2022年ISC2 CISSP 英文考试参考题库（含答案）

PAGEPAGE1652022年ISC2CISSP英文考试参考题库（含答案）一、单选题1.

Tominimizethevulnerabilitiesofaweb-basedapplication,whichofthefollowingFIRSTactionswilllockdownthesystemandminimizetheriskofanattack?A、Applythelatestvendorpatchesandupdates.B、Runavulnerabilityscanner.C、Reviewaccesscontrols.D、Installanantivirusontheserver.答案：A2.

Asecurityprofessionalhasbeenassignedtoassessawebapplication.TheassessmentreportremendsswitchingtoSecurityAssertionMarkupLanguage(SAML).WhatisthePRIMARYsecuritybenefitinswitchingtoSAML?A、Itenablessinglesign-on(SSO)forwebapplications.B、ItusesTransportLayerSecurity(TLS)toaddressconfidentiality.C、Itlimitsunnecessarydataentryonwebforms.D、Theusers'passwordisnotpassedduringauthentication.答案：D3.

Whichofthefollowingisincludedinchangemanagement?A、Technicalreviewbybusinessowner.B、UserAcceptanceTesting(UAT)beforeimplementation.C、Cost-benefitanalysis(CBA)afterimplementation.D、Businesscontinuitytesting.答案：D4.

WhichofthefollowingBESTensurestheintegrityoftransactionstointendedrecipients?A、Publickeyinfrastructure(PKI).B、Blockchaintechnology.C、Pre-sharedkey(PSK).D、Weboftrust.答案：A5.

WhichofthefollowingmeasuresservesastheBESTmeansforprotectingdataonputers,smartphones,andexternalstoragedeviceswhentravelingtohigh-riskcountries?A、Reviewapplicabledestinationcountrylaws,forensicallycleandevicespriortotravel,andonlydownloadsensitivedataoveravirtualprivatenetwork(VPN)uponarrivingatthedestination.B、LeverageaSecureSocketLayer(SSL)connectionoveravirtualprivatenetwork(VPN)todownloadsensitivedatauponarrivingatthedestination.C、Keeplaptops,externalstoragedevices,andsmartphonesinthehotelroomwhennotinuse.D、Usemulti-factorauthentication(MFA)togainaccesstodatastoredonlaptopsorexternalstorage

Devicesandbiometricfingerprintaccesscontrolmechanismstounlocksmartphones.答案：D6.

Ahealthcareinsuranceorganizationchoseavendortodevelopasoftwareapplication.Uponreviewofthedraftcontract,theinformationsecurityprofessionalnoticesthatsoftwaresecurityisnotaddressed.WhatistheBESTapproachtoaddresstheissue?A、Updatethecontracttorequirethevendortoperformsecuritycodereviews.B、Updatetheservicelevelagreement(SLA)toprovidetheorganizationtherighttoauditthevendor.C、Updatethecontractsothatthevendorisobligatedtoprovidesecuritycapabilities.D、Updatetheservicelevelagreement(SLA)torequirethevendortoprovidesecuritycapabilities.答案：B7.

Anorganizationoutgrewitsinternaldatacenterandisevaluatingthird-partyhostingfacilities.Inthisevaluation,whichofthefollowingisaPRIMARYfactorforselection?A、Facilityprovidesanacceptablelevelofrisk.B、Facilityprovidesdisasterrecovery(DR)services.C、Facilityhasphysicalaccessprotectionmeasures.D、Facilityprovidesthemostcost-effectivesolution.答案：D8.

WhatdocumentationisproducedFIRSTwhenperforminganeffectivephysicallosscontrolprocess?A、Deterrentcontrolslist.B、Securitystandardslist.C、Assetvaluationlist.D、Inventorylist.答案：D9.

AChiefInformationOfficer(CIO)hasdelegatedresponsibilityoftheirsystemsecuritytotheheadoftheinformationtechnology(IT)department.WhilecorporatepolicydictatesthatonlytheCIOcanmakedecisionsonthelevelofdataprotectionrequired,technicalimplementationdecisionsaredonebytheheadoftheITdepartment.WhichofthefollowingBESTdescribesthesecurityrolefilledbytheheadoftheITdepartment?A、Systemsecurityofficer.B、Systemprocessor.C、Systemcustodian.D、Systemanalyst.答案：C10.

