AES is not useful for securing confidential but classified material. AES is not useful for securing secret but classified material. AES is not useful for securing top secret but unclassified material. Top secret cannot be unclassified.

151. Business data classification schemes usually do not include which of the following?

a. Private

b. Public

c. For internal use only

d. Secret

151. d. Data classification terms such as secret and top secret are mostly used by government. The terms used in the other choices usually belong to a business data classification scheme.

152. Data containing trade secrets is an example of which of the following data classification schemes?

a. Classified

b. Unclassified

c. Unclassified but sensitive

d. Confidential

152. c. A classified category includes sensitive, confidential, secret, and top secret. An unclassified category is public information, whereas an unclassified but sensitive category requires some protection as in the case of trade secrets.

153. Which of the following assists in complying with others?

a. Policy

b. Procedure

c. Standard

d. Guideline

153. b. Procedures normally assist in complying with applicable policies, standards, and guidelines because they deal with specific steps to carry out a specific task.

154. Which of the following is referred to when at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a moderate impact value and no security objective is assigned a high impact value for an information system?

a. Low-impact system

b. Moderate-impact system

c. High-impact system

d. No-impact system

154. b. A low-impact system is defined as an information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a potential impact value of low. In a moderate-impact system, at least one objective is assigned as moderate and no objective is assigned as high. In a high-impact system, at least one objective is assigned as high. No-impact system is incorrect because every system will have some impact, whether low, moderate, or high.

155. Which of the following security controls are needed when data is transferred from low network users to high network users?

1. Software/hardware guards

2. Automated processing

3. Automated blocking

4. Automated filtering

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 3 and 4

155. b. Data should be sanitized or separated between high network data/users and low network data/users. When data is transferred from low network users to high network users (i.e., data is regraded), automated data-blocking techniques with firewalls and software/hardware guards are needed to regulate the transfer.

When data is transferred from high network users to low network users (i.e., data is regraded), software/hardware guards, automated processing, and automated filtering techniques are needed to regulate the transfer. The goal of automated processing, blocking, and filtering techniques is to eliminate or identify viruses and other malicious code transfers. The goal of a software/hardware guard is to facilitate transfer of data between private and public networks.

156. Which of the following is a prerequisite to IT security training?

a. Certification

b. Education

c. Awareness

d. Training

156. c. Awareness, training, and education are important processes for helping staff members carry out their roles and responsibilities for information technology security, but they are not the same. Awareness programs are a prerequisite to IT security training. Training is more formal and more active than awareness activities and is directed toward building knowledge and skills to facilitate job performance.

Education integrates all the security skills and competencies of the various functional specialists and adds a multidisciplinary study of concepts, issues, and principles. Normally, organizations seldom require evidence of qualification or certification as a condition of appointment.

157. When developing information systems security policies, organizations should pay particular attention to which of the following?

a. User education
