Full-length practice tests covering all CISSP domains for the ultimate in exam prep

The CISSP Official (ISC)² Practice Tests is a major resource for CISSP candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain so you can practice on any domains you know you need to brush up on. After that, you get two unique 250-question practice exams to help you master the material and practice simulated exam taking well in advance of the exam. The two practice exams cover all exam domains, and are included in identical proportion to the exam itself to help you gauge the relative importance of each topic covered. As the only official practice tests endorsed by the (ISC)², this book gives you the advantage of full and complete preparation: coverage includes Security and Risk Management; Asset Security; Security Engineering; Communication and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; and Software Development Security. These practice tests align with the 2015 version of the exam to ensure up-to-date preparation, and are designed to simulate what you'll see on exam day. The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.

* Align your preparation with the 2015 CISSP Body of Knowledge
* Test your knowledge of all exam domains
* Identify areas in need of further study
* Gauge your progress throughout your exam preparation

The Certified Information Systems Security Professional exam is refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently-aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding.
The CISSP Official (ISC)² Practice Tests is your secret weapon for success, and the ideal preparation tool for the savvy CISSP candidate.
Page count: 657
Year of publication: 2016
David Seidl
Mike Chapple
Executive Editor: Jim Minatel
Development Editor: Kim Wimpsett
Technical Editors: Jeff Parker and Addam Schroll
Production Editor: Christine O'Connor
Copy Editors: Judy Flynn and Elizabeth Welch
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Book Designers: Bill Gibson and Judy Fung
Proofreader: Nancy Carrasco
Indexer: Ted Laux
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: Getty Images Inc./Jeremy Woodhouse
Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-25228-3 ISBN: 978-1-119-28804-6 (ebk.) ISBN: 978-1-119-25229-0 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2016941726
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CISSP are registered trademarks of International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For Renee, the most patient and caring person I know. Thank you for being the heart of our family. —MJC
This book is for Lauren, who supports me through each writing endeavor, and for the wonderful teachers and professors who shared both their knowledge and their lifelong love of learning with me. —DAS
The authors would like to thank the many people who made this book possible. Jim Minatel at Wiley Publishing helped us extend the Sybex CISSP franchise to include this new title and gain important support from the International Information Systems Security Consortium (ISC)2. Carole Jelen, our agent, worked on a myriad of logistic details and handled the business side of the book with her usual grace and commitment to excellence. Addam Schroll, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. Jeff Parker’s technical proofing ensured a polished product. Kim Wimpsett served as developmental editor and managed the project smoothly. Many other people we’ll never meet worked behind the scenes to make this book a success.
Mike Chapple, Ph.D., CISSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2015), now in its seventh edition. He is an information security professional with two decades of experience in higher education, the private sector, and government.
Mike currently serves as Senior Director for IT Service Delivery at the University of Notre Dame. In this role, he oversees the information security, data governance, IT architecture, project management, strategic planning, and product management functions for Notre Dame. Mike also serves as a concurrent assistant professor in the university’s Computing and Digital Technologies department, where he teaches undergraduate courses on information security.
Before returning to Notre Dame, Mike served as Executive Vice President and Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.
He is a technical editor for Information Security Magazine and has written 20 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2015), the CompTIA Security+ Training Kit (Microsoft Press, 2013), and the CISSP Study Guide (Sybex, 7th edition, 2015).
Mike earned both his BS and Ph.D. degrees from Notre Dame in computer science & engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University.
David Seidl, CISSP, is the Senior Director for Campus Technology Services at the University of Notre Dame. As the Senior Director for CTS, David is responsible for central platform and operating system support, database administration and services, identity and access management, application services, and email and digital signage. Prior to his current role, he was Notre Dame’s Director of Information Security.
David teaches a popular course on networking and security for Notre Dame’s Mendoza College of Business. In addition to his professional and teaching roles, he has co-authored the CompTIA Security+ Training Kit (Microsoft Press, 2013) and Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2015), and served as the technical editor for the 6th (Sybex, 2012) and 7th (Sybex, 2015) editions of the CISSP Study Guide. David holds a bachelor’s degree in communication technology and a master’s degree in information security from Eastern Michigan University, as well as CISSP, GPEN, and GCIH certifications.
Introduction
Chapter 1 Security and Risk Management (Domain 1)
Chapter 2 Asset Security (Domain 2)
Chapter 3 Security Engineering (Domain 3)
Chapter 4 Communication and Network Security (Domain 4)
Chapter 5 Identity and Access Management (Domain 5)
Chapter 6 Security Assessment and Testing (Domain 6)
Chapter 7 Security Operations (Domain 7)
Chapter 8 Software Development Security (Domain 8)
Chapter 9 Practice Test 1
Chapter 10 Practice Test 2
Appendix Answers to Review Questions
Advert
EULA
CISSP Official (ISC)2 Practice Tests is a companion volume to the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. If you’re looking to test your knowledge before you take the CISSP exam, this book will help you by providing a combination of 1,300 questions that cover the CISSP Common Body of Knowledge and easy-to-understand explanations of both right and wrong answers.
If you’re just starting to prepare for the CISSP exam, we highly recommend that you use the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition (Stewart/Chapple/Gibson, Sybex, 2015), to help you learn about each of the domains covered by the CISSP exam. Once you’re ready to test your knowledge, use this book to help find places where you may need to study more, or to practice for the exam itself.