WhichofthefollowingwouldbetheBESTmitigationpracticeforman-in-the-middle(MITM)VoiceoverInternetProtocol(VoIP)attacks?A、UseSecureShell(SSH)protocol.B、UseFileTransferProtocol(FTP).C、UseTransportLayerSecurity(TLS)protocol.D、UseMediaGatewayControlProtocol(MGCP).答案：C11.

Whichofthefollowingwouldqualifyasanexceptiontothe"righttobeforgotten"oftheGeneralDataProtectionRegulation(GDPR)?A、Fortheestablishment,exercise,ordefenseoflegalclaims.B、Thepersonaldatahasbeenlawfullyprocessedandcollected.C、Forthereasonsofprivateinterest.D、Thepersonaldataremainsnecessarytothepurposeforwhichitwascollected.答案：A12.

Adatabaseserverforafinancialapplicationisscheduledforproductiondeployment.WhichofthefollowingcontrolswillBESTpreventtampering?A、Datasanitization.B、Datavalidation.C、Serviceaccountsremoval.D、Loggingandmonitoring.答案：B13.

WhatisthePRIMARYreasonforcriminallawbeingdifficulttoenforcewhendealingwithcybercrime?A、Jurisdictionishardtodefine.B、Lawenforcementagenciesareunderstaffed.C、Extraditiontreatiesarerarelyenforced.D、Numerouslanguagebarriersexist.答案：A14.

Ifthewideareanetwork(WAN)issupportingconvergedapplicationslikeVoiceoverInternetProtocol(VoIP),whichofthefollowingbeesevenMOREessentialtotheassuranceofthenetwork?A、Boundaryrouting.B、ClasslessInter-DomainRouting(CIDR).C、InternetProtocol(IP)routinglookups.D、Deterministicrouting.答案：C15.

Thequalityassurance(QA)departmentisshort-staffedandisunabletotestallmodulesbeforetheanticipatedreleasedateofanapplication.WhatsecuritycontrolisMOSTlikelytobeviolated?A、Changemanagement.B、Separationofenvironments.C、Programmanagement.D、Mobilecodecontrols.答案：A16.

Whichofthefollowingshouldbeincludedinagooddefense-in-depthstrategyprovidedbyobject-orientedprogrammingforsoftwaredevelopment?A、Polymorphism.B、Inheritance.C、Polyinstantiation.D、Encapsulation.答案：C17.

WhichofthefollowingistheBESTapproachtoimplementmultipleserversonavirtualsystem?A、Implementoneprimaryfunctionpervirtualserverandapplyindividualsecurityconfigurationforeachvirtualserver.B、Implementmultiplefunctionswithinthesamevirtualserverandapplyindividualsecurityconfigurationstoeachfunction.C、Implementoneprimaryfunctionpervirtualserverandapplyhighsecurityconfigurationonthehostoperatingsystem.D、Implementmultiplefunctionspervirtualserverandapplythesamesecurityconfigurationforeachvirtualserver.答案：A18.

UndertheGeneralDataProtectionRegulation(GDPR),whatisthemaximumamountoftimeallowedforreportingapersonaldatabreach?A、24hours.B、48hours.C、72hours.D、96hours.答案：C19.

Asoftwaredeveloperwishestowritecodethatwillexecutesafelyandonlyasintended.WhichofthefollowingprogramminglanguagetypesisMOSTlikelytoachievethisgoal?A、Weaklytyped.B、Dynamicallytyped.C、Stronglytyped.D、Staticallytyped.答案：C20.

Anorganizationwouldliketoensurethatallnewusershaveapredefineddepartmentalaccesstemplateapplieduponcreation.Theorganizationwouldalsolikeadditionalaccessforuserstobegrantedonaper-projectbasis.WhattypeofuseraccessadministrationisBESTsuitedtomeettheorganization'sneeds?A、Decentralized.B、Hybrid.C、Centralized.D、Federated.答案：B21.

