  • June 24, 2024
  • 45 pages
  • 2023/2024
  • Exam (elaborations)
  • Questions & answers
  • Seller: lydiaomutho
ISC2 Certified in Cybersecurity: Pre and Post Course Assessment
Tina is an (ISC)² member and is invited to join an online group of IT security
enthusiasts. After attending a few online sessions, Tina learns that some
participants in the group are sharing malware with each other, in order to use it
against other organizations online. What should Tina do? (D1, L1.5.1)

A) Nothing
B) Stop participating in the group
C) Report the group to law enforcement
D) Report the group to (ISC)²
B is the best answer. The (ISC)² Code of Ethics requires that members "protect
society, the common good, necessary public trust and confidence, and the
infrastructure"; this would include a prohibition against disseminating and
deploying malware for offensive purposes. However, the Code does not make
(ISC)² members into law enforcement officers; there is no requirement to get
involved in legal matters beyond the scope of personal responsibility. Tina should
stop participating in the group, and perhaps (for Tina's own protection) document
when participation started and stopped, but no other action is necessary on
Tina's part.


Triffid Corporation has a policy that all employees must receive security
awareness instruction before using email; the company wants to make
employees aware of potential phishing attempts that the employees might
receive via email. What kind of control is this instruction? (D1, L1.3.1)

A) Administrative
B) Finite
C) Physical
D) Technical
A is correct. Both the policy and the instruction are administrative controls; rules
and governance are administrative. B is incorrect; "finite" is not a term commonly
used to describe a particular type of security control, and is used here only as a
distractor. C is incorrect; training is not a tangible object, so this is not a physical
control. D is incorrect; training is not part of the IT environment, so it is not a
technical control.
Druna is a security practitioner tasked with ensuring that laptops are not stolen
from the organization's offices. Which sort of security control would probably be
best for this purpose? (D1, L1.3.1)

A) Technical
B) Obverse
C) Physical
D) Administrative
C is the best answer. Because laptops are tangible objects, and Druna is trying to
ensure that these objects are not moved from a certain place, physical controls
are probably best for the purpose. A is incorrect; technical controls might help
detect an attempt to steal a laptop, or locate the laptop after it has been stolen,
but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a
term commonly used to describe a particular type of security control, and is used
here only as a distractor. D is incorrect; administrative controls may help reduce
theft, such as ensuring that laptops are not left in a place unobserved, but won't
prevent the laptop from being taken.


Kerpak works in the security office of a medium-sized entertainment company.
Kerpak is asked to assess a particular threat, and he suggests that the best way
to counter this threat would be to purchase and implement a particular security
solution. This is an example of _______. (D1, L1.2.2)

A) Acceptance
B) Avoidance
C) Mitigation
D) Transference
C is correct. Applying a security solution (a type of control) is an example of
mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and
the acceptance of the associated risk, only needs to be documented—no other
action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of
action would be to cease whatever activity was associated with the threat. D is
incorrect; if Kerpak suggested transference, this would involve forming some sort
of risk-sharing relationship with an external party, such as an insurance
underwriter.


The Payment Card Industry (PCI) Council is a committee made up of
representatives from major credit card providers (Visa, Mastercard, American
Express) in the United States. The PCI Council issues rules that merchants must
follow if the merchants choose to accept payment via credit card. These rules
describe best practices for securing credit card processing technology, activities
for securing credit card information, and how to protect customers' personal data.
This set of rules is a _____. (D1, L1.4.2)

A) Law
B) Policy
C) Standard
D) Procedure
C is correct. This set of rules is known as the Data Security Standard, and it is
accepted throughout the industry. A is incorrect, because this set of rules was not
issued by a governmental body. B is incorrect, because the set of rules is not a
strategic, internal document published by senior leadership of a single
organization. D is incorrect, because the set of rules is not internal to a given
organization and is not limited to a single activity.


For which of the following systems would the security concept of availability
probably be most important? (D1, L1.1.1)

A) Medical systems that store patient data
B) Retail records of past transactions
C) Online streaming of camera feeds that display historical works of art in
museums around the world
D) Medical systems that monitor patient condition in an intensive care unit
D is correct. Information that reflects patient condition is data that necessarily
must be kept available in real time, because that data is directly linked to the
patients' well-being (and possibly their life). This is, by far, the most important of
the options listed. A is incorrect because stored data, while important, is not as
critical to patient health as the monitoring function listed in answer D. B is
incorrect because retail transactions do not constitute a risk to health and human
safety. C is incorrect because displaying artwork does not reflect a risk to health
and human safety; also because the loss of online streaming does not actually
affect the asset (the artwork in the museum) in any way—the art will still be in the
museum, regardless of whether the camera is functioning.


Which of the following is an example of a "something you know" authentication
factor? (D1, L1.1.1)

A) User ID
B) Password
C) Fingerprint
D) Iris scan
B is correct. A password is something the user knows and can present as an
authentication factor to confirm an identity assertion. A is incorrect because a
user ID is an identity assertion, not an authentication factor. C and D are
incorrect as they are examples of authentication factors that are something you
are, also referred to as "biometrics."


In risk management concepts, a(n) _________ is something a security
practitioner might need to protect. (D1, L1.2.1)

A) Vulnerability
B) Asset
C) Threat
D) Likelihood
B is correct. An asset is anything with value, and a security practitioner may need
to protect assets. A, C, and D are incorrect because vulnerabilities, threats and
likelihood are terms associated with risk concepts, but are not things that a
practitioner would protect.
