1 Jasper would like to establish a governing body for the organization’s change management efforts. What individual or group within an organization is typically responsible for reviewing the impact of proposed changes?Chief information officerSenior leadership teamChange control boardSoftware developer

      2 During what phase of the change management process does the organization conduct peer review of the change for accuracy and completeness?RecordingAnalysis/Impact AssessmentApprovalDecision Making and Prioritization

      3 Who should the organization appoint to manage the policies and procedures surrounding change management?Project managerChange managerSystem security officerArchitect

      4 Which one of the following elements is not a crucial component of a change request?Description of the changeImplementation planBackout planIncident response plan

      5 Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?AuthenticationAuthorizationIntegrityNonrepudiation

      6 What principle of information security states that an organization should implement overlapping security controls whenever possible?Least privilegeSeparation of dutiesDefense in depthSecurity through obscurity

      7 Which one of the following is not a goal of a formal change management program?Implement change in an orderly fashion.Test changes prior to implementation.Provide rollback plans for changes.Inform stakeholders of changes after they occur.

      8 Ben is assessing the compliance of his organization with credit card security requirements. He finds payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?Purchasing insuranceEncrypting the database contentsRemoving the dataObjecting to the exception

      9 You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?IntegrityDenialAvailabilityConfidentiality

      10 Which one of the following is the first step in developing an organization’s vital records program?Identifying vital recordsLocating vital recordsArchiving vital recordsPreserving vital records

      11 Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?AwarenessTrainingEducationIndoctrination

      12 Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?TrainingEducationIndoctrinationAwareness

      13 Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?ErasingClearingSanitizationDestruction

      14 What term is used to describe a set of common security configurations, often provided by a third party?Security policyBaselineDSSNIST SP 800-53

      15 Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information?Information classificationRemanenceTransmitting dataClearing

      16 Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?Source: NIST SP 800-88Destroy, validate, documentClear, purge, documentPurge, document, validatePurge, validate, document

      17 Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?It applies in all circumstances, allowing consistent security controls.They are approved by industry standards bodies, preventing liability.They provide a good starting point that can be tailored to organizational needs.They ensure that systems are always in a secure state.

      18 Retaining and maintaining information for as long as it is needed is known as what?Data storage policyData storageAsset maintenanceRecord retention

      19 Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it?Image reprinted from CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.IncipientSmokeFlameHeat

      20 What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water?Wet pipeDry pipeDelugePreaction

      21 Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs?CCTVIPSTurnstilesFaraday cages

      22 Referring to the figure shown here, what is the name of the security control indicated by the arrow?Image reprinted from CISSP (ISC) 2 Certified Information Systems Security Professional Official Study Guide, 7th Edition © John Wiley & Sons 2015, reprinted with permission.MantrapTurnstileIntrusion prevention systemPortal

      23 Which one of the following does not describe a standard physical security requirement for wiring closets?Place only in areas monitored by security guards.Do not store flammable items in the closet.Use sensors on doors to log entries.Perform regular inspections of the closet.

      24 Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks?FirewallIntrusion detection systemParameter checkingVulnerability scanning

      25 Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door?MantrapElectric lockMagnetic lockTurnstile

      26 Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this?Smart cardProximity cardMagnetic stripe cardPhase three card

      27 Which one of the following facilities would have the highest level of physical security requirements?Data centerNetwork closetSCIFCubicle work areas

      28 Glenda is investigating a potential privacy violation within her organization. The organization notified users that it was collecting data for product research that would last for six months and then disposed of the data at the end of that period. During the time that they had the data, they also used it to target a marketing campaign. Which principle of data privacy was most directly violated?Data minimizationAccuracyStorage limitationsPurpose limitations

      29 What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?CorrectiveLogicalCompensatingAdministrative

      30 Match each of the numbered security controls listed with exactly one of the lettered categories shown. Choose the category that best describes each control. You may use each control category once, more than once, or not at all.ControlsPasswordAccount reviewsBadge readersMFAIDPCategoriesAdministrativeTechnicalPhysical

      31 Which of the following access control categories would not include a door lock?PhysicalCorrectivePreventativeDeterrent