Clothingretaileremployeesareprovisionedwithuseraccountsthatprovideaccesstoresourcesatpartnerbusinesses.Allpartnerbusinessesusemonidentityandaccessmanagement(IAM)protocolsanddifferingtechnologies.UndertheExtendedIdentityprinciple,whatistheprocessflowbetweenpartnerbusinessestoallowthisIAMaction?A、ClothingretaileractsasUserSelfService,confirmsidentityofuserusingindustrystandards,thensendscredentialstopartnerbusinessesthatactasaServiceProviderandallowsaccesstoservices.B、Clothingretaileractsasidentityprovider(IdP),confirmsidentityofuserusingindustrystandards,thensendscredentialstopartnerbusinessesthatactasaServiceProviderandallowsaccesstoservices.C、ClothingretaileractsasServiceProvider,confirmsidentityofuserusingindustrystandards,thensendscredentialstopartnerbusinessesthatactasanidentityprovider(IdP)andallowsaccessto

Resources.D、ClothingretaileractsasAccessControlProvider,confirmsaccessofuserusingindustrystandards,thensendscredentialstopartnerbusinessesthatactasaServiceProviderandallowsaccesstoresources.答案：B22.

Apanyneedstoprovidesharedaccessofsensitivedataonacloudstoragetoexternalbusinesspartners.WhichofthefollowingidentitymodelsistheBESTtoblindidentityproviders(IdP)andrelyingparties(RP)sothatsubscriberlistsofotherpartiesarenotdisclosed?A、Proxiedfederation.B、Dynamicregistration.C、Federationauthorities.D、Staticregistration.答案：A23.

Whichtechniquehelpssystemdesignersconsiderpotentialsecurityconcernsoftheirsystemsandapplications?A、Threatmodeling.B、Manualinspectionsandreviews.C、Sourcecodereview.D、Penetrationtesting.答案：A24.

Whichofthefollowingdepartmentsinitiatestherequest,approval,andprovisioningbusinessprocess?A、Operations.B、Security.C、Humanresources(HR).D、Informationtechnology(IT).答案：A25.

Anorganizationisconsideringpartneringwithathird-partysupplierofcloudservices.Theorganizationwillonlybeprovidingthedataandthethird-partysupplierwillbeprovidingthesecuritycontrols.WhichofthefollowingBESTdescribesthisserviceoffering?A、PlatformasaService(PaaS).B、AnythingasaService(XaaS).C、InfrastructureasaService(IaaS).D、SoftwareasaService(SaaS).答案：D26.

Whenconductingathird-partyriskassessmentofanewsupplier,whichofthefollowingreportsshouldbereviewedtoconfirmtheoperatingeffectivenessofthesecurity,availability,confidentiality,andprivacytrustprinciples?A、ServiceOrganizationControl(SOC)1,Type2.B、ServiceOrganizationControl(SOC)2,Type2.C、InternationalOrganizationforStandardization(ISO)27001.D、InternationalOrganizationforStandardization(ISO)27002.答案：B27.

Aninformationsecurityprofessionalisreviewinguseraccesscontrolsonacustomer-facingapplication.Theapplicationmusthavemulti-factorauthentication(MFA)inplace.Theapplicationcurrentlyrequiresausernameandpasswordtologin.WhichofthefollowingoptionswouldBESTimplementMFA?A、Geolocatetheuserandparetopreviouslogins.B、Requireapre-selectednumberaspartofthelogin.C、Havetheuseranswerasecretquestionthatisknowntothem.D、Enteranautomaticallygeneratednumberfromahardwaretoken.答案：D28.

Whichofthefollowingissecuritycontrolvolatility?A、Areferencetotheimpactofthesecuritycontrol.B、Areferencetothelikelihoodofchangeinthesecuritycontrol.C、Areferencetohowunpredictablethesecuritycontrolis.D、Areferencetothestabilityofthesecuritycontrol.答案：B29.

WhichofthefollowingoutsourcingagreementprovisionshastheHIGHESTpriorityfromasecurityoperationsperspective?A、Conditionstopreventtheuseofsubcontractors.B、Termsforcontractrenegotiationincaseofdisaster.C、Rootcauseanalysisforapplicationperformanceissue.D、Escalationprocessforproblemresolutionduringincidents.答案：D30.

WhataretheessentialelementsofaRiskAssessmentReport(RAR)?A、Executivesummary,bodyofthereport,andappendices.B、Executivesummary,graphofrisks,andprocess.C、Tableofcontents,testingcriteria,andindex.D、Tableofcontents,chapters,andexecutivesummary.答案：A31.

