WGU C725 Practice Test

C725 Practice Test Which groups typically report to the chief security officer (CSO)? - ✔✔Security engineering and operations A company is considering which controls to buy to protect an asset. What should the price ...

C725 Practice Test Which groups typically report to the chief security officer (CSO)? - ✔✔Security engineering and operations A company is considering which controls to buy to protect an asset. What should the price of the controls be in relation to the cost of the asset? - ✔✔Less than the annual loss expectancy An employee uses a secure hashing algorithm for message integrity. The employee sends a plain text message with the embedded hash to a colleague. A rogue device receives and retransmits the message to its destination. Once received and checked by the intended recipient, the hashes do not match. Which STRIDE concept has been violated? - ✔✔Tampering An attacker accesses private emails between the company's CISO and board members. The attacker then publishes the emails online. Which type of an attack is this, according to the STRIDE model? - ✔✔Information disclosure A system data owner needs to give access to a new employee, so the owner formally requests that the system administrator create an account and permit the new employee to use systems necessary to the job. Which type of control does the system administrator use to grant these permissions? - ✔✔Access The chief information security officer (CISO) for an organization knows that the organization's datacenter lacks the physical controls needed to adequately control access to sensitive corporate systems. The CEO, CIO, and CFO feel that the current physical access is within a tolerable risk level, and they agree not to pay for upgrades to the facility. Which risk management strategy has the senior leadership decided to employ? - ✔✔Acceptance Which phase of the software development life cycle follows system design? - ✔✔Development Which question relates to the functional aspect of computer security? - ✔✔Does the system do the right things in the right way? Which action is an example of a loss of information integrity based on the CIA triad? - ✔✔A security engineer accidentally scrambles information in a database. What is included in quantitative risk analysis? - ✔✔Risk ranking What is a fundamentally objective concept in determining risk? - ✔✔Resource costs Which domain of the (ISC)² Common Body of Knowledge addresses procedures and tools that eliminate or reduce the capability to exploit critical information? - ✔✔Operations Security Which domain of the (ISC)² Common Body of Knowledge addresses identification, authentication, authorization, and logging and monitoring techniques and technologies? - ✔✔Access Control Which type of policy establishes a security plan, assigns management responsibilities, and states an organization's computer security objectives? - ✔✔Program-level A company consults a best practices manual from its vendor while deploying a new IT system. Which type of document does this exemplify? - ✔✔Guidelines An organization has all of its offices in several different buildings that are situated on a large city block. Which type of network is specifically suited to connect these offices to the organization's network - ✔✔Campus A network security engineer is tasked with preparing audit reports for the auditor. The internal auditor sends the reports to the external auditor who discovers that fraud was committed and that the network security engineer has falsified the reports. Which security principle should be used to stop this type of fraud from happening? - ✔✔Separation of duties An employee has worked for the same organization for years and still has access to legal files even though this employee now works in accounting. Which principle has been violated? - ✔✔Least privilege A sales specialist is a normal user of a corporate network. The corporate network uses subjects, objects, and labels to grant users access. Which access control methodology is the corporation using? - ✔✔Mandatory What is considered a valid method for testing an organization's disaster recovery plan, according to the Certified Information Systems Security Professional (CISSP)? - ✔✔Checklist Who directs policies and procedures that are designed to protect information resources in an organization? - ✔✔Information resources security officer Which topics should be included in employee security training program? - ✔✔Social engineering, shoulder surfing, phishing, malware What is a threat to business operations - ✔✔Sophisticated hacking tools purchased by a disgruntled employee Which statement describes a threat? - ✔✔Spear fishing attack Which type of control reduces the effect of an attack? - ✔✔Corrective Which security control should be included in a risk management policy? - ✔✔Exception process The organization applies comprehensive hardening to all its computer assets. Due to the high cost of accomplishing this, the security manager decides to withhold any further spending on IT security for the remainder of the year. The manager believes that because of the complexity and secrecy of the organization's security configuration, these computer assets are relatively safe. Which flawed security principle is the security manager relying on - ✔✔Security through obscurity The company receives notification from its security monitoring service that an unauthorized physical breach of its datacenter occurred. The perpetrator was able to guess the correct code to the keypad device that controls access. Which type of risk management control could have prevented this breach from occurring? - ✔✔Multifactor authentication 45 The company identifies a risk with an asset that has relatively low value. The cost to secure the asset is $2 million. An insurance company will insure the loss of the asset for $150,000 a year. The company decides not to take any action to protect the asset. Which risk management strategy did the company choose to follow? - ✔✔45 Acceptance Which type of system controls preserves the state of the system before a crash and prevents further damage or unauthorized access to a system? - ✔✔Fail secure A software development company follows a process where software is moved from the development environment, to the testing environment for quality assurance, and then on to production. Which individual should be restricted from migrating the software to the production environment? - ✔✔Lead programmer After an audit of user access, a CIO is concerned about improperly granted permissions. Which type of user access should the CIO be most concerned with? - ✔✔Elevated Which attack uses common words and phrases to guess passwords? - ✔✔Dictionary What is a disadvantage of discretionary access control (DAC)? - ✔✔Empowers owners to decide access levels Which password problem persists when accessing information and systems even with a strong password management and creation policy? - ✔✔Passwords are repudiable. An organization wants to update its policies that govern email acceptable use, internet acceptable use, laptop security, and wireless security. Which type of policies should the organization update to accomplish this? - ✔✔Issue Specific Which type of documents do organizations use to explain step-by-step instructions? - ✔✔Procedures Data entry specialists at a hospital are only supposed to be able to enter new patient records into the database but not be able to access existing records. Because the permissions were not set correctly, some data entry specialists have been accessing existing patient records and making unauthorized changes. Hospital administrators want be able to easily grant permissions based on job type. Which security principle should the organization implement to solve this problem? - ✔✔RBAC A company was the victim of a phishing attack. This attack occurred because a cybercriminal recovered employee company email addresses from a stolen laptop. How should employee company email addresses be classified? - ✔✔Business sensitive An accountant finds an error in the way interest is credited to customer accounts. The IT department traces the error to a patch that IT put on the software used to track customer accounts. The error cost the organization about $100,000 in overpayments. What is the IT department's role in this case? - ✔✔Custodian Which type of hypervisor installs directly onto the hardwar