1.

All of the following are domains of the CBK except: A) Relational Database Security B) Access Control Systems and Methodology C) Law, Investigations, and Ethics D) Security Management Practices. Points Earned: 1.0/1.0 Correct Answer(s): A 2. Layered security is also referred to as: A) None of the above. B) Multi-system security C) Denial of service D) Defense in depth Points Earned: 1.0/1.0 Correct Answer(s): D 3. Synonyms for confidentiality include all of the following except: A) secrecy B) integrity C) discretion D) privacy Points Earned: 1.0/1.0 Correct Answer(s): B 4. Intellectual property law includes all of the following categories except: A) Trade secrets B) Patent law C) Copyright law D) Probate administration Points Earned: 1.0/1.0 Correct Answer(s): D 5. Which of the following are topics of the Physical Security domain? Select all co rrect answers. A) Electrical power issues and solutions B) Backup options and technologies. C) Physical vulnerabilities and threats D) Physical intrusion detection system Points Earned: 3.0/3.0 Correct Answer(s): D, A, C 6. The BCP describes all of the following except: A) Personnel B) Defined policies C) Procedures D) Critical processes Points Earned: 1.0/1.0 Correct Answer(s): B

7. The Common Body of Knowledge with ____________ domains is the framework of the i nformation security field. A) 15 B) 11 C) 10 D) 20 E) 16 F) 6 G) 5 Points Earned: 1.0/1.0 Correct Answer(s): C 8. Which of the following options would not be considered in a disaster recovery pl an or business continuity plan? A) Service bureaus for fast response B) Multiple centers to spread processing across sites C) Mobile units provided by a third party D) New business Points Earned: 1.0/1.0 Correct Answer(s): D 9. The factors used to determine degree of risk include: A) None of the above. B) Determining the consequence of loss C) Both of the above D) Determining the likelihood that loss will occur Points Earned: 1.0/1.0 Correct Answer(s): C 10. An organization's security posture is defined and documented in ____________ tha t must exist before any computers are installed. Select all that are correct! A) sales projections B) None of the others are correct C) guidelines D) procedures E) standards Points Earned: 3.0/3.0 Correct Answer(s): E, C, D 11. The model for a system security policy does NOT include: A) Policy implementation B) Operational security C) Management structure D) Security objectives Points Earned: 1.0/1.0 Correct Answer(s): C 12. The Application Development Security domain includes all of the following topics

except: A) ActiveX and Java. B) Database security C) Types of malware D) Domain name service Points Earned: 1.0/1.0 Correct Answer(s): D 13. Which major category of computer crimes involves criminals and intelligence agen ts illegally obtaining classified information? A) Joy ridders B) Financial attacks C) Business attacks D) Military and intelligence attacks Points Earned: 1.0/1.0 Correct Answer(s): D 14. The criteria used to rate the effectiveness of trusted systems is set forth in: A) None of the others B) TCSEC C) CTCPEC D) ITSEC Points Earned: 1.0/1.0 Correct Answer(s): B 15. Which of the following statements about Principle 4 is false? A) In exchange for worthless goods, people tend to give up credentials. B) It is easy to fool people into spreading viruses. C) Today's virus writers are not very sophisticated. D) The organizers of Infosecurity Europe 2003 found that 75% of survey responden ts revealed information immediately. Points Earned: 1.0/1.0 Correct Answer(s): C 16. The BIA prioritizes systems for recovery and ____________ are at the top of the list. A) Mission-required systems B) Less critical systems C) Nice to have systems D) Mission-critical systems Points Earned: 1.0/1.0 Correct Answer(s): D 17. IS principle 5 states that security depends on these requirements: A) Availability and integrity B) Functional and assurance C) Usability and interface. D) Verification and validation Points Earned: 1.0/1.0 Correct Answer(s): B