Auserisallowedtoaccessthefilelabeled"FinancialForecast,"butonlybetween9:00am.and5:00p.m.,MondaythroughFriday.Whichtypeofaccessmechanismshouldbeusedtoacplishthis?A、Minimumaccesscontrol.B、Limitedrole-basedaccesscontrol(RBAC).C、Accesscontrollist(ACL).D、Rule-basedaccesscontrol.答案：D32.

WhichofthefollowingistheBESTwaytoprotectanorganization'sdataassets?A、Encryptdataintransitandatrestusingup-to-datecryptographicalgorithms.B、Monitorandenforceadherencetosecuritypolicies.C、RequireMulti-FactorAuthentication(MFA)andSeparationofDuties(SoD).D、CreatetheDemilitarizedZone(DMZ)withproxies,firewallsandhardenedbastionhosts.答案：B33.

Buildingblocksforsoftware-definednetworks(SDN)requirewhichofthefollowing?A、TheSDNisposedentirelyofclient-serverpairs.B、Random-accessmemory(RAM)isusedinpreferencetovirtualmemory.C、TheSDNismostlyposedofvirtualmachines(VM).D、Virtualmemoryisusedinpreferencetorandom-accessmemory(RAM).答案：C34.

Asecurityprofessionalneedstofindasecureandefficientmethodofencryptingdataonanendpoint.Whichsolutionincludesarootkey?A、Bitlocker.B、TrustedPlatformModule(TPM).C、Virtualstoragearraynetwork(VSAN).D、Hardwaresecuritymodule(HSM).答案：B35.

WhichfactorsMUSTbeconsideredwhenclassifyinginformationandsupportingassetsforriskmanagement,legaldiscovery,andpliance?A、Systemownerrolesandresponsibilities,datahandlingstandards,storageandsecuredevelopmentlifecyclerequirements.B、plianceofficerolesandresponsibilities,classifiedmaterialhandlingstandards,storagesystemlifecyclerequirements.C、Datastewardshiproles,datahandlingandstoragestandards,datalifecyclerequirements.D、Systemauthorizationrolesandresponsibilities,cloudputingstandards,lifecyclerequirements.答案：A36.

WhatisthePRIMARYpurposeofcreatingandreportingmetricsforasecurityawareness,training,andeducationprogram?A、Measuretheeffectoftheprogramontheorganization'sworkforce.B、Makeallstakeholdersawareoftheprogram'sprogress.C、Facilitatesupervisionofperiodictrainingevents.D、plywithlegalregulationsanddocumentduediligenceinsecuritypractices.答案：A37.

Anorganizationhasdevelopedawayforcustomerstoshareinformationfromtheirwearabledeviceswitheachother.Unfortunately,theuserswerenotinformedastowhatinformationcollectedwouldbeshared.Whattechnicalcontrolsshouldbeputinplacetoremedytheprivacyissuewhilestilltryingtoacplishtheorganization'sbusinessgoals?A、Shareonlywhattheorganizationdecidesisbest.B、Stopsharingdatawiththeotherusers.C、Defaulttheusertonotshareanyinformation.D、Informtheuserofthesharingfeaturechangesafterimplemented.答案：C38.

WhichofthefollowingcontributesMOSTtotheeffectivenessofasecurityofficer?A、Developingpreciseandpracticalsecurityplans.B、Integratingsecurityintothebusinessstrategies.C、Understandingtheregulatoryenvironment.D、Analyzingthestrengthsandweaknessoftheorganization.答案：C39.

mercialoff-the-shelf(COTS)softwarepresentswhichofthefollowingadditionalsecurityconcerns?A、VendorstakeontheliabilityforCOTSsoftwarevulnerabilities.B、In-housedevelopedsoftwareisinherentlylesssecure.C、COTSsoftwareisinherentlylesssecure.D、ExploitsforCOTSsoftwarearewelldocumentedandpubliclyavailable.答案：D40.

Usingtheciphertextandresultantcleartextmessagetoderivethemonoalphabeticcipherkeyisanexampleofwhichmethodofcryptanalyticattack?A、Known-plaintextattack.B、Ciphertext-onlyattack.C、Frequencyanalysis.D、Probable-plaintextattack.答案：A41.

Acorporationdoesnothaveaformaldatadestructionpolicy.DuringwhichphaseofacriminallegalproceedingwillthishavetheMOSTimpact?A、Sentencing.B、Trial.C、Discovery.D、Arraignment.答案：C42.

