- COSO (Committee of Sponsoring Organisations of the Treadway Commission) was originally created in 1985 and is supported by five private sector organisations. What was the primary reason for COSO’s formation?
(a) To provide organisations with a framework for implementing secure information systems
(b) To define a set of techniques that allow organisations to self-regulate, independent of government controls
(c) Assisting with corporate alignment of IT with business objectives
(d) To provide thought leadership on management techniques for enterprise executives
(e) To define risk management processes for publicly-traded companies
(f) Addressing issues that lead to and allow for fraudulent financial reporting
Answer:
(f) Addressing issues that lead to and allow for fraudulent financial reporting
Explanation:
COSO is a joint initiative to combat corporate fraud.
- Kerberos, a network authentication protocol developed at MIT in the late 80s/early 90s, serves as the default authentication mechanism for Microsoft’s Active Directory. Kerberos has built-in protections against authentication replay attacks. Which of the following mechanisms provide that protection?
(a) SHA-256 hashes
(b) Time stamps
(c) Software tokens
(d) Pre-shared keys
(e) NTLMv2
(f) AES
Answer:
(b) Time stamps
- Which of the following operates at Layer 2 of the OSI model?
(a) TPM
(b) IP headers
(c) SDLC
(d) Logical Link Control
(e) Modulation
(f) Flow labels
Answer:
(d) Logical Link Control (LLC)
Explanation:
The Ethernet concepts of LLC & MAC operate at Layer 2. Layer 3 is concerned with IP headers and flow labels (IPv6). Modulation happens at the physical layer (Layer 1).
- COBIT (Control Objectives for Information & Related Technology) is comprised of four broad domains and 34 processes. COBIT’s purpose is to provide a framework for IT management & governance. What are the four domains of COBIT? (Choose four options)
(a) Deliver & support
(b) Acquire & implement
(c) Monitor & evaluate
(d) Inspect & analyse
(e) Design & develop
(f) Evaluate & assess
(g) Develop & test
(h) Plan & organise
Answers:
(a), (b), (c), (h)
Explanation:
The four domains of COBIT are (in order): Plan & organise, Acquire & implement, Deliver & support, Monitor & evaluate.
- In software development, what is one of the primary differences between white-box & black-box testing?
(a) White-box testing provides testers with access to source code
(b) Black-box testers fully deconstruct the app to identify vulnerabilities
(c) White-box testers are limited to testing pre-defined use cases
(d) Black-box testers are typically more proficient & thorough
(e) White-box testing is done by the developers
(f) Black-box testing includes the line of business in the evaluation process
Answer:
(a) White-box testing provides testers with access to source code
Explanation:
Black-box testing, sometimes called functional testing, tests the operation of the software without looking at the code. White-box testing, sometimes called structural testing, requires access to source code. Grey-box testing is a combination of the two and involves partial knowledge.
- Software prototyping was introduced to overcome some limitations of the waterfall approach to software development. Prototyping builds successive iterations of an application that show its functionality, often focusing on systems that have a high level of user interaction. This approach to software development has many benefits. What are they? (Choose three)
(a) Missing functionality may be more quickly identified
(b) Prototypes can be reused to build the actual system
(c) Requirements analysis is reduced
(d) Defects can be identified earlier, reducing time & cost of development
(e) User feedback is quicker, allowing necessary changes to be identified sooner
(f) Flexibility of development allows project to easily expand beyond plans
Answers:
(a), (d), (e)
Explanation:
Prototyping is based on creating successive iterations of a piece of software, focusing on a handful of pieces of functionality at a time, and getting feedback from the user at each iteration. This feedback can then be taken on board as you create increasingly refined versions of the product. Benefits to this approach include gathering feedback from the user much earlier in the process, and discovering defects (things that aren’t going to work) much earlier in the process too, which reduces complexity and cost compared to discovering and fixing them right at the end of the development cycle. Increased user involvement can reduce miscommunications. Software prototyping does have some disadvantages, one of which is the potential for a lack of an understanding of the bigger picture; incomplete analysis of what the system needs to do as a whole because the focus is on delivering a prototype with a subset of features. Also there can be some confusion with the user about the difference between the prototype and the finished product; some features that appear in the prototype may not make it into the final version for various reasons, even features which the user liked, which can cause disappointment if not properly managed. One of the big disadvantages of software prototyping is the issue of feature creep; effectively you get too much feedback, and keep adding new features in at the whim of the user, which can distract from the core functionality of the product, and can have an extremely detrimental effect in terms of time & cost of development.
- A non-legally binding agreement between two or more parties agreeing to work together to achieve an objective, where the responsibilities of each party are clearly defined, is known as a:
(a) Contract
(b) Gentleman’s Agreement
(c) Service Level Agreement
(d) Memorandum of Understanding
(e) Treaty
Answer:
(d) Memorandum of Understanding
- In a Public Key Infrastructure (PKI), a certificate revocation list is a digitally-signed list of serial numbers of certificates that have been revoked by the issuing Certificate Authority (CA). There are several different methods by which the revocation status can be checked. Which of the following are revocation check methods? (Choose three)
(a) SNMPv3 query
(b) Syslog
(c) DNS TXT record query
(d) HTTP-based CRL distribution point
(e) OCSP
(f) SMTP
(g) An incremental CRL (aka Delta-CRL) issued by the CA
Answers:
(d), (e), (g)
- The Montreal Protocol, an international treaty put in place in the late 1980s, endeavours to protect the earth’s ozone layer from depletion. This includes the replacement of Halon-based fire suppression systems. Several alternative fire suppression mechanisms have been approved by the EPA. Which of the following are considered suitable Halon replacements according to the EPA’s SNAP (Significant New Alternatives Policy)? (Choose six)
(a) BFR (Brominated Flame Retardant)
(b) Carbon Dioxide (CO2)
(c) FM-200
(d) Aero K
(e) Argonite
(f) FM-100
(g) FE-13
(h) HFC-32
(i) Inergen
Answers:
(b), (c), (d), (f), (g), (i)
Explanation:
FM-100 is not approved by SNAP, and is banned by the Montreal protocol.
HFC-32 is a flammable refrigerant.
- One important criterion in the selection of a biometric authentication system is how acceptable it will be to your workforce (i.e. whether they will resist its use because they perceive it as physically intrusive). Of the following biometric types, which is the most likely to be met with strong resistance from the average user?
(a) Iris scan
(b) Hand geometry
(c) Palm scan
(d) Fingerprint scan
(e) Retina scan
(f) Voice analysis
(g) Signature dynamics
Answer:
(e) Retina scan
Explanation:
Retina scans can reveal certain health conditions, and may also involve the transfer of bodily fluids. Users also fear the safety of the “laser” light shining into their eye (actually a perfectly safe LED).