18. Step-by-step directions to execute a specific security activity is referred to a s a: A) Procedure B) Guideline C) Standard D) Regulation Points Earned: 1.0/1.0 Correct Answer(s): A 19. When defining the trusted computing base, a reference monitor should be all of t he following except: A) Verifiable and cannot be circumvented B) Complete in that it mediates all access C) Isolated from modification D) Changeable by other system entities Points Earned: 1.0/1.0 Correct Answer(s): D 20. Which design objective prevents data leakage and modification of the data while it is in memory? A) Data hiding B) Abstraction C) Layering D) Process isolation Points Earned: 1.0/1.0 Correct Answer(s): D 21. A(n) ____________ policy focuses on policy issues that management decided for a specific system. A) Programme-framework B) Issue-specific C) System-specific D) Programme-level Points Earned: 0.0/1.0 Correct Answer(s): C 22. The type of computer crime where radio frequency signals from wireless computers are intercepted is: A) Spoofing IP addresses B) Dumpster diving C) Emanation eavesdropping D) Social engineering B. Points Earned: 1.0/1.0 Correct Answer(s): C 23. The Cryptography domain includes all of the following topics except: A) Block and stream ciphers

B) IPSec, SSL, and PGP C) Public key infrastructure components. D) TCI/IP suite Points Earned: 1.0/1.0 Correct Answer(s): D 24. Electronic crime includes identity theft, forgery, and pirated bank accounts. A) True B) False Points Earned: 1.0/1.0 Correct Answer(s): A 25. Avoid phishing, ID theft, and monetary loss by taking all of the following steps except: A) Recognize the signs of fraud B) Follow advice of financial services provider C) Not Keeping virus software current. D) Ignore links embedded in e-mail messages Points Earned: 1.0/1.0 Correct Answer(s): C 26. Which of the following uses a specific OS and lacks a standard interface to conn ect to other systems? A) Open system B) Closed system C) Finite-state machine D) None of the above Points Earned: 1.0/1.0 Correct Answer(s): B 27. Operational procedures and tools familiar to IT specialists are covered in the M aster Security domain. A) True B) False Points Earned: 1.0/1.0 Correct Answer(s): B 28. Security professionals activities include all of the following except: A) Eradicating the problem B) Naming the virus C) Repairing the damage D) Finding the source of the problem Points Earned: 1.0/1.0 Correct Answer(s): B 29. Which of the following is used to extract identifying information from a nave or gullible user? A) Phishing

B) None of the above C) Cyberstalking D) Both of the above Points Earned: 1.0/1.0 Correct Answer(s): A 30. Which of the following is NOT considered a common position or career opportunity in information security? A) Security consultant B) Governance manager C) nformation librarian D) Compliance officers Points Earned: 1.0/1.0 Correct Answer(s): C 31. Functional requirements and assurance requirements answer which of the following questions? A) Does the system do the right things? B) Does the system do the right things in the right way? C) Both of the above D) None of the above Points Earned: 1.0/1.0 Correct Answer(s): C 32. ____________ is needed by businesses and agencies to determine how much security is needed for appropriate protection. A) Risk analysis and management B) Education, awareness, and training C) Separation of duties D) Asset and data classification Points Earned: 0.0/1.0 Correct Answer(s): D 33. ____________ assure that outsourced functions are operating within security poli cies and standards. A) Access coordinators B) Vendor managers C) Security testers D) Security administrator Points Earned: 1.0/1.0 Correct Answer(s): B 34. Given enough time, tools, inclination, and ____________, a hacker can break thro ugh any security measure. A) skills B) talent C) intelligence D) assets Points Earned: 1.0/1.0 Correct Answer(s): A