WhatisthePRIMARYbenefitofincidentreportingandputercrimeinvestigations?A、plyingwithsecuritypolicy.B、Repairingthedamageandpreventingfutureoccurrences.C、Providingevidencetolawenforcement.D、Appointingaputeremergencyresponseteam.答案：C43.

Whenreviewingvendorcertificationsforhandlingandprocessingofpanydata,whichofthefollowingistheBESTServiceOrganizationControls(SOC)certificationforthevendortopossess?A、SOC1Type1B、SOC2Type1C、SOC2Type2D、SOC3答案：C44.

WhichWideAreaNetwork(WAN)technologyrequiresthefirstrouterinthepathtodeterminethefullpaththepacketwilltravel,removingtheneedforotherroutersinthepathtomakeindependentdeterminations?A、SynchronousOpticalNetworking(SONET).B、MultiprotocolLabelSwitching(MPLS).C、FiberChannelOverEthernet(FCoE).D、SessionInitiationProtocol(SIP).答案：B45.

Asubscriptionservicewhichprovidespower,climatecontrol,raisedflooring,andtelephonewiringbutNOTtheputerandperipheralequipmentisBESTdescribedasa:A、coldsite.B、warmsite.C、hotsite.D、reciprocalsite.答案：A46.

Aninformationsecurityadministratorwishestoblockpeer-to-peer(P2P)trafficoverHypertextTransferProtocol(HTTP)tunnels.WhichofthefollowinglayersoftheOpenSystemsInterconnection(OSI)modelrequiresinspection?A、Application.B、Transport.C、Session.D、Presentation.答案：A47.

WhenconfiguringExtensibleAuthenticationProtocol(EAP)inaVoiceoverInternetProtocol(VoIP)network,whichofthefollowingauthenticationtypesistheMOSTsecure?A、EAP-ProtectedExtensibleAuthenticationProtocol(PEAP).B、EAP-TransportLayerSecurity(TLS).C、EAP-TunneledTransportLayerSecurity(TLS).D、EAP-FlexibleAuthenticationviaSecureTunneling.答案：B48.

Asecurityengineerisrequiredtointegratesecurityintoasoftwareprojectthatisimplementedbysmallgroupsthatquickly,continuously,andindependentlydevelop,test,anddeploycodetothecloud.TheengineerwillMOSTlikelyintegratewithwhichsoftwaredevelopmentprocess?A、DevopsIntegratedProductTeam(IPT).B、StructuredWaterfallProgrammingDevelopment.C、Service-orientedarchitecture(SOA).D、SpiralMethodology.答案：D49.

Ahospital'sbuildingcontrolssystemmonitorsandoperatestheenvironmentalequipmenttomaintainasafeandfortableenvironment.Whichofthefollowingcouldbeusedtominimizetheriskofutilitysupplyinterruption?A、Digitalprotectionandcontroldevicescapableofminimizingtheadverseimpacttocriticalutility.B、Standardizedbuildingcontrolssystemsoftwarewithhighconnectivitytohospitalnetworks.C、Lockoutmaintenancepersonnelfromthebuildingcontrolssystemaccessthatcanimpactcriticalutilitysupplies.D、Digitaldevicesthatcanturnequipmentoffandcontinuouslycyclerapidlyinordertoincreasesuppliesandconcealactivityonthehospitalnetwork.答案：A50.

Whichsectionoftheassessmentreportaddressesseparatevulnerabilities,weaknesses,andgaps?A、Findingsdefinitionsection.B、Riskreviewsection.C、Executivesummarywithfulldetails.D、Keyfindingssection.答案：B51.

Whichofthefollowingtechniquesevaluatesthesecuredesignprinciplesofnetworkorsoftwarearchitectures?A、Riskmodeling.B、Waterfallmethod.C、Threatmodeling.D、Fuzzing.答案：C52.

WhichofthefollowingBESTdescribesthepurposeofthereferencemonitorwhendefiningaccesscontroltoenforcethesecuritymodel?A、Strongoperationalsecuritytokeepunitmemberssafe.B、Policiestovalidateorganizationrules.C、Cyberhygienetoensureorganizationscankeepsystemshealthy.D、Qualitydesignprinciplestoensurequalitybydesign.答案：B53.

