
ISC2 CISSP - Certified Information Systems Security Professional Certification Exam

Question #1 (Topic: Demo Questions)

Which of the following represents the GREATEST risk to data confidentiality?

A.
Network redundancies are not implemented
B.
Security awareness training is not completed
C.
Backup tapes are generated unencrypted
D.
Users have administrative privileges
Correct Answer: C
Explanation:
Generating backup tapes unencrypted represents the greatest risk to data confidentiality, because it exposes the data to unauthorized access or disclosure if the tapes are lost, stolen, or intercepted. Backup tapes are often stored off-site or transported to remote locations, which increases the chance of their falling into the wrong hands; if the tapes are unencrypted, anyone who obtains them can read the data without difficulty. Backup tapes should therefore always be encrypted using strong algorithms and keys, and the keys should be protected and managed separately from the tapes. The other options pose less risk to data confidentiality than unencrypted backup tapes. Not implementing network redundancies affects the availability and reliability of the network, but not necessarily the confidentiality of the data. Not completing security awareness training increases the likelihood of human error or negligence that could compromise the data, but less directly than unencrypted backup tapes. Giving users administrative privileges grants them more access to and control over the system and the data, but the exposure is not as wide as that created by unencrypted backup tapes.
Question #2 (Topic: Demo Questions)

Which of the following is MOST important when assigning ownership of an asset to a department? 

A.
The department should report to the business owner
B.
Ownership of the asset should be periodically reviewed
C.
Individual accountability should be ensured
D.
All members should be trained on their responsibilities 
Correct Answer: C
Explanation:
When assigning ownership of an asset to a department, the most important factor is to ensure individual accountability for the asset. Individual accountability means that each person who has access to or uses the asset is responsible for its protection and proper handling, and that each person who causes or contributes to a security breach or incident involving the asset can be identified and held liable. Individual accountability can be achieved by implementing security controls such as authentication, authorization, auditing, and logging. The other options are less important than ensuring individual accountability, as they do not directly address the security risks associated with the asset. Having the department report to the business owner is a management issue, not a security issue. Periodically reviewing ownership of the asset is good practice, but it does not prevent misuse or abuse of the asset. Training all members on their responsibilities is a preventive measure, but it does not guarantee compliance with or enforcement of those responsibilities.

Question #3 (Topic: Demo Questions)

Which of the following BEST describes the responsibilities of a data owner? 

A.
Ensuring quality and validation through periodic audits for ongoing data integrity
B.
Maintaining fundamental data availability, including data storage and archiving
C.
Ensuring accessibility to appropriate users, maintaining appropriate levels of data security
D.
Determining the impact the information has on the mission of the organization 
Correct Answer: D
Explanation:
The best description of the responsibilities of a data owner is determining the impact the information has on the mission of the organization. A data owner is a person or entity that has the authority and accountability for the creation, collection, processing, and disposal of a set of data. A data owner is also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. A data owner should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which establishes the appropriate level of protection and handling for the data. The other options do not describe the responsibilities of a data owner, but rather those of other roles or functions related to data management. Ensuring quality and validation through periodic audits for ongoing data integrity is a responsibility of a data steward, who is a person or entity that oversees the quality, consistency, and usability of the data. Maintaining fundamental data availability, including data storage and archiving, is a responsibility of a data custodian, who is a person or entity that implements and maintains the technical and physical security of the data. Ensuring accessibility to appropriate users and maintaining appropriate levels of data security is a responsibility of a data controller, who is a person or entity that determines the purposes and means of processing the data.
Question #4 (Topic: Demo Questions)

What is the PRIMARY reason for implementing change management?

A.
Certify and approve releases to the environment
B.
Provide version rollbacks for system changes
C.
Ensure that all applications are approved
D.
Ensure accountability for changes to the environment
Correct Answer: D
Explanation:
Ensuring accountability for changes to the environment is the primary reason for implementing change management. Change management is a process that ensures that any changes to the system or network environment, such as the hardware, software, configuration, or documentation, are planned, approved, implemented, and documented in a controlled and consistent manner. Change management can provide several benefits, such as:
- Improving the security and reliability of the system or network environment by preventing or reducing the errors, conflicts, or disruptions that might occur due to the changes
- Enhancing the performance and efficiency of the system or network environment by optimizing the resources and functions
- Increasing the compliance and alignment of the system or network environment with the internal or external requirements and standards
- Facilitating the monitoring and improvement of the system or network environment by tracking and logging the changes and their outcomes
Ensuring accountability for changes to the environment is the primary reason for implementing change management, because it can ensure that the changes are authorized, justified, and traceable, and that the parties involved in the changes are responsible and accountable for their actions and results. Accountability can also help to deter or detect any unauthorized or malicious changes that might compromise the system or network environment.
The other options are not the primary reasons for implementing change management, but rather secondary or specific reasons for different aspects or phases of change management. Certifying and approving releases to the environment is a reason for implementing change management, but it is more relevant for the approval phase of change management, which is the phase that involves reviewing and validating the changes and their impacts, and granting or denying the permission to proceed with the changes. Providing version rollbacks for system changes is a reason for implementing change management, but it is more relevant for the implementation phase of change management, which is the phase that involves executing and monitoring the changes and their effects, and providing the backup and recovery options for the changes. Ensuring that all applications are approved is a reason for implementing change management, but it is more relevant for the application changes, which are the changes that affect the software components or services that provide the functionality or logic of the system or network environment.
Question #5 (Topic: Demo Questions)

Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee’s salary?

A.
Limit access to predefined queries
B.
Segregate the database into a small number of partitions each with a separate security level
C.
Implement Role Based Access Control (RBAC)
D.
Reduce the number of people who have access to the system for statistical purposes
Correct Answer: A
Explanation:
Limiting access to predefined queries is the control that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees. A query is a request for information from a database, which can be expressed in a structured query language (SQL) or a graphical user interface (GUI). A query can specify the criteria, conditions, and operations for selecting, filtering, sorting, grouping, and aggregating the data from the database. A predefined query is a query that has been created and stored in advance by the database administrator or the data owner, and that can be executed by the authorized users without any modification. A predefined query can provide several benefits, such as:
- Improving the performance and efficiency of the database by reducing the processing time and resources required for executing the queries
- Enhancing the security and confidentiality of the database by restricting the access and exposure of the sensitive data to the authorized users and purposes
- Increasing the accuracy and reliability of the database by preventing the errors or inconsistencies that might occur due to the user input or modification of the queries
- Reducing the cost and complexity of the database by simplifying the query design and management
Limiting access to predefined queries is the control that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees, because it can ensure that the users can only access the data that is relevant and necessary for their tasks, and that they cannot access or manipulate the data that is beyond their scope or authority. For example, a predefined query can be created and stored that calculates and displays the average salary of groups of employees based on certain criteria, such as department, position, or experience. The users who need to view this information can execute this predefined query, but they cannot modify it or create their own queries that might reveal the individual employee’s salary or other sensitive data.
The other options are not the controls that would prevent the users from obtaining an individual employee’s salary, if they only require access rights that allow them to view the average salary of groups of employees, but rather controls that have other purposes or effects. Segregating the database into a small number of partitions each with a separate security level is a control that would improve the performance and security of the database by dividing it into smaller and manageable segments that can be accessed and processed independently and concurrently. However, this control would not prevent the users from obtaining an individual employee’s salary, if they have access to the partition that contains the salary data, and if they can create or modify their own queries. Implementing Role Based Access Control (RBAC) is a control that would enforce the access rights and permissions of the users based on their roles or functions within the organization, rather than their identities or attributes. However, this control would not prevent the users from obtaining an individual employee’s salary, if their roles or functions require them to access the salary data, and if they can create or modify their own queries. Reducing the number of people who have access to the system for statistical purposes is a control that would reduce the risk and impact of unauthorized access or disclosure of the sensitive data by minimizing the exposure and distribution of the data. However, this control would not prevent the users from obtaining an individual employee’s salary, if they are among the people who have access to the system, and if they can create or modify their own queries.
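The following is an added example, not part of the original question bank, showing what "limit access to predefined queries" looks like in code. Statistical users never submit SQL text; they may only name one of the queries the data owner stored in advance, with their parameters bound rather than concatenated. The example also adds one check the explanation does not mention but a practitioner would want: a minimum group size (here the assumed policy value 3), so that an "average" over a department with a single employee does not simply reveal that employee's salary. The table contents, department names and salaries are constructed sample data; the query names and the `MIN_GROUP_SIZE` policy are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration; not real employees.
EMPLOYEES = [
    ("Alice", "Engineering", 120000),
    ("Bob",   "Engineering", 110000),
    ("Carol", "Engineering", 130000),
    ("Dan",   "Engineering", 100000),
    ("Erin",  "Engineering", 140000),
    ("Frank", "Finance",      90000),
    ("Grace", "Finance",      95000),
    ("Heidi", "Legal",       150000),   # sole member of Legal: an average would equal her salary
]

# Assumed policy: an aggregate is only returned when it covers at least this many people.
MIN_GROUP_SIZE = 3

# The only queries a statistical user may run. The SQL text is fixed by the data owner;
# the user supplies parameter values only, and the minimum group size is always bound last.
PREDEFINED_QUERIES = {
    "avg_salary_by_department": (
        "SELECT department, COUNT(*) AS n, AVG(salary) AS avg_salary "
        "FROM employees GROUP BY department "
        "HAVING COUNT(*) >= ? ORDER BY department"
    ),
    "avg_salary_for_department": (
        "SELECT COUNT(*) AS n, AVG(salary) AS avg_salary "
        "FROM employees WHERE department = ? "
        "GROUP BY department HAVING COUNT(*) >= ?"
    ),
}


class QueryNotPermitted(Exception):
    """Raised when a caller names something that is not a stored, predefined query."""


def build_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def run_predefined(conn, name, *params):
    """Execute a predefined query by name. Arbitrary SQL text is rejected, because
    only keys of PREDEFINED_QUERIES are accepted; user input is never part of the SQL."""
    if name not in PREDEFINED_QUERIES:
        raise QueryNotPermitted(f"{name!r} is not a predefined query")
    sql = PREDEFINED_QUERIES[name]
    return conn.execute(sql, (*params, MIN_GROUP_SIZE)).fetchall()


def department_average(conn, department):
    """Average salary for one department, or None when the group is too small to release."""
    rows = run_predefined(conn, "avg_salary_for_department", department)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = build_db()
    # Only Engineering (5 people) clears the minimum group size; Finance and Legal are suppressed.
    print(run_predefined(db, "avg_salary_by_department"))
    print("Engineering:", department_average(db, "Engineering"))
    print("Legal:", department_average(db, "Legal"))
    try:
        run_predefined(db, "SELECT salary FROM employees WHERE name = 'Heidi'")
    except QueryNotPermitted as exc:
        print("rejected:", exc)
```

The minimum-group-size check covers the obvious failure mode (a group of one), but it is not a complete inference control on its own: results of several permitted queries over overlapping groups can still be combined, so the data owner should review the whole set of predefined queries together, not just each one in isolation.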