35. Which ITSEC assurance class includes a formal specification of security enforcin g functions and architectural design? A) E6 B) E3 C) E5 D) E4 Points Earned: 1.0/1.0 Correct Answer(s): A 36. Which of the following is NOT a calculation used for quantitative risk analysis? A) Standard deviation B) Vulnerability C) ALE D) Probability Points Earned: 1.0/1.0 Correct Answer(s): A 37. Which of the following questions is NOT used to determine the hierarchy of the r ings of trust? A) Is the host in a physically secured room? B) Does the host use software with data from the Internet? C) Does the host have normal user accounts? D) Will users rely on flash drives? Points Earned: 1.0/1.0 Correct Answer(s): D 38. Thou shalt not use a computer to bear false witness is an ethics statement inclu ded in whose standard? A) Internet Activities Board's Ethics and the Internet B) Code of Fair Information Practices C) ISC2 Code of Ethics D) Computer Ethics Institute Points Earned: 1.0/1.0 Correct Answer(s): D 39. Networking professionals who create a plan to protect a computer system consider all of the following in the planning process except: A) Defining the structural composition of data B) Protecting the confidentiality of data C) Preserving the integrity of data D) Promoting the availability of data for authorized use Points Earned: 1.0/1.0 Correct Answer(s): A 40. A(n) ____________ policy might prescribe the need for information security and m ay delegate the creation and management of the program. A) System-specific

B) Programme-level C) Programme-framework D) Issue-specific Points Earned: 0.0/1.0 Correct Answer(s): B 41. Under the Trusted Computer Security Evaluation Criteria, what classification is reserved for protecting objects form unauthorized subjects through the assignmen t of privilege? A) Division B B) Division A C) Division D D) Division C Points Earned: 1.0/1.0 Correct Answer(s): D 42. The Security Management Practices domain highlights the importance of a comprehe nsive security plan. A) False B) True Points Earned: 1.0/1.0 Correct Answer(s): B 43. Information security is primarily a discipline to manage the behavior of: A) Buildings and Grounds B) Processes and Procedures C) Organizations and People D) Technology and Equipment Points Earned: 1.0/1.0 Correct Answer(s): C 44. Topics within the umbrella of information security include all of the following except: A) Security testing B) Key management C) Electronic forensics D) Incident response Points Earned: 1.0/1.0 Correct Answer(s): C 45. In disaster recovery planning, a(n) ____________site provides power, air conditi oning, heat, as well as other environmental systems but does not provide hardwar e or software. A) Shared B) Warm C) Cold D) Hot Points Earned: 1.0/1.0 Correct Answer(s): C

46. The type of computer crime where attacks are made on a country's computer networ k for economic or military gain is: A) Rogue code B) Emanation eavesdropping C) Embezzlement D) Information warfare Points Earned: 1.0/1.0 Correct Answer(s): D 47. The supporting documents derived from policy statements include which of the fol lowing? Select all correct answers. A) Guidelines B) Regulations C) Procedural maps D) Standards and baselines Points Earned: 3.0/3.0 Correct Answer(s): B, D, A 48. The growing demand for InfoSec specialists is occurring predominantly in what ty pes of organizations? Select all correct answers. A) Government B) Corporations C) Not-for-profit foundations Points Earned: 3.0/3.0 Correct Answer(s): A, B, C 49. Automated methods of enforcing or supporting security policy would NOT include: A) Prevent booting from a floppy disk B) Intrusion detection software C) Block file save to all but hard disk D) Blocking telephone systems users from calling some numbers Points Earned: 1.0/1.0 Correct Answer(s): C 50. All of the following are used to ensure a high standard of security except: A) Industry standards B) Certificates C) Ethics D) College degrees Points Earned: 1.0/1.0 Correct Answer(s): D 51. More dangerous than not addressing security is obscuring security because it lea ds to a: A) Reduced level of security B) Complete breakdown of security. C) Higher level of security D) False sense of security