Informationsecuritypractitionersareinthemidstofimplementinganewfirewall.WhichofthefollowingfailuremethodswouldBESTprioritizesecurityintheeventoffailure?A、Failover.B、Fail-Closed.C、Fail-Safe.D、Fail-Open.答案：B54.

Beforeallowingawebapplicationintotheproductionenvironment,thesecuritypractitionerperformsmultipletypesofteststoconfirmthatthewebapplicationperformsasexpected.Totesttheusernamefield,thesecuritypractitionercreatesatestthatentersmorecharactersintothefieldthanisallowed.WhichofthefollowingBESTdescribesthetypeoftestperformed?A、Misusecasetesting.B、Interfacetesting.C、Websessiontesting.D、Penetrationtesting.答案：A55.

Whatprocessfacilitatesthebalanceofoperationalandeconomiccostsofprotectivemeasureswithgainsinmissioncapability?A、Performancetesting.B、Riskassessment.C、Securityaudit.D、Riskmanagement.答案：D56.

WhichofthefollowingBESTdescribesthepurposeofBorderGatewayProtocol(BGP)?A、ProvideRoutingInformationProtocol(RIP)version2advertisementstoneighboringlayer3devices.B、Maintainalistofnetworkpathsbetweeninternetrouters.C、Providefirewallservicestocloud-enabledapplications.D、Maintainalistofefficientnetworkpathsbetweenautonomoussystems.答案：D57.

WhatistheMOSTeffectivemethodtoenhancesecurityofasinglesign-on(SSO)solutionthatinterfaceswithcriticalsystems?A、Two-factorauthentication.B、Reusabletokensforapplicationlevelauthentication.C、Highperformanceencryptionalgorithms.D、SecureSocketsLayer(SSL)forallmunications.答案：A58.

Adeveloperiscreatinganapplicationthatrequiressecureloggingofalluseractivity.WhatistheBESTpermissionthedevelopershouldassigntothelogfiletoensurerequirementsaremet?A、Execute.B、Read.C、Write.D、Append.答案：D59.

WhatHypertextTransferProtocol(HTTP)responseheadercanbeusedtodisabletheexecutionofinlineJavaScriptandtheexecutionofeval()-typefunctions?A、X-XSS-Protection.B、Content-Security-Policy.C、X-Frame-Options.D、Strict-Transport-Security.答案：B60.

Afirmwithinthedefenseindustryhasbeendirectedtoplywithcontractualrequirementsforencryptionofagovernmentclient'sControlledUnclassifiedInformation(CUI).WhatencryptionstrategyrepresentshowtoprotectdataatrestintheMOSTefficientandcost-effectivemanner?A、Performlogicalseparationofprograminformation,usingvirtualizedstoragesolutionswithencryptionmanagementintheback-enddisksystems.B、Performlogicalseparationofprograminformation,usingvirtualizedstoragesolutionswithbuilt-inencryptionatthevirtualizationlayer.C、Performphysicalseparationofprograminformationandencryptonlyinformationdeemedcritical

Bythedefenseclient.D、Implementdataatrestencryptionacrosstheentirestorageareanetwork(SAN).答案：D61.

WhichofthefollowingistheBESToptiontoreducethenetworkattacksurfaceofasystem?A、Disablingunnecessaryportsandservices.B、Ensuringthattherearenogroupaccountsonthesystem.C、Uninstallingdefaultsoftwareonthesystem.D、Removingunnecessarysystemuseraccounts.答案：A62.

Inaquarterlysystemaccessreview,anactiveprivilegedaccountwasdiscoveredthatdidnotexistinthepriorreviewontheproductionsystem.Theaccountwascreatedonehourafterthepreviousaccessreview.WhichofthefollowingistheBESToptiontoreduceoverallriskinadditiontoquarterlyaccessreviews?A、Implementbi-annualreviews.B、Createpoliciesforsystemaccess.C、Implementandreviewrisk-basedalerts.D、Increaselogginglevels.答案：B63.

SecuritySoftwareDevelopmentLifeCycle(SDLC)expectsapplicationcodetobewritteninaconsistentmannertoalloweaseofauditingandwhichofthefollowing?A、Protecting.B、Copying.C、Enhancing.D、Executing.答案：A64.