Since this is a companion to the CISSP Study Guide, this book is designed to be similar to taking the CISSP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book itself is broken up into 10 chapters: 8 domain-centric chapters with 100 questions about each domain, and 2 chapters that contain 250-question practice tests to simulate taking the exam itself.
The CISSP certification is offered by the International Information System Security Certification Consortium, or (ISC)2, a global nonprofit. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. They achieve this mission by delivering the world’s leading information security certification program. The CISSP is the flagship credential in this series and is accompanied by several other (ISC)2 programs:
Systems Security Certified Practitioner (SSCP)
Certified Authorization Professional (CAP)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Cyber Forensic Professional (CCFP)
HealthCare Information Security Privacy Practitioner (HCISPP)
Certified Cloud Security Professional (CCSP)
There are also three advanced CISSP certifications for those who wish to move on from the base credential to demonstrate advanced expertise in a domain of information security:
Information Systems Security Architecture Professional (CISSP-ISSAP)
Information Systems Security Engineering Professional (CISSP-ISSEP)
Information Systems Security Management Professional (CISSP-ISSMP)
The CISSP certification covers eight domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession. They include:
Security and Risk Management
Asset Security
Security Engineering
Communication and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
The CISSP domains are periodically updated by (ISC)2. The last revision in April 2015 changed from 10 domains to the 8 listed here, and included a major realignment of topics and ideas. At the same time, a number of new areas were added or expanded to reflect changes in common information security topics.
Complete details on the CISSP Common Body of Knowledge (CBK) are contained in the Candidate Information Bulletin (CIB). The CIB, which includes a full outline of exam topics, can be found on the ISC2 website at www.isc2.org.
The CISSP exam is a 6-hour exam that consists of 250 questions covering the eight domains. Passing requires achieving a score of at least 700 out of 1,000 points. It’s important to understand that this is a scaled score, meaning that not every question is worth the same number of points. Questions of differing difficulty may factor into your score more or less heavily. That said, as you work through these practice exams, you might want to use 70 percent as a yardstick to help you get a sense of whether you’re ready to sit for the actual exam. When you’re ready, you can schedule an exam via links provided on the (ISC)2 website—tests are offered in locations throughout the world.
Questions on the CISSP exam are provided in both multiple-choice form and what (ISC)2 calls “advanced innovative” questions, which are drag and drop and hotspot questions, both of which are offered in computer-based testing environments. Innovative questions are scored the same as traditional multiple-choice questions and have only one right answer.
Almost all CISSP exams are now administered in a computer-based testing (CBT) format. You’ll register for the exam through the Pearson Vue website and may take the exam in the language of your choice. It is offered in English, French, German, Portuguese, Spanish, Japanese, Simplified Chinese, Korean, and a format for the visually impaired.
You’ll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you’d like to become more familiar with the testing environment, the Pearson Vue website offers a virtual tour of a testing center: https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx
When you sit down to take the exam, you’ll be seated at a computer that has the exam software already loaded and running. It’s a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from Pearson at: http://www.vue.com/athena/athena.asp
If you don’t pass the CISSP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and CISSP exam format. You’ll also have time to study up on the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you must then wait 90 days before your third attempt and 180 days before your fourth attempt. You may not take the exam more than three times in a single calendar year.
Candidates who wish to earn the CISSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information security field. Your work experience must cover activities in at least two of the eight domains of the CISSP program and must be paid, full-time employment. Volunteer experiences or part-time duties are not acceptable to meet the CISSP experience requirement.
You may be eligible to waive one of the five years of the work experience requirement based on your educational achievements. If you hold a bachelor’s degree or four-year equivalent, you may be eligible for a degree waiver that covers one of those years. Similarly, if you hold one of the information security certifications on the current (ISC)2 credential waiver list (https://www.isc2.org/credential_waiver/default.aspx), you may also waive a year of the experience requirement. You may not combine these two programs. Holders of both a certification and an undergraduate degree must still demonstrate at least four years of experience.
If you haven’t yet completed your work experience requirement, you may still attempt the CISSP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have six years to complete the work experience requirement.
Once you’ve earned your CISSP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CISSP exam.
Currently, the annual maintenance fees for the CISSP credential are $85 per year. Individuals who hold one of the advanced CISSP concentrations will need to pay an additional $35 annually for each concentration they hold.
The CISSP CPE requirement mandates earning at least 40 CPE credits each year toward the 120-credit three-year requirement. (ISC)2 provides an online portal where certificants may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
This book is composed of 10 chapters. Each of the first eight chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine if you’re ready for the CISSP exam.
We recommend taking the first practice exam to help identify where you may need to spend more study time, and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the second practice exam to make sure you’ve covered all of the material and are ready to attempt the CISSP exam.
1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
A. Man-in-the-middle, VPN
B. Packet injection, encryption
C. Sniffing, encryption
D. Sniffing, TEMPEST

2. COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
A. Business owners
B. Data processors
C. Data owners
D. Data stewards

3. What term is used to describe a starting point for a minimum security standard?
A. Outline
B. Baseline
C. Policy
D. Configuration guide

4. When media is labeled based on the classification of the data it contains, what rule is typically applied regarding labels?
A. The data is labeled based on its integrity requirements.
B. The media is labeled based on the highest classification level of the data it contains.
C. The media is labeled with all levels of classification of the data it contains.
D. The media is labeled with the lowest level of classification of the data it contains.

5. The need to protect sensitive data drives what administrative process?
A. Information classification
B. Remanence
C. Transmitting data
D. Clearing

6. How can a data retention policy help to reduce liabilities?
A. By ensuring that unneeded data isn’t retained
B. By ensuring that incriminating data is destroyed
C. By ensuring that data is securely wiped so it cannot be restored for legal discovery
D. By reducing the cost of data storage required by law

7. Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?
A. Business owner
B. User
C. Data processor
D. Custodian

8. Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers?
A. Encrypt the data at all times.
B. Label and classify the data according to HIPAA.
C. Conduct yearly assessments to the EU DPD baseline.
D. Comply with the US-EU Safe Harbor requirements.

9. Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?
A. It applies in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?
A. Clearing
B. Erasing
C. Purging
D. Sanitization

11. Which of the following classification levels is the US government’s classification label for data that could cause damage but wouldn’t cause serious or grave damage?
A. Top Secret
B. Secret
C. Confidential
D. Classified

12. What issue is common to spare sectors and bad sectors on hard drives as well as overprovisioned space on modern SSDs?
A. They can be used to hide data.
B. They can only be degaussed.
C. They are not addressable, resulting in data remanence.
D. They may not be cleared, resulting in data remanence.

13. What term describes data that remains after attempts have been made to remove the data?
A. Residual bytes
B. Data remanence
C. Slack space
D. Zero fill

For questions 14, 15, and 16, please refer to the following scenario:
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
14. What civilian data classifications best fit this data?
A. Unclassified, confidential, top secret
B. Public, sensitive, private
C. Public, sensitive, proprietary
D. Public, confidential, private

15. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata

16. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion?
A. TLS at rest and AES in motion
B. AES at rest and TLS in motion
C. VPN at rest and TLS in motion
D. DES at rest and AES in motion

17. What does labeling data allow a DLP system to do?
A. The DLP system can detect labels and apply appropriate protections.
B. The DLP system can adjust labels based on changes in the classification scheme.
C. The DLP system can notify the firewall that traffic should be allowed through.
D. The DLP system can delete unlabeled data.

18. Why is it cost effective to purchase high-quality media to contain sensitive data?
A. Expensive media is less likely to fail.
B. The value of the data often far exceeds the cost of the media.
C. Expensive media is easier to encrypt.
D. More expensive media typically improves data integrity.

