CISSP Practice полностью

91. Trustworthy information systems are defined as:

1. Operating within defined levels of risk

2. Handling environmental disruptions

3. Handling human errors

4. Handling purposeful attacks

a. 1 only

b. 3 only

c. 4 only

d. 1, 2, 3, and 4

91. d. Trustworthy information systems are those systems capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks expected to occur in the specified environments of operation.

92. Which of the following combinations of conditions can put the IT assets at the most risk of loss?

a. System interconnectivity and poor security management

b. System interconnectivity and poor controls over data sensitivity

c. System interconnectivity and lack of system backups

d. System interconnectivity and inadequate physical security

92. a. Poor security management does not proactively and systematically assess risks, monitor the effectiveness of security controls, and respond to identified problems. This situation can become much weaker with interconnected systems where the risk is the greatest. The other three choices are the result of poor security management.

93. An IT security training program is a part of which of the following control categories?

a. Application controls

b. General controls

c. Administrative controls

d. Technical controls

93. c. The security-training program is a part of administrative controls, which in turn, can be a part of management controls. Application controls relate to a specific application system, whereas general controls relate to a computer center. Technical controls can be useful in both application and general areas.

94. What is the last step when an insider violates a security policy?

a. Verbal warning

b. Dismissal

c. Legal action

d. Written warning

94. c. When an insider violates security policy, the first step is a verbal warning, followed by a written warning, dismissal, and the final step of legal action.

95. Which of the following is referred to when data is transferred from high network users to low network users?

a. Data downgrade

b. Data regrade

c. Data upgrade

d. Data release

95. b. Data regrade is the term used when data is transferred from high network users to low network users and from low network users to high network users.

Data downgrade is the change of a classification label to a lower label without the changing the contents of the data. Data upgrade is the change of a classification label to a higher label without the changing the contents of the data. Data release is the process of returning all unused disk space to the system when a dataset is closed at the end of processing.

96. Which of the following must be done first to protect computer systems?

a. Battling information abusers

b. Fighting hackers

c. Reducing vulnerabilities

d. Catching crackers

96. c. Reducing vulnerabilities decreases potential exposures and risks. The other three choices follow the vulnerabilities.

97. Which of the following are major benefits of security awareness, training, and education programs accruing to an organization?

a. Reducing fraud

b. Reducing unauthorized actions

c. Improving employee behavior

d. Reducing errors and omissions

97. c. Making computer system users aware of their security responsibilities and teaching them correct practices help users change their behavior. It also supports individual accountability, which is one of the most important ways to improve computer security. Without knowing the necessary security measures and knowing how to use them, users cannot be truly accountable for their actions. The other three choices are examples of major purposes of security awareness.

98. In developing a data security program for an organization, who should be responsible for defining security levels and access profiles for each data element stored in the computer system?

a. Database administrator

b. Systems programmer

c. Data owner

d. Applications programmer