WhichofthefollowingdescribestheBESTmethodofmaintainingtheinventoryofsoftwareandhardwarewithintheorganization?A、Maintainingtheinventorythroughabinationofassetownerinterviews,open-sourcesystemmanagement,andopen-sourcemanagementtools.B、Maintainingtheinventorythroughabinationofdesktopconfiguration,administrationmanagement,andprocurementmanagementtools.C、Maintainingtheinventorythroughabinationofonpremisestorageconfiguration,cloudmanagement,andpartnermanagementtools.D、Maintainingtheinventorythroughabinationofsystemconfiguration,networkmanagement,andlicensemanagementtools.答案：D65.

WhichofthefollowingistheMOSTsignificantkeymanagementproblemduetothenumberofkeyscreated?A、Exponentialgrowthwhenusingsymmetrickeys.B、Exponentialgrowthwhenusingasymmetrickeys.C、Storageofthekeysrequireincreasedsecurity.D、Keysaremoredifficulttoprovisionandrevoke.答案：A66.

AsecurityprofessionalhasreviewedarecentsiteassessmentandhasnotedthataserverroomonthesecondfloorofabuildinghasHeating,Ventilation,andAirConditioning(HVAC)intakesonthegroundlevelthathaveultravioletlightfiltersinstalled,Aero-KFiresuppressionintheserverroom,andpre-actionfiresuppressiononfloorsabovetheserverroom.Whichofthefollowingchangescanthesecurityprofessionalremendtoreduceriskassociatedwiththeseconditions?A、RemovetheultravioletlightfiltersontheHVACintakeandreplacethefiresuppressionsystemontheupperfloorswithadrysystem.B、ElevatetheHVACintakebyconstructingaplenumorexternalshaftoveritandconverttheserverroomfiresuppressiontoapre-actionsystem.C、AddadditionalultravioletlightfilterstotheHVACintakesupplyandreturnductsandchangeserverroomfiresuppressiontoFM-200D、ApplyadditionalphysicalsecurityaroundtheHVACintakesandupdateupperfloorfiresuppressiontoFM-200答案：A67.

WhatistheFIRSTstepinreducingtheexposureofanetworktoInternetControlMessageProtocol(ICMP)basedattacks?A、Implementnetworkaccesscontrollists(ACL).B、Implementanintrusionpreventionsystem(IPS).C、Implementawebapplicationfirewall(WAF).D、Implementegressfilteringattheorganization'snetworkboundary.答案：A68.

Acloudserviceproviderrequiresitscustomerorganizationstoenablemaximumauditloggingforitsdatastorageserviceandtoretainthelogsfortheperiodofthreemonths.Theauditlogginggenehasextremelyhighamountoflogs.WhatistheMOSTappropriatestrategyforthelogretention?A、Keepalllogsinanonlinestorage.B、Keeplastweek'slogsinanonlinestorageandtherestinanofflinestorage.C、Keeplastweek'slogsinanonlinestorageandtherestinanear-linestorage.D、Keepalllogsinanofflinestorage.答案：B69.

WhichofthefollowinggoalsrepresentsamodernshiftinriskmanagementaccordingtoNationalInstituteofStandardsandTechnology(NIST)?A、Provideanimprovedmissionacplishmentapproach.B、Focusonoperatingenvironmentsthatarechanging,evolving,andfullofemergingthreats.C、Enablemanagementtomakewell-informedrisk-baseddecisionsjustifyingsecurityexpenditure.D、Secureinformationtechnology(IT)systemsthatstore,mass,ortransmitorganizationalinformation.答案：B70.

WhyisitimportantthatseniormanagementclearlymunicatestheformalMaximumTolerableDowntime(MTD)decision?A、Toprovideeachmanagerwithprecisedirectiononselectinganappropriaterecoveryalternative.B、Todemonstratetotheboardofdirectorsthatseniormanagementismittedtocontinuity

Recoveryefforts.C、Toprovideaformaldeclarationfromseniormanagementasrequiredbyinternalaudittodemonstratesoundbusinesspractices.D、Todemonstratetotheregulatorybodiesthatthepanytakesbusinesscontinuityseriously.答案：A71.

WhichofthefollowingmethodsprovidestheMOSTprotectionforusercredentials?A、Forms-basedauthentication.B、Self-registration.C、Basicauthentication.D、Digestauthentication.答案：D72.

Employeetraining,riskmanagement,anddatahandlingproceduresandpoliciescouldbecharacterizedaswhichtypeofsecuritymeasure?A、Preventative.B、Management.C、Non-essential.D、Administrative.答案：D73.

