Center for Internet Security (CIS) top 20's best practice is to review administrative accounts every six months.
O Payment Card Industry Data Security Standard (PCI-DSS) states that

Which of the following should be included in a good defense-in-depth strategy provided by object-oriented programming for software development?

O Inheritance
O Encapsulation
O Polymorphism
O Polyinstantiation