Points Earned: 1.0/1.0 Correct Answer(s): D 52. Which of the following is NOT typically a goal of the disaster recovery plan? A) Keeping computers running B) Meeting service-level agreements with customers. C) Leasing new computers D) Being proactive Points Earned: 1.0/1.0 Correct Answer(s): C 53. The three objectives of Network Security are: A) Safety, access control, and secrecy B) Confidentiality, integrity, and availability C) Resilience, privacy, and safety D) Confidentiality, secrecy, and privacy E) Safety, access control, and privacy F) Resilience, privacy, and availability Points Earned: 1.0/1.0 Correct Answer(s): B 54. Which of the following computer incidents/crimes/attacks resulted in the largest dollar loss according to the 2004 Computer Crime and Security Survey? A) Sabotage B) Telecom fraud C) Insider net abuse D) Virus Points Earned: 1.0/1.0 Correct Answer(s): D 55. After undergoing formal testing and validation a trusted system can meet user's requirements for all of the following except: A) Security B) Speed C) Reliability D) Effectiveness Points Earned: 1.0/1.0 Correct Answer(s): B 56. ____________ policy speaks to specific issues of concern to the organization. A) Programme-level B) System-specific C) Programme-framework D) Issue-specific Points Earned: 1.0/1.0 Correct Answer(s): D 57. ____________ percent of businesses that did not have a recovery plan went bankru

pt within one year of a major data loss. A) 70 B) 30 C) 60 D) 20 E) 35 F) 40 G) 80 Points Earned: 1.0/1.0 Correct Answer(s): G 58. Which of the following actions may be required after a high risk rating is deter mined? A) Management responsibility must be specified B) Manage by routine procedures C) Immediate action required D) Senior management attention needed Points Earned: 1.0/1.0 Correct Answer(s): D 59. Which major category of computer crime usually involves illegal access of propri etary information? A) Business attacks B) Military and intelligence attacks C) Financial attacks D) Terrorist attacks Points Earned: 1.0/1.0 Correct Answer(s): A 60. Which of the following statements about operational security documentation are t rue? Select all correct answers. A) Less formal policy may be written in memos B) Formal policy is published as a distinct policy document C) Informal policy may not be written at all D) Uncommon policies are included in informal policy Points Earned: 2.0/3.0 Correct Answer(s): B, A, C 61. A compilation of all security information collected internationally and relevant to information security professionals is the Orange Book. A) False B) True Points Earned: 1.0/1.0 Correct Answer(s): A 62. Which of the following statements about the CC is NOT true? A) CC provides a common language for security requirements B) Users and developers of IT security products create protection profiles C) Users and developers defining security requirements ignore environmental thre ats

D) CC breaks functional and assurance requirements into distinct elements Points Earned: 1.0/1.0 Correct Answer(s): C 63. Which of the following are reasons to plan for emergencies? Select all correct a nswers. A) Save time and money B) Protect lives C) maximize disruptions D) Reduce stress Points Earned: 3.0/3.0 Correct Answer(s): A, D, B 64. Disaster recovery planning includes all of the following except: A) Data entry users B) IT systems and applications C) Networks supporting the IT infrastructure D) Application data Points Earned: 1.0/1.0 Correct Answer(s): A 65. Which of the following is NOT a step in the creation of a BCP? A) Identify the scope B) Create the BIA C) Implement the plan D) Purchase the resources Points Earned: 1.0/1.0 Correct Answer(s): D 66. Virus outbreaks and long passwords prevent users from accessing the systems they need in order to perform their jobs A) True B) False Points Earned: 1.0/1.0 Correct Answer(s): B 67. An effective security policy contains which of the following information? Select all correct answers. A) Reference to other policies B) Measurement expectations C) Compliance management and measurements description D) Smart Card Requirements Points Earned: 3.0/3.0 Correct Answer(s): A, B, C 68. Which of the following is NOT one of the International Safe Harbor Principles? A) Access in order to correct, modify, or delete information B) Security to prevent data loss, misuse, disclosure, or alteration

C) Consent over what information may be collected D) Enforcement of privacy Points Earned: 1.0/1.0 Correct Answer(s): C 69. In the standards taxonomy _____________ suggests that no single person is respon sible for approving his own work. A) Education, awareness, and training B) Separation of duties C) Risk analysis and management D) Asset and data classification Points Earned: 1.0/1.0 Correct Answer(s): B 70. All of the following are natural events capable of disrupting a business except: A) Floods B) Mudslides C) Work stoppages D) Hurricanes Points Earned: 1.0/1.0 Correct Answer(s): C