19. Chris is responsible for workstations throughout his company and knows that some of the company’s workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for?
A. Erasing
B. Clearing
C. Sanitization
D. Destruction

20. Which is the proper order from least to most sensitive for US government classifications?
A. Confidential, Secret, Top Secret
B. Confidential, Classified, Secret
C. Top Secret, Secret, Classified, Public, Classified, Top Secret
D. Public, Unclassified, Classified, Top Secret

21. What scenario describes data at rest?
A. Data in an IPsec tunnel
B. Data in an e-commerce transaction
C. Data stored on a hard drive
D. Data stored in RAM

22. If you are selecting a security standard for a Windows 10 system that processes credit cards, what security standard is your best choice?
A. Microsoft’s Windows 10 security baseline
B. The CIS Windows 10 baseline
C. PCI DSS
D. The NSA Windows 10 baseline

Use the following scenario for questions 23, 24, and 25.
The Center for Internet Security (CIS) works with subject matter experts from a variety of industries to create lists of security controls for operating systems, mobile devices, server software, and network devices. Your organization has decided to use the CIS benchmarks for your systems. Answer the following questions based on this decision.
23. The CIS benchmarks are an example of what practice?
A. Conducting a risk assessment
B. Implementing data labeling
C. Proper system ownership
D. Using security baselines

24. Adjusting the CIS benchmarks to your organization’s mission and your specific IT systems would involve what two processes?
A. Scoping and selection
B. Scoping and tailoring
C. Baselining and tailoring
D. Tailoring and selection

25. How should you determine what controls from the baseline a given system or software package should receive?
A. Consult the custodians of the data.
B. Select based on the data classification of the data it stores or handles.
C. Apply the same controls to all systems.
D. Consult the business owner of the process the system or data supports.

26. What problem with FTP and Telnet makes using SFTP and SSH better alternatives?
A. FTP and Telnet aren’t installed on many systems.
B. FTP and Telnet do not encrypt data.
C. FTP and Telnet have known bugs and are no longer maintained.
D. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

27. The government defense contractor that Saria works for has recently shut down a major research project and is planning on reusing the hundreds of thousands of dollars of systems and data storage tapes used for the project for other purposes. When Saria reviews the company’s internal processes, she finds that she can’t reuse the tapes and that the manual says they should be destroyed. Why isn’t Saria allowed to degauss and then reuse the tapes to save her employer money?
A. Data permanence may be an issue.
B. Data remanence is a concern.
C. The tapes may suffer from bitrot.
D. Data from tapes can’t be erased by degaussing.

28. Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information?
A. Personally identifiable information (PII)
B. Personal health information (PHI)
C. Social Security number (SSN)
D. Secure identity information (SII)

29. What is the primary information security risk to data at rest?
A. Improper classification
B. Data breach
C. Decryption
D. Loss of data integrity

30. Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?
A. Data in transit
B. Data at rest
C. Unlabeled data
D. Labeled data

31. Sue’s employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
A. Send decrypted data over a public network and act like she is on her employer’s internal network.
B. Create a private encrypted network carried via a public network and act like she is on her employer’s internal network.
C. Create a virtual private network using TLS while on her employer’s internal network.
D. Create a tunneled network that connects her employer’s network to her internal home network.

32. What is the primary purpose of data classification?
A. It quantifies the cost of a data breach.
B. It prioritizes IT expenditures.
C. It allows compliance with breach notification laws.
D. It identifies the value of the data to the organization.

33. Fred’s organization allows downgrading of systems for reuse after projects have been finished and the systems have been purged. What concern should Fred raise about the reuse of the systems from his Top Secret classified project for a future project classified as Secret?
A. The Top Secret data may be commingled with the Secret data, resulting in a need to relabel the system.
B. The cost of the sanitization process may exceed the cost of new equipment.
C. The data may be exposed as part of the sanitization process.
D. The organization’s DLP system may flag the new system due to the difference in data labels.

34. Which of the following concerns should not be part of the decision when classifying data?
A. The cost to classify the data
B. The sensitivity of the data
C. The amount of harm that exposure of the data could cause
D. The value of the data to the organization

35. Which of the following is the least effective method of removing data from media?
A. Degaussing
B. Purging
C. Erasing
D. Clearing

36. Safe Harbor is part of a US program to meet what European Union law?
A. The EU CyberSafe Act
B. The Network and Information Security (NIS) directives
C. The General Data Protection Regulation (GDPR)
D. The EU Data Protection Directive

Use the following scenario to answer questions 37, 38, and 39.
The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit.
Classification: Confidential (HIPAA)
Handling Requirements:
  - Encrypt at rest and in transit.
  - Full disk encryption required for all workstations.
  - Files can only be sent in encrypted form, and passwords must be transferred under separate cover.
  - Printed documents must be labeled with “HIPAA handling required.”

Classification: Private (PHI)
Handling Requirements:
  - Encrypt at rest and in transit.
  - PHI must be stored on secure servers, and copies should not be kept on local workstations.
  - Printed documents must be labeled with “Private.”

Classification: Sensitive (business confidential)
Handling Requirements:
  - Encryption is recommended but not required.

Classification: Public
Handling Requirements:
  - Information can be sent unencrypted.