1. How does centralized identity and access management (IAM) support compliance with regulations?
a. It improves security governance by taking scattered identity data and
centralizing it, so it can be more easily reviewed for appropriateness
b. It reduces the time spent on manually managing accounts
c. It is required by Sarbanes-Oxley (SOX), section 404, which lists specific
internal controls including IAM
d. It prevents unauthorized access to company resources using a
centralized control application
2. What is an authoritative system of records (ASOR)?
a. A hierarchical end system that contains users, accounts, and
authorizations for that system
b. An active directory (AD), where all users are created and managed
c. A hierarchical parent system that tracks users, accounts, and
authorization chains
d. A lightweight directory access protocol (LDAP) directory, where all users
are created and managed
3. What is an advantage of legacy single sign-on (SSO)?
a. It provides a single system where all authentication information is stored
b. It allows integration of old, non-interoperable systems into the SSO
process
c. It provides a single technology allowing all systems to authenticate the
users once using the same technology
d. It allows users to authenticate once – no matter how many different
systems they wish to access
4. Which one of the following measures is used to control the emanations from
electronic equipment?
a. Kerberos
b. Remote Authentication Dial-In User Server/Service (RADIUS)
c. Internet Protocol Security (IPSec)
d. TEMPEST
5. Which one of the following is an alternative authentication system used in single
sign-on?
a. Secure European System for Applications in a Multivendor Environment
(SESAME)
b. DIAMETER
c. TEMPEST
d. SOCKS
Business Continuity and Disaster Recovery Planning
1. Which of the following contains references to expected business continuity
planning (BCP) practices that organizations must implement?
a. ISO 17799:2008, section 1
b. ISO 27005:2008, section 8
c. ISO 27002:2005, section 10
d. ISO 27001:2005, annex A
2. What process identifies the business continuity requirements for the
organization’s assets?
a. Risk analysis
b. Business impact analysis
a. with and relies on change management
b. SCM aims to prevent unauthorized individuals from accessing and making
unauthorized modifications and potentially malicious changes to code
2. How can a statement of work (SOW) protect against software development
project risks?
a. A SOW includes a risk analysis which helps identify the potential risk
elements the project may be exposed to
b. A SOW includes a qualitative risk analysis which helps identify the
potential risk elements the project may be exposed to
c. A SOW lists agreed-upon objectives and deliverables, which could prevent
scope creep
d. A SOW defines the business terms of the project engagement, including
fees, staff, and legal terms of the engagement

TELECOMMUNICATIONS AND NETWORK SECURITY


1. Cloud computing involves accessing software and data across the internet on
servers managed by a third-party supplier. Cloud computing arrangements
increase availability, offer greater scalability, and
a. Increase confidentiality
b. Increase the opportunity for attack
c. Increase integrity
d. Eliminate the need for data encryption
2. Which of the following is the correct sequence of the open systems interconnect
(OSI) model layers, starting with the layer closest to the end user?
a. Application, session, network, and physical
b. Application, network, session, and physical
c. Presentation, network, transport, and physical
d. Transport, presentation, network, and physical

Questions 3 – 7 refer to the following information:

Every Monday, the London branch of a manufacturing company sends its weekly sales
figures for the prior week to corporate headquarters in Seattle. It is imperative to use
the most secure method of data transmission.

3. You are in charge of deciding what technology to use for this data transfer. The
BEST alternative is
a. X.25 protocol
b. A permanent virtual circuit (PVC)
c. A virtual private network (VPN)
d. An optical carrier-class (OC-class) carrier
4. Your boss is confused about the merits of RIP (routing information protocol) and
OSPF (open shortest path first). You explain that
a. RIP is preferable because variable length subnet masks (VLSMs) are
supported in all versions
b. OSPF is preferable because it is more flexible and inherently more secure
c. RIP is preferable because OSPF is only used in smaller networks
d. RIP is preferable because it is more flexible and inherently more secure
5. London is one of a number of small branch offices, and there is no local
authentication server. The employees must, therefore, authenticate to a domain
controller at the corporate office. The best method of authentication involves
a. A dial-up virtual private network (VPN)
b. Establishing a private virtual circuit (PVC) to forward the request
c. A Windows server running Routing and Remote Access Service (RRAS) configured
as a Remote Authentication Dial-In User Service (RADIUS) client
d. Synchronous optical network (SONET)
6. You advise the use of Layer 2 Tunneling Protocol (L2TP) virtual private networks
(VPN) for people working outside of the branch offices or headquarters because
a. An L2TP VPN is automatically encrypted. This removes the responsibility
of remembering to encrypt from the shoulders of employees and enables
them to focus on their jobs
b. Data entering the enterprise is encrypted and will pose no internal danger
c. You can choose to use Encapsulating Security Payload (ESP) with Internet
Protocol Security (IPSec) when you set up the VPN to make the remote
communication more secure
d. Full-disk encryption makes the use of VPNs unnecessary
7. The head office has decided to use Kerberos for network authentication. The
company has a number of remote offices scattered across the country. What
problems might this present?
a. Kerberos is time sensitive in its default configuration
b. Kerberos logons are sent in plaintext
c. If the central key distribution center (KDC) fails, then all logons will fail
d. The key distribution center (KDC) retrieves passwords from the security
accounts manager (SAM)
8. Which of the following is a network configuration protocol for hosts on internet
protocol (IP) networks and provides other configuration information, particularly
the IP addresses of local caching DNS resolvers, network boot servers, and
other service hosts?
a. DHCP (Dynamic Host Configuration Protocol)
b. NIS (Network Information Service)
c. DNS (Domain Name Service)
d. LDAP (Lightweight Directory Access Protocol)
9. Which statement is TRUE concerning Internet Protocol version 4 (IPv4) and IPv6 security?
a. IPv6 is less secure than IPv4. IPv6 allows every node to have its own
IP address. IPv4 allows shielding private addresses behind public
addresses
b. IPv6 is less secure than IPv4. Although there is still a centralizing body,
it is now international and terrorist organizations may now get IP
addresses
c. IPv6 is more secure than IPv4. IPv6 mandates the use of Internet
Protocol Security (IPSec)
d. IPv6 is more secure than IPv4. Only enterprises that have been
governmentally approved may use it
10. You are a CISSP working for a small corporation with responsibility for providing
security advice to the information technology (IT) department. Your primary concern
for training all employees in the company on security awareness is defending
against
a. Denial of service
b. Malware
c. Social engineering
d. Botnets