Ahospitalhasallowedvirtualprivatenetworking(VPN)accesstoremotedatabasedevelopers.Uponauditingtheinternalconfiguration,thenetworkadministratordiscoveredthatsplit-tunnelingwasenabled.Whatistheconcernwiththisconfiguration?A、Thenetworkintrusiondetectionsystem(NIDS)willfailtoinspectSecureSocketsLayer(SSL)traffic.B、Remotesessionswillnotrequiremulti-layerauthentication.C、Remoteclientsarepermittedtoexchangetrafficwiththepublicandprivatenetwork.D、MultipleInternetProtocolSecurity(IPSec)tunnelsmaybeexploitableinspecificcircumstances.答案：C74.

Whichofthefollowingattacktypescanbeusedtopromisetheintegrityofdataduringtransmission?A、Synchronizationflooding.B、Sessionhijacking.C、Keylogging.D、Packetsniffing.答案：B75.

ASimplePowerAnalysis(SPA)attackagainstadevicedirectlyobserveswhichofthefollowing?A、Magnetism.B、Generation.C、Consumption.D、Staticdischarge.答案：C76.WhatisthebenefitofusingNetworkAdmissionControl(NAC)?A、NAConlysupportsWindowsoperatingsystems(OS).B、NACsupportsvalidationoftheendpoint'ssecurityposturepriortoallowingthesessiontogointoanauthorizedstate.C、NACcanrequiretheuseofcertificates,passwords,orabinationofbothbeforeallowingnetworkadmission.D、Operatingsystem(OS)versionscanbevalidatedpriortoallowingnetworkaccess.答案：B77.

WhichofthefollowingisMOSTappropriatetocollectevidenceofazero-dayattack?A、Honeypot.B、Antispam.C、Antivirus.D、Firewall.答案：A78.

Theacquisitionofpersonaldatabeingobtainedbyalawfulandfairmeansisanexampleofwhatprinciple?A、CollectionLimitationPrinciple.B、OpennessPrinciple.C、PurposeSpecificationPrinciple.D、DataQualityPrinciple.答案：A79.

InwhichprocessMUSTsecuritybeconsideredduringtheacquisitionofnewsoftware?A、Requestforproposal(RFP).B、Implementation.C、Vendorselection.D、Contractnegotiation.答案：A80.

WhichsecurityauditstandardprovidestheBESTwayforanorganizationtounderstandavendor'sInformationSystems(IS)inrelationtoconfidentiality,integrity,andavailability?A、ServiceOrganizationControl(SOC)2.B、StatementonStandardsforAttestationEngagements(SSAE)18.C、StatementonAuditingStandards(SAS)70.D、ServiceOrganizationControl(SOC)1.答案：A81.

Thesecurityoperationscenter(SOC)hasreceivedcredibleintelligencethatathreatactorisplanningtoattackwithmultiplevariantsofadestructivevirus.Afterobtainingasamplesetofthisvirus'variantsandreverseengineeringthemtounderstandhowtheywork,amonalitywasfound.Allvariantsarecodedtowritetoaspecificmemorylocation.Itisdeterminedthisvirusisofnothreattotheorganizationbecausetheyhadtheforesighttoenablewhatfeatureonallendpoints?A、AddressSpaceLayoutRandomization(ASLR).B、TrustedPlatformModule(TPM).C、Virtualization.D、Processisolation.答案：A82.

WhatistheMOSTimportantcriterionthatneedstobeadheredtoduringthedatacollectionprocessofanactiveinvestigation?A、Maintainingthechainofcustody.B、Capturinganimageofthesystem.C、Outliningallactionstakenduringtheinvestigation.D、plyingwiththeorganization'ssecuritypolicy.答案：A83.

Ascanreportreturnedmultiplevulnerabilitiesaffectingseveralproductionserversthataremissioncritical.Attemptstoapplythepatchesinthedevelopmentenvironmenthavecausedtheserverstocrash.WhatistheBESTcourseofaction?A、Mitigatetheriskswithpensatingcontrols.B、Upgradethesoftwareaffectedbythevulnerability.C、Removetheaffectedsoftwarefromtheservers.D、Informmanagementofpossiblerisks.答案：A84.

Afinancialorgani