1 As Gary decides what access permissions he should grant to each user, what principle should guide his decisions about default permissions?Separation of dutiesLeast privilegeAggregationSeparation of privileges

      2 As Gary designs the program, he uses the matrix shown here. What principle of information security does this matrix most directly help enforce?Segregation of dutiesAggregationTwo-person controlDefense in depth

      3 Lydia is processing access control requests for her organization. She comes across a request where the user does have the required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following?Need to knowLeast privilegeSeparation of dutiesTwo-person control

      4 Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee’s manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing?Least privilegeTwo-person controlJob rotationSeparation of duties

      5 Which of the following is not true about the (ISC)2 code of ethics?Adherence to the code is a condition of certification.Failure to comply with the code may result in revocation of certification.The code applies to all members of the information security profession.Members who observe a breach of the code are required to report the possible violation.

      6 Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing?Need to knowLeast privilegeTwo-person controlTransitive trust

      7 Connor’s company recently experienced a denial-of-service attack that Connor believes came from an inside source. If true, what type of event has the company experienced?EspionageConfidentiality breachSabotageIntegrity breach

      8 Which one of the following is not a canon of the (ISC)2 code of ethics?Protect society, the common good, necessary public trust and confidence, and the infrastructure.Promptly report security vulnerabilities to relevant authorities.Act honorably, honestly, justly, responsibly, and legally.Provide diligent and competent service to principals.

      9 When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following?Least privilegeSeparation of dutiesJob rotationSecurity through obscurity

      10 Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications?Security guidelinesSecurity policyBaseline configurationRunning configuration

      11 Tracy is preparing to apply a patch to her organization’s enterprise resource planning system. She is concerned that the patch may introduce flaws that did not exist in prior versions, so she plans to conduct a test that will compare previous responses to input with those produced by the newly patched application. What type of testing is Tracy planning?Unit testingAcceptance testingRegression testingVulnerability testing

      12 Which one of the following security practices suggests that an organization should deploy multiple, overlapping security controls to meet security objectives?Defense in depthSecurity through obscurityLeast privilegeSeparation of duties

      13 What technology asset management practice would an organization use to ensure that systems meet baseline security standards?Change managementPatch managementConfiguration managementIdentity management

      14 The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. How can Jack best ensure accountability for actions taken on systems in his environment?Review the logs and require digital signatures for each log.Require authentication for all actions taken and capture logs centrally.Log the use of administrative credentials and encrypt log data in transit.Require authorization and capture logs centrally.

      15 Veronica is responsible for her organization’s asset management program. During what stage of the process would she select the controls that will be used to protect assets from theft?Implementation/assessmentOperation/maintenanceInventory and licensingProcess, planning, design, and initiation

      16 Under what type of software license does the recipient of software have an unlimited right to copy, modify, distribute, or resell a software package?GNU Public LicenseFreewareOpen sourcePublic domain

      17 When an attacker called an organization’s help desk and persuaded them to reset a password due to the help desk employee’s trust and willingness to help, what type of attack succeeded?Trojan horseSocial engineeringPhishingWhaling