Domain 2 Exam.
A minimum of 70% is required to pass.
#1. Which method is most appropriate when making a final decision on whether or not a particular security control measure should be implemented?
To keep risk within acceptable limits, the organization selects controls against threats that are realistic, sufficiently likely and sufficiently impactful. Analyzing the costs and benefits of the candidate measures is what determines which of them should actually be implemented.
This is incorrect because risk determination is only the first step in identifying what may be needed to control risk within acceptable thresholds.
Incorrect. The annualized loss expectancy (ALE) tells the firm what it stands to lose if a particular threat is realized. The ALE feeds into the cost-benefit analysis, but on its own it says nothing about what a countermeasure costs or how much loss it prevents.
×：Identifying vulnerabilities and threats that pose a risk
Incorrect. Vulnerability and threat assessments establish that countermeasures are needed, but the assessments alone do not say which of the competing countermeasures is expected to be cost-effective.
#2. The U.S. National Security Agency (NSA) wanted a Clipper chip incorporated into every motherboard. Which encryption algorithm did this chip use?
The Clipper chip implemented Skipjack, a block cipher with an 80-bit key and a 64-bit block that was classified at the time and declassified in 1998. Each chip also emitted a Law Enforcement Access Field so that the session key could be recovered by the government through key escrow, which is the feature that made the proposal controversial.
#3. Which of the following means of data deletion makes it impossible to recover the data even with special skills, such as physical or forensic techniques?
〇：Purge by overwriting
Purging means making data unavailable even to physical or forensic recovery efforts. On magnetic media this is typically done by overwriting every sector of the medium. Note that on flash-based media (SSDs) a host-level overwrite is unreliable, because wear leveling and over-provisioning can leave old copies in cells the host cannot address; NIST SP 800-88 therefore classes overwriting of such media as Clear and reserves Purge for the drive's own sanitize and cryptographic-erase commands.
Incorrect. Deleting data with an operating-system command typically leaves the data on the medium; only the clusters or blocks it occupied are marked free for later reuse.
Personally, I feel this option has been prepared with the exam in mind: it uses the general wording "deleting data", which allows a quick answer in a broad sense. However, the term "purge" is the stronger fit for this question.
Incorrect. Although stronger than simply deleting data with an operating-system command, sanitization usually refers to making storage media reusable within the same security context.
The method-specific option "purge" is the stronger fit for the question, which asks about recovery "using special skills, such as physical or forensic".
×：None of these work!
Incorrect. Applied with appropriate care, purging techniques do deal with residual data.
#4. ITIL (Information Technology Infrastructure Library) is published as five core volumes, one per stage of the service lifecycle. Which of the following stages is considered the core and focus of ITIL?
ITIL's basic approach is to start from a Service Strategy that covers the overall planning of the IT services to be provided. Once that planning is complete, Service Design provides guidelines for designing the agreed services and the overall implementation policies. Service Transition then provides guidelines for evaluating, testing and validating the services, so that the business requirement becomes a technical service in production. Service Operation ensures that all the agreed services actually achieve their objectives. Finally, Continual Service Improvement points out areas for improvement throughout the lifecycle. Service Strategy is regarded as the core of ITIL: it is the set of guidelines and best practices for planning, for aligning IT with the business approach, for market analysis, service assets and goal-setting to deliver quality service to customers, and for the strategy and value of putting that strategy into effect.
Service Operation is incorrect. It is a critical part of the lifecycle, since this is where services are actually delivered, but ITIL as a body of guidance puts its core at the strategy stage rather than at day-to-day operation. Service Operation defines a set of guidelines that ensure the agreed level of service is delivered to the customer. The processes it covers include event management, incident management, problem management and access management, supported by the application management, technical management and IT operations management functions. Service Operation balances conflicting goals such as technology versus business requirements, stability versus responsiveness, cost versus quality of service, and reactive versus proactive activity.
Service Design is incorrect because it is the set of best practices for designing IT services, including processes, architecture, policies and documentation, to meet current and future business requirements. Its goal is to design services according to the agreed business objectives, with processes that support the lifecycle and identify and manage risk, so that IT service quality improves as a whole.
Service Transition is incorrect because it focuses on moving the services proposed by the business strategy into operational use. It also includes guidelines for a smooth transition from the business model to the technical service. If service requirements change after design, Service Transition ensures that they are delivered in accordance with the changed design. Areas of focus for these guidelines include transition planning and support (and the responsibilities of the personnel involved), change management, knowledge management, release and deployment management, service validation and testing, and evaluation.
#5. Which of the following positions is the most desirable one to issue, and be responsible for, security measures?
Security measures should be raised together with business strategy and issued from the top, the CEO. Therefore, the correct answer is "CEO".
Abbreviation for Chief Information Officer. Security measures may certainly be issued by the CIO, but the CIO is not the correct answer here, because it is "more desirable" that the CEO, the top manager accountable for the business as a whole, issues them.
The person who issues security measures and is responsible for them should be the person accountable for running the organization, so this is not the correct answer.
Abbreviation for Chief Technology Officer. The CTO's main role is to promote and protect the organization's research and technology. This is not the correct answer, because when security measures covering organizational management and governance are issued, the CEO is the "more desirable" issuer.
#6. We have a document labeled as confidential information. Some of its text contains information that should be treated as critical confidential information, a level above confidential. How should this be handled?
〇：Review labeling and treat as critical confidential information.
Labeling is the process of sorting data by its level of confidentiality, and it makes the required level of handling clear. If a label is found to be wrong, it should be corrected as soon as it is noticed so that the data is managed according to its real confidentiality level; a document takes the highest level of any part it contains. Therefore, "Review the labeling and treat it as critical confidential information" is the correct answer.
×：Treat the entire document as confidential information, because the business needs flexibility.
This is not an appropriate way to handle it, because text containing critical confidential information would then be handled only as confidential information.
×：State in the document's supplementary information that "part of the text contains critical confidential information".
This is not a fundamental solution, because a note in the supplementary information in effect leaves the information handled at two different confidentiality levels within one document.
×：Destroy the document, because information of different confidentiality levels cannot be mixed.
Destroying the document is not appropriate, because it damages the organization's own assets.
#7. Why should confidential documents be shredded rather than simply put in the trash?
〇：Because once it is in the dumpster, the information may end up in the hands of someone outside the company.
Dumpster diving, or scavenging, is finding important information in the trash. Throwing a document away feels like getting rid of it, but the trash can is nothing more than a space shared by internal and external parties, such as cleaning staff. Shred any document that contains confidential information to prevent leakage.
×：When restoring documents from the trash, they would be mixed up with other documents.
Incorrect. Documents are not thrown away so that they can later be restored, so this is not the reason.
×：Confidential documents do not need to be destroyed.
Incorrect. Even confidential documents must be destroyed once they are no longer needed.
×：There is no need to shred them.
Incorrect. Of course they must be shredded.
#8. Michael is to develop a data classification program. Which of the following is an appropriate first step?
"Data classification program" may be an unfamiliar term, and this is not a question about its dictionary definition. You want to classify data: what do you do, and what comes first? Since the question asks for the "first step", you can answer by putting the options in process order and choosing the first. Rather than searching your memory for the phrase "data classification", think through the flow of a classification effort and recall the name of its first stage.
In order, you would go from understanding the different levels of protection that must be provided, to specifying the data classification criteria, to determining the protection mechanisms for each classification level, to identifying the data owners and custodians. Whatever the program, the first step is research: understand what must be protected and to what degree. Define the problem first and derive the best answer from that, which is the general way to approach such questions.
#9. Jim is a sales representative and the data owner of the sales department. Which of the following is not the responsibility of Jim, the data owner?
〇：Verifying Data Availability
Verifying data availability is the one listed responsibility that does not belong to the data (information) owner; it belongs to the data custodian. The custodian maintains and protects the data according to the owner's instructions: taking regular backups, restoring from backup media, keeping activity records, and enforcing the information security and data protection requirements set out in company policies, guidelines and standards. Data owners work at a higher level than custodians. The owner essentially says, "This is the level of integrity, availability and confidentiality you must provide; please do it." The custodian carries out those instructions and follows up on the installed controls to make sure they keep working.
×：Assigning Information Classification
Incorrect. The question asks what Jim is not responsible for, and as data owner Jim is responsible for assigning information classifications.
×：Determining how to protect data
Incorrect, because the data owner, Jim, is responsible for deciding how the information is protected. The owner carries organizational responsibility for data protection and is liable for negligence in protecting the organization's information assets. So Jim decides how the information is protected and ensures that the data custodian (a role usually filled by IT or security staff) implements those decisions.
×：Determining how long to retain data
Incorrect, because deciding how long to retain data is the data owner's responsibility. The owner also decides who may access the information and ensures that appropriate access rights are used. He may approve access requests himself or delegate that to the business unit manager, who approves requests against the user access criteria the owner has defined.
#10. Which is a common data classification in the military?
Within the U.S. military and national security apparatus, the most common top-level data classifications are unclassified and classified. "Classified" information is further divided into Confidential, Secret and Top Secret. Confidential data is data whose unauthorized disclosure could reasonably be expected to cause damage to national security; Secret data could cause "serious" damage; Top Secret data could cause "exceptionally grave" damage.
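The two classification questions above (#6, the document whose parts carry different levels, and #10, the Confidential / Secret / Top Secret hierarchy) come down to one mechanical rule: a composite document carries the highest label of any part it contains, and a reader may see it only if their clearance dominates that label. The following Python is an added example, not code from the original page, that applies that rule to a document using portion markings of the U.S. government style ("(U)", "(C)", "(S)", "(TS)" at the start of each paragraph). The level names, the regular expression, the `audit_label` helper and the sample document are all constructed for this example.

```python
import re
from enum import IntEnum


class Level(IntEnum):
    """Classification hierarchy from the answer above; the integer order is
    the dominance order used for every comparison below."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Portion markings as used on U.S. government documents: each paragraph
# opens with its own level in parentheses (assumed convention for this demo).
PORTION_MARKS = {"U": Level.UNCLASSIFIED, "C": Level.CONFIDENTIAL,
                 "S": Level.SECRET, "TS": Level.TOP_SECRET}
_MARK_RE = re.compile(r"^\((U|C|S|TS)\)\s")


def portion_level(paragraph: str) -> Level:
    """Level of one marked paragraph. An unmarked paragraph is an error, not
    silently Unclassified: under-labelling is the failure mode that leaks."""
    m = _MARK_RE.match(paragraph.strip())
    if m is None:
        raise ValueError(f"unmarked portion: {paragraph[:40]!r}")
    return PORTION_MARKS[m.group(1)]


def banner_level(document: str) -> Level:
    """The label of the whole document is the highest label of any part
    (high-water mark). Paragraphs are separated by blank lines."""
    portions = [p for p in document.split("\n\n") if p.strip()]
    if not portions:
        raise ValueError("empty document")
    return max(portion_level(p) for p in portions)


def audit_label(document: str, declared: Level) -> dict:
    """Compare the label on the cover with what the contents require;
    the situation in #6 is the `underlabelled` case."""
    required = banner_level(document)
    return {"declared": declared.name, "required": required.name,
            "underlabelled": required > declared}


def may_read(clearance: Level, label: Level) -> bool:
    """Simple-security rule (no read up): a subject reads only objects at
    or below its clearance."""
    return clearance >= label


# Constructed sample document: labelled Confidential on the cover, but one
# paragraph is marked Secret, exactly the mislabelling described in #6.
SAMPLE_DOC = """(U) Quarterly summary circulated to all regional managers.

(C) Revenue by account and the pipeline forecast for next quarter.

(S) Pricing terms negotiated with the government customer, not yet public.
"""

if __name__ == "__main__":
    print(audit_label(SAMPLE_DOC, Level.CONFIDENTIAL))
```

Running the audit on the sample reports `required: SECRET, underlabelled: True`, which is the "review the labeling" outcome of #6; treating an unmarked paragraph as an error rather than as Unclassified is deliberate, since the whole point of the high-water mark is that one overlooked part drags the document's real level up, never down.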
#11. Which of the following are possible standards used for credit card payments?
PCI DSS (Payment Card Industry Data Security Standard) is the framework for preventing leakage of cardholder data when card payments are processed. Therefore, the correct answer is "PCI DSS".
Incidentally, since the question asks "which of the following are possible", I am tempted to argue that other frameworks could also be used. However, in the CISSP exam you may sometimes have to choose the "most plausible" option, which is why this phrasing is used.
The Health Information Technology for Economic and Clinical Health Act (HITECH) is an extension of HIPAA that applies its requirements not only to the covered entities' own data management but also to their health care business associates.
OCTAVE is a risk assessment framework developed by CERT at Carnegie Mellon University's Software Engineering Institute.
COBIT is a framework for governing, and measuring the maturity of, a company's IT governance. It was proposed by ISACA (Information Systems Audit and Control Association) and the IT Governance Institute (ITGI).
#12. Why are gates and fences installed as physical access controls?
Gates and fences are used as physical deterrents and preventive measures. A fence as low as 3 to 4 feet only deters casual trespassers, while an 8-foot fence, especially one topped with barbed wire, is both a deterrent and a preventive mechanism. The purpose of the fence is to limit the routes in and out of the facility so that entry and exit occur only through doors, gates and turnstiles.
#13. Sam plans to establish cell phone service using personal information stolen from his former boss. What type of identity theft is this?
Identity theft is a situation in which a person obtains important personal information, such as driver's license numbers, bank account numbers, identification cards or social security numbers, and uses that information to impersonate someone else. Typically, identity thieves use the information to obtain credit, goods or services in the victim's name. The consequences can include destroying the victim's credit rating, creating a false criminal record, and an arrest warrant being issued for the wrong person. Identity theft falls into two categories: true name and account takeover. True name identity theft means that the thief uses your personal information to open a new account: a new credit card account, cell phone service as Sam plans to do, or a new checking account to obtain blank checks. Sam's case is therefore true name identity theft.
Phishing is incorrect because it is a type of social engineering attack intended to obtain personal information, credentials, credit card numbers and financial data. Attackers use a variety of lures to get users to divulge sensitive data. While the goal of a phishing scam is to get victims to hand over their personal information, the goal of identity theft is to use that information for personal or financial gain; attackers may use phishing as a means of committing identity theft.
Since no such technique is described in the question text, this cannot be called a phishing scam.
Pharming is incorrect, as it is a technical attack in which the victim is tricked into submitting personal information to the attacker through a fraudulent website. The victim types a web address such as "www.nicebank.com" into the browser; the request is resolved by a poisoned DNS server that directs the victim to a site under the attacker's control. The site looks like the requested website, the user enters personal information, and the attacker can then use it for identity theft.
We cannot say this is pharming either, because no such technique is described in the question text.
Account takeover identity theft is incorrect because it means using personal information to gain access to a person's existing account rather than opening a new one. Typically the mailing address on the account is changed and large charges are run up before the account holder becomes aware of the problem. The Internet has made it easier for identity thieves to use stolen information, because they can conduct transactions without personal interaction.
#14. As part of the data disposal process, everything on the disk is overwritten multiple times with random zeros and ones, but there are times when such measures are not necessary.
#15. Which of the following should NOT be done in proper hardware disposal procedures?
#16. Jared plays a role in the company’s data classification system. In this role, he must use extreme caution when accessing data, ensure that data is used only in accordance with authorized policies, and follow the rules set for data classification. He does not determine, maintain, or evaluate controls. What is Jared’s role?
An individual who uses data for work-related tasks is a data user. Users must have the level of access to data needed to perform their job duties. They are also responsible for adhering to operational security procedures so that the confidentiality, integrity and availability of the data are preserved for others. This means users must take appropriate care and follow both security policies and data classification rules.
This is incorrect because the data owner has a higher level of responsibility for protecting the data. The data owner is responsible for classifying the data, reviewing the classification level regularly, and delegating the day-to-day protection of the data to the data custodian. The data owner is usually a manager or executive within the organization and is responsible for the protection of the company's information assets.
Incorrect, as the data custodian is responsible for implementing and maintaining security controls as directed by the data owner. In other words, the custodian is the technician of the controls that protect the data. The duties include creating backups, restoring data, implementing and maintaining countermeasures, and managing controls.
×：Information Systems Auditor
Incorrect, as the auditor's responsibility is to evaluate controls. After evaluating them, the auditor reports to management, mapping the findings to the organization's acceptable level of risk. This has nothing to do with using data or taking care in its use.
#17. If the media contains sensitive information, purging must be performed at the end of the media lifecycle. Which of the following adequately describes purging?
〇：To make information physically unrecoverable by any special effort.
Purging is the removal of sensitive data from the medium. Deleting a file in software does not actually erase the data; it only removes the reference to the data's location on disk. If the data on a disk containing sensitive information cannot be completely erased, physical destruction is also required.
×：To change the polarization of atoms on a medium.
This is not a description of purging.
×：Do not authorize the reuse of media in the same physical environment for the same purpose.
While such an approval process may exist in practice, it is not a description of purging as a data deletion method.
×：To make data on media unrecoverable by overwriting it.
Simply overwriting the medium with new information does not by itself rule out recovery of previously written information: a host-level overwrite never reaches remapped sectors on a magnetic disk, and on flash media wear leveling leaves old copies in cells the host cannot address. It therefore does not fit the description of purging, which must defeat recovery by any special effort.
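Questions #3 and #17 both turn on the difference between deleting a file and overwriting the blocks it occupies. The following Python is an added example, not code from the original page, that performs a file-level overwrite the way a purge-by-overwrite tool would: open the existing file for in-place writing so the same blocks are rewritten, fill it with random data, force each pass to the device with `fsync`, and only then unlink it. The function names, the marker bytes and the temporary-file demo are all constructed for this example. It assumes a regular file on a local file system; on a copy-on-write or journaling file system, and on any SSD, the old blocks may survive this procedure, which is exactly why the answer to #17 treats host-level overwriting as insufficient on its own.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write size per iteration; keeps memory flat for large files


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file at `path` with random data `passes`
    times, forcing each pass out to the device. Returns the bytes written per
    pass. The file is opened "r+b" so the existing allocation is rewritten;
    opening with "wb" would truncate first and let the file system hand back
    different blocks, leaving the old ones untouched on the medium."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass from the page cache to the device
    return size


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. The order matters: unlinking first would only
    free the blocks, which is the OS-level "delete" that #3 warns about."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Constructed sample: a file holding a recognisable marker is overwritten
    and read back to confirm no copy of the marker survives in its blocks,
    then sanitized completely. Only the file's logical contents can be
    observed here; what the underlying device retained is not visible."""
    marker = b"CARDHOLDER-PAN-4111111111111111;"  # 32 bytes, constructed test data
    fd, path = tempfile.mkstemp(prefix="purge-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 2048)
    size_before = os.path.getsize(path)
    overwrite_in_place(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    marker_residue = marker in after
    sanitized = sanitize_file(path)
    return {
        "size_before": size_before,
        "size_after": len(after),
        "marker_residue": marker_residue,
        "sanitized_bytes": sanitized,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The demo reports the same size before and after the overwrite, no residue of the marker, and no file afterwards. That is the most a file-level tool can verify; for media that will leave the organization, a purge in the sense of #17 means the drive's own sanitize or cryptographic-erase command, degaussing for magnetic media, or physical destruction, with the overwrite above serving as the Clear step for media reused inside the same security context.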
#18. Which of the following cannot be done by simply assigning a data classification level?
〇：Extraction of data from the database
Data classification specifies which users may read and write the data held in a database; it does not by itself extract data from the database. Therefore, the correct answer is "extraction of data from the database".
This is a question that may make you think "what is this?", but you need to calmly separate the classification of data from the manipulation of data. The longer you spend, the more tempting a contrived answer becomes; staying calm is what matters with abstract questions like this.
×：Grouping hierarchically classified information
This is the primary activity of data classification.
×：Ensuring that non-confidential data is not unnecessarily protected
It is phrased in a roundabout way, but it says that what does not need protection should not be given the cost of protection either, which is one purpose of classification.
×：Understanding the impact of data leakage
Not directly, but understanding the impact of a data breach is part of judging how important the data is when classifying it.
#19. Countries around the world are affected by cyber warfare in many ways. Securing water, power, oil, gas, transportation, and manufacturing systems is a priority for governments, but how does it affect utility and power grid infrastructure? These critical infrastructures are comprised of various types of industrial control systems (ICS) that provide functionality. Which of the following would not be considered an ICS?
〇：Central Control Systems
The most common types of industrial control systems (ICS) are distributed control systems (DCS), programmable logic controllers (PLC) and supervisory control and data acquisition (SCADA) systems. Although these systems provide a kind of central control function, "central control systems" is not a recognized type of ICS, because these systems are inherently distributed. DCSs are used to control production systems in industries such as water, electricity and refining. A DCS connects controllers distributed across geographic locations through a centralized supervisory control loop. The supervisory controller requests status data from the field controllers and feeds it back to a central interface for monitoring; status data from sensors can also be used in failover situations. Because a DCS provides redundancy in a modular fashion, a single failure has limited impact: if one part of the system goes down, the whole system does not.
×：Programmable Logic Controllers
A programmable logic controller (PLC) is a common industrial control system (ICS) used to connect sensors throughout a utility network and convert this sensor signal data into digital data that can be processed by software monitoring and management. Originally created to perform simplified logic functions within basic hardware, PLCs have evolved into powerful controllers used in both SCADA and DCS systems. In SCADA systems, PLCs are most commonly used to communicate with remote field devices, while in DCS systems they are used as local controllers in supervisory control schemes. PLCs provide an application programming interface that allows communication with engineering control software applications.
×：Supervisory Control and Data Acquisition
Supervisory Control and Data Acquisition (SCADA) is used to refer to computerized systems used to collect and process data and apply operational control to components that make up a utility-based environment. This is a common type of ICS. SCADA control centers allow centralized monitoring and control of field sites (e.g., power grid, water supply systems). Field sites have remote station control devices (field devices) that provide data to the central control center. Based on the data sent from the field device, an automated process or operator can control the remote device to solve a problem or send commands to change the configuration for operational needs. This is a difficult environment to work within because the hardware and software is usually proprietary to a particular industry. It is privately owned and operated. Communication can be via telecommunication links, satellites, and microwave-based systems.
×：Distributed Control Systems
This is incorrect because Distributed Control Systems (DCS) are a common type of ICS. In a DCS, control elements are not centralized; they are distributed throughout the system and managed by one or more computers. SCADA systems, DCSs and PLCs are used in industrial sectors such as water, oil and gas, electricity and transportation. These systems are considered "critical infrastructure" and are highly interconnected and interdependent. Historically, these environments did not use the same technologies and protocols as the Internet, so they were isolated and hard to attack. Over time these proprietary environments were converted to IP-based ones, with IP-based workstations connected to networking devices. While that transition allows centralized management and control, it also exposes them to the same kinds of cyber attack the rest of the computing industry has always faced.
#20. Susan is an attorney. She has been hired to fill the new position of Chief Privacy Officer (CPO) at Ride. What is her primary role?
〇：Ensure the security of customer, company, and employee data.
The Chief Privacy Officer (CPO) is responsible for ensuring the security of customer, company and employee data; the CPO is directly involved in setting policy on how data is collected, protected and distributed to third parties. The CPO is usually an attorney and reports findings to the Chief Security Officer (CSO). Thus the correct answer is "Ensure the security of customer, company, and employee data".
Perhaps you did not know what a CPO is. The point of this question is whether you can infer the protection of personal information from the word "privacy". When you meet unfamiliar words in the actual exam, do not give up on them just because you do not know what they mean; there are always hints.
×：Ensure the protection of partner data.
CPOs are responsible for ensuring the security of customer, company, and employee data.
Partner data may also be protected, but that is not the primary role.
×：Ensuring the accuracy and protection of company financial information.
This is not considered to be a protection of privacy.
×：Ensuring that security policies are defined and implemented.
This is a common objective for all personnel and responsible parties and is not specific to the role of Chief Privacy Officer (CPO).