ISC2 CISSP Certified Information Systems Security Professional Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 1

Which of the following statements is MOST accurate regarding information assets?



Answer : B

Information assets are any data or information that have value for the organization, such as financial records, customer data, intellectual property, or trade secrets. Information assets are essential for the organization to achieve its objectives and to maintain its competitive advantage, and they should be identified, classified, and protected according to their value, sensitivity, and criticality. International Organization for Standardization (ISO) 27001 compliance does not specify which information assets must be included in the asset inventory; it provides a framework and a set of requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), and leaves the scope of the inventory to the organization. Building an information asset register is not necessarily a resource-intensive job; it is a necessary and beneficial one, because it documents and manages the organization's information assets and supports the risk assessment and security planning processes. An information asset inventory is required for risk assessment, because it defines the scope of the assessment and allows the impact and likelihood of the risks affecting each asset to be determined, so that the appropriate controls can be prioritized and implemented.


Question 2

What is the MAIN purpose of conducting a business impact analysis (BIA)?



Answer : B

The main purpose of conducting a business impact analysis (BIA) is to determine the effect of mission-critical information system failures on core business processes. A BIA identifies the critical business functions and their dependencies and evaluates the impact of a disruption on them over time. It quantifies the potential loss of revenue, reputation, productivity, or customer satisfaction caused by an information system failure, and establishes how quickly, and with what resources, normal operations must be resumed. Determining the specific resources required to recover from an incident, the cost of restoring a damaged information system, and the controls required to return to business-critical operations are outputs of the disaster recovery and business continuity plans, a risk or cost-benefit analysis, and the contingency or crisis management plan respectively; these build on the BIA's findings but are not the BIA's main purpose.


Question 3

What is the MAIN purpose of a security assessment plan?



Answer : B

The main purpose of a security assessment plan is to provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments. A security assessment plan defines the scope, criteria, methods, roles, and responsibilities of the security assessment process, which is the process of evaluating and testing the effectiveness and compliance of the security and privacy controls implemented in an information system. A security assessment plan helps to ensure that the security assessment process is consistent, systematic, and comprehensive. A security assessment plan does not provide guidance on security requirements, as this is the role of a security requirements analysis or a security architecture design. A security assessment plan does not provide technical information to executives, as this is the role of a security report or a security briefing. A security assessment plan does not provide education to employees, as this is the role of a security awareness or a security training program.


Question 4

At which phase of the software assurance life cycle should risks associated with software acquisition strategies be identified?



Answer : B

The planning phase of the software assurance life cycle is the stage where the objectives, requirements, scope, and constraints of the software project are defined and analyzed. This is the phase where the risks associated with software acquisition strategies should be identified, as this will help to select the most appropriate and secure software solution, as well as to plan for the mitigation and management of the risks. The follow-on phase is the stage where the software product is maintained and updated after its deployment. The monitoring and acceptance phase is the stage where the software product is tested and verified against the requirements and specifications. The contracting phase is the stage where the software product is procured and delivered by the vendor or supplier.


Question 5

Which of the following are the BEST characteristics of security metrics?



Answer : D

Security metrics are measurements that are used to evaluate and improve the effectiveness and efficiency of security processes, controls, and outcomes. The best characteristics of security metrics are that they are consistently measured and quantitatively expressed, as this ensures that the metrics are objective, reliable, comparable, and verifiable. Security metrics should not be generalized or provide a broad overview, as this may reduce their accuracy, relevance, and usefulness. Security metrics should not use acronyms and abbreviations to be concise, as this may cause confusion, ambiguity, or misunderstanding. Security metrics may use bar charts and Venn diagrams, or other graphical or visual representations, to illustrate or communicate the results, but this is not a characteristic of the metrics themselves, but rather a presentation technique.
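As an added illustration of "consistently measured and quantitatively expressed" (example code written for this page, not from the exam or the references it cites), the Python below computes two common vulnerability-management metrics, mean time to remediate and percentage remediated within SLA, from a constructed set of findings. The SLA values per severity and the rule for handling still-open findings are assumptions stated in the comments; the point is that each metric has one explicit definition (population, numerator, denominator, cut-off date) so that it means the same thing every time it is reported and can be compared across periods.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Added example (not from the original page): two quantitative security metrics
# with explicit, repeatable definitions. Sample findings and SLA values are constructed.


@dataclass
class Finding:
    finding_id: str
    severity: str                 # "critical", "high", "medium" or "low"
    opened: datetime              # timezone-aware, UTC
    closed: Optional[datetime]    # None while the finding is still open


# Assumed remediation SLA per severity, in days (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def _in_scope(f: Finding, severity: str, as_of: datetime) -> bool:
    """Population rule: findings of the requested severity opened on or before the cut-off."""
    return f.severity == severity and f.opened <= as_of


def mean_time_to_remediate_days(findings: List[Finding], severity: str,
                                as_of: datetime) -> Optional[float]:
    """Mean number of days from open to close, over findings of `severity` that were
    closed on or before `as_of`. Open findings have no close time and are excluded here;
    they are accounted for by sla_compliance_pct instead, so the two metrics never
    silently disagree about the same finding. Returns None when there is nothing to measure."""
    closed = [f for f in findings if _in_scope(f, severity, as_of)
              and f.closed is not None and f.closed <= as_of]
    if not closed:
        return None
    total_seconds = sum((f.closed - f.opened).total_seconds() for f in closed)
    return round(total_seconds / len(closed) / 86400, 2)


def sla_compliance_pct(findings: List[Finding], severity: str,
                       as_of: datetime) -> Optional[float]:
    """Percentage of findings of `severity` closed within their SLA window.
    Rule for open findings: still open and past its deadline counts as a miss;
    open but not yet due is excluded, because its outcome is unknown at the cut-off."""
    window = timedelta(days=SLA_DAYS[severity])
    met = missed = 0
    for f in findings:
        if not _in_scope(f, severity, as_of):
            continue
        due = f.opened + window
        if f.closed is not None and f.closed <= as_of:
            if f.closed <= due:
                met += 1
            else:
                missed += 1
        elif due < as_of:
            missed += 1        # still open and overdue
        # else: open but not yet due, not counted
    population = met + missed
    return None if population == 0 else round(100.0 * met / population, 2)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data for the example.
AS_OF = _utc(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", _utc(2024, 1, 1),  _utc(2024, 1, 5)),   # closed in 4 days: met
    Finding("F-2", "critical", _utc(2024, 1, 10), _utc(2024, 1, 20)),  # closed in 10 days: missed
    Finding("F-3", "critical", _utc(2024, 2, 1),  None),               # open, due 2024-02-08: missed
    Finding("F-4", "critical", _utc(2024, 2, 27), None),               # open, due 2024-03-05: not yet counted
    Finding("F-5", "high",     _utc(2024, 1, 1),  _utc(2024, 1, 15)),  # closed in 14 days: met
]

if __name__ == "__main__":
    for sev in ("critical", "high", "low"):
        print(sev,
              "MTTR days:", mean_time_to_remediate_days(SAMPLE_FINDINGS, sev, AS_OF),
              "SLA %:", sla_compliance_pct(SAMPLE_FINDINGS, sev, AS_OF))
```

With the constructed data, critical findings report a mean time to remediate of 7.0 days and 33.33% SLA compliance (one met, two missed, one not yet due and therefore excluded), while "low" returns None for both metrics rather than a misleading zero. Whatever rules an organization chooses, writing them down in the metric's definition, as the docstrings do here, is what makes the numbers comparable from one reporting period to the next.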


Question 6

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular system over a 12-month period. Which type of SOC report should be utilized?



Answer : B

The type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period is SOC 2 Type 2. A SOC 2 report is an attestation report, issued by an independent service auditor, on a service organization's controls relevant to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The Type 2 form is the right choice here because it:

Evaluates both the design and the operating effectiveness of the controls the service organization has implemented and maintained for the security and availability of the system and its data, against the applicable Trust Services Criteria.

Presents that evaluation as the auditor's report and opinion, together with management's description of the system, intended for user entities and other specified parties (a restricted-use report).

Covers a specified review period, usually between six and twelve months, and includes the auditor's description of the tests of controls performed and their results, which is what demonstrates operating effectiveness over the 12-month period the CISO asked for.

The other options do not fit. SOC 1 Type 1 is not a security report at all: a SOC 1 report covers controls at a service organization relevant to the user entities' internal control over financial reporting (ICFR), based on control objectives defined by the service organization. SOC 1 Type 1 is unsuitable because it does not:

Address the security and availability of the system; its subject matter is the controls that affect the financial reporting of the user entities.

Cover a period of time or include tests of controls and their results; as a Type 1 report it evaluates only the design of the controls at a single point in time.

SOC 2 Type 1 covers the right subject matter (controls relevant to the Trust Services Criteria, including security and availability), but it is unsuitable because it does not:

Evaluate operating effectiveness; it reports only on whether the controls are suitably designed as of a specified date.

Include the description of the tests of controls and their results that would demonstrate operating effectiveness over a period.

SOC 3 is a general-use summary report derived from a SOC 2 Type 2 examination: it carries the auditor's opinion on the Trust Services Criteria and can be distributed publicly (often accompanied by a seal on the organization's website), and the Type 1 / Type 2 distinction is not applied to it. The "SOC 3 Type 1" option is unsuitable because it does not:

Include the description of the tests of controls performed and their results; it provides only a summary and the auditor's opinion.

Provide the detailed system description and control-level information needed to outline the security and availability of a particular system for the CISO; it is a general-use summary rather than the restricted-use report prepared for user entities.


Question 7

Employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?



Answer : D

Employee training, risk management, and data handling procedures and policies are administrative security measures. Administrative security measures are the policies, procedures, standards, guidelines, and practices that define and govern the roles, responsibilities, and actions of personnel and of the organization with respect to the security of information systems and data. The items listed in the question fall into this category because they:

Establish and communicate the security objectives, requirements, and expectations of the organization, and provide the direction and guidance for achieving and maintaining them.

Educate and train personnel in security awareness, skills, and behaviors, and evaluate and monitor their performance and compliance with the security policies and procedures.

Identify and assess the risks and threats to information systems and data, and select, implement, and review the controls and countermeasures that mitigate and manage them.

The other options do not fit. "Non-essential" is not a category of security measure, and training, risk management, and data handling policy are essential to protecting information systems and data; removing or reducing them would compromise the organization's security objectives and requirements. "Management" is not one of the three standard types of control used in the CISSP CBK (administrative, technical or logical, and physical); the standard name for controls implemented through policy, procedure, and people is administrative. "Preventive" describes a control's function (preventive, detective, corrective, deterrent, recovery, compensating) rather than its type; examples of preventive controls include encryption, authentication, and firewalls. Training and policy often act preventively, but the question asks for the type of measure, which is administrative.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 19. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, page 19.

