
Ch. 5
1. Which of the following terms best defines the sum of protection
mechanisms inside the computer, including hardware, firmware, and
software?
A. Trusted system
B. Security kernel
C. Trusted computing base
D. Security perimeter

2. Which of the following statements pertaining to protection rings is false?
A. They provide strict boundaries and definitions on what the processes
that work within each ring can access.
B. Programs operating in inner rings are usually referred to as existing in
a privileged mode.
C. They support the CIA triad requirements of multitasking operating
systems.
D. They provide users with a direct access to peripherals.

3. Which of the following places the Orange Book classifications in order
from most secure to least secure?
A. Division A, Division B, Division C, Division D
B. Division D, Division C, Division B, Division A
C. Division D, Division B, Division A, Division C
D. Division C, Division D, Division B, Division A

4. The Orange Book describes four hierarchical levels to categorize security
systems. Which of the following levels require mandatory protection?
A. Divisions A and B
B. Divisions B and C
C. Divisions A, B, and C
D. Divisions B and D

5. Which Orange Book rating represents the highest security level?
A. B1
B. B2
C. F6
D. C2

6. Which Orange Book security rating introduces security labels?
A. C2
B. B1
C. B2
D. B3

7. The Orange Book is founded upon which security policy model?
A. Biba model
B. Bell-LaPadula model
C. Clark-Wilson model
D. Common Criteria

8. The Information Technology Security Evaluation Criteria (ITSEC) was
written to address which of the following that the Orange Book did not
address?
A. Integrity and confidentiality
B. Confidentiality and availability
C. Integrity and availability
D. None of the above

9. What does CC stand for?
A. enCrypted Communication
B. Common Criteria for Information Security Evaluation
C. Certificate Creation
D. Circular Certificate rollover

10. Which of the following terms best describes a computer that uses more
than one CPU in parallel to execute instructions?
A. Multiprocessing
B. Multitasking
C. Multithreading
D. Parallel running

11. Which of the following storage types is best described as a condition in
which RAM and secondary storage are used together?
A. Primary storage
B. Secondary storage
C. Virtual storage
D. Real storage

12. Which of the following terms best describes the primary concern of the
Biba security model?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity

13. Which of the following terms is not a method to protect subjects,
objects, and the data within the objects?
A. Layering
B. Data mining
C. Abstraction
D. Data hiding

14. Which of the following terms best describes the primary concern of the
Bell-LaPadula security model?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability

15. Which of the following statements best defines a covert channel?
A. A covert channel is an undocumented back door that a programmer
has left in an operating system.
B. A covert channel is an open system port that should be closed.
C. A covert channel is a communication channel that allows transfer of
information in a manner that violates the system’s security policy.
D. A covert channel is a Trojan horse.
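
The two models asked about in questions 12 and 14, and the covert channel defined in question 15, are easier to reason about once the access checks are written out. The Python below is an added example, not part of the quiz or of the book it accompanies: a toy reference monitor that enforces Bell-LaPadula (no read up, no write down) and, for contrast, Biba (no read down, no write up) over a shared object store, followed by a TOP SECRET subject leaking a message to an UNCLASSIFIED subject through a covert storage channel (the shared "volume full" condition) even though every individual operation passes the BLP check. The level lattice, the store with its quota of eight objects, and all object names are assumptions made for the example.

```python
"""Added example (not from the quiz): toy BLP/Biba reference monitor plus a covert storage channel."""
from dataclasses import dataclass, field

# Linear lattice of sensitivity labels; constructed for the example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class AccessDenied(Exception):
    """Raised by the reference monitor when the policy forbids an access."""

@dataclass
class Store:
    """Shared volume: each object carries a label; the quota is global, unlabelled state."""
    quota: int = 8                               # constructed limit on the number of objects
    objects: dict = field(default_factory=dict)  # name -> (level, data)

def bell_lapadula_check(subject_level: str, object_level: str, mode: str) -> bool:
    """BLP protects confidentiality: no read up (simple security), no write down (*-property)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode {mode!r}")

def biba_check(subject_level: str, object_level: str, mode: str) -> bool:
    """Biba protects integrity: the mirror image of BLP, no read down and no write up."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if mode == "read":
        return s <= o
    if mode == "write":
        return s >= o
    raise ValueError(f"unknown access mode {mode!r}")

def read(store: Store, subject: str, name: str, policy=bell_lapadula_check) -> bytes:
    level, data = store.objects[name]
    if not policy(subject, level, "read"):
        raise AccessDenied(f"{subject} may not read {name} ({level})")
    return data

def write(store: Store, subject: str, name: str, level: str, data: bytes,
          policy=bell_lapadula_check) -> None:
    if not policy(subject, level, "write"):
        raise AccessDenied(f"{subject} may not write {name} ({level})")
    # The quota is shared by every level and carries no label: this is the
    # unlabelled state the covert channel below exploits.
    if name not in store.objects and len(store.objects) >= store.quota:
        raise OSError("volume full")
    store.objects[name] = (level, data)

def remove(store: Store, subject: str, name: str, policy=bell_lapadula_check) -> None:
    level, _ = store.objects[name]
    if not policy(subject, level, "write"):
        raise AccessDenied(f"{subject} may not remove {name} ({level})")
    del store.objects[name]

def direct_read_denied(store: Store) -> bool:
    # The overt path is closed: UNCLASSIFIED cannot read a TOP SECRET object.
    write(store, "TOP SECRET", "plan", "TOP SECRET", b"attack at dawn")
    try:
        read(store, "UNCLASSIFIED", "plan")
    except AccessDenied:
        return True
    return False

def send_bit(store: Store, bit: int) -> None:
    """TOP SECRET sender: 1 = exhaust the shared quota with its own objects, 0 = leave room.
    Every write and remove is at the sender's own level, so BLP permits all of them."""
    for name in [n for n in store.objects if n.startswith("ts-filler-")]:
        remove(store, "TOP SECRET", name)
    if bit:
        i = 0
        while True:
            try:
                write(store, "TOP SECRET", f"ts-filler-{i}", "TOP SECRET", b"\x00")
            except OSError:
                break
            i += 1

def receive_bit(store: Store) -> int:
    """UNCLASSIFIED receiver: probe the quota with a write at its own level (also BLP-legal)."""
    try:
        write(store, "UNCLASSIFIED", "probe", "UNCLASSIFIED", b"")
    except OSError:
        return 1
    remove(store, "UNCLASSIFIED", "probe")
    return 0

def leak(store: Store, secret: bytes) -> bytes:
    """Push `secret` across the channel one bit at a time and return what the receiver saw."""
    bits = [(byte >> (7 - k)) & 1 for byte in secret for k in range(8)]
    seen = []
    for bit in bits:
        send_bit(store, bit)
        seen.append(receive_bit(store))
    return bytes(int("".join(map(str, seen[i:i + 8])), 2) for i in range(0, len(seen), 8))

if __name__ == "__main__":
    vol = Store()
    print("direct read denied:", direct_read_denied(vol))
    print("leaked via quota:", leak(vol, b"Hi"))
```

Both subjects stay within the Bell-LaPadula rules and the monitor never misfires, yet the message crosses the boundary through shared state that carries no label. That is the point of the definition in question 15: the violation is of the security policy, not of any single access check, which is why evaluated systems must analyse and bound such channels rather than rely on label enforcement alone.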

Ch. 6
1. Which of the following statements is not true about the BCP and DRP?
A. Both plans deal with security infractions after they occur.
B. Both plans describe preventative, not reactive, security procedures.
C. The BCP and DRP share the goal of maintaining “business as usual”
activities.
D. They belong to the same domain of the Common Body of Knowledge.

2. According to the Gartner Group, which of the following statements is
true?
A. Organizations with sound business continuity plans will never
experience an interruption of business.
B. Approximately 40 percent of businesses experiencing a disaster of
some sort go out of business.
C. The BCP and DRP are interchangeable in most organizations.
D. Organizations with fewer than 100 employees generally do not need a
DRP.

3. Place the following steps of the BCP in the correct sequence: (a) create
the BIA; (b) obtain signoff of the tested BCP; (c) identify the scope of the
BCP; (d) write the BCP:
A. a, c, d, b
B. c, b, a, d
C. c, a, d, b
D. d, b, c, a

4. Which of the following statements best explains why the BCP is
important?
A. The BCP is important because it minimizes disruption in business
continuity.
B. The BCP is important because it eliminates risk in an organization.
C. The BCP is important because it has spawned a new cottage industry
for business planning experts.
D. The BCP is important because the public will be unaware of problems
within the organization.

5. Which of the following statements best describes the purpose of the BIA?
A. The purpose of the BIA is to create a document that helps
management understand the impact a disruptive event would have on
the business.
B. The purpose of the BIA is to define a strategy that minimizes the
effect of disturbances and to allow for the resumption of business
processes.
C. The purpose of the BIA is to emphasize the organization’s commitment
to employees and vendors.
D. The purpose of the BIA is to work with executive management to
develop a DRP.

6. The scope definition of the BCP should include all of the following except:
A. Prioritizing critical business processes
B. Calculating the value and cost of continuing important business
processes
C. Performing a dry run of emergency fire and medical evacuation
procedures
D. Assessing the cost to the business if critical services were disrupted

7. Which of the following events is considered a man-made disaster?
A. Earthquake
B. Tornado
C. Flooding caused by a broken water main
D. Labor walkout

8. Which of the following is the number one priority of disaster response?
A. Hardware protection
B. Software protection
C. Transaction processing
D. Personnel safety

9. Which of the following is not a benefit of cold sites?
A. No resource contention with other organizations
B. Quick recovery
C. Geographical location that is not affected by the same disaster
D. Low cost

10. Which of the following computer recovery sites is only partially
equipped?
A. Nonmobile hot site
B. Mobile hot site
C. Warm site
D. Cold site

11. An organization short on funding but long on its ability to assume risk
would most likely use which of the following recovery sites?
A. Alternate site
B. Cold site
C. Global site
D. Tepid site

12. Which of the following is an advantage of using hot sites as a backup
alternative?
A. The costs associated with hot sites are low.
B. Hot sites can be made ready for operation within a short period of
time.
C. Hot sites can be used for an extended amount of time.
D. Hot sites do not require that equipment and systems software be
compatible with the primary installation being backed up.

13. Which of the following is considered the main disadvantage of using
multiple centers as a recovery site?
A. Multiple centers are more difficult to administer than other types of
recovery sites.
B. Multiple sites share processing.
C. Multiple centers offer redundant processing.
D. Services can be shared between in-house and outside services.

14. Which of the following statements best describes a mobile unit site?
A. A mobile unit site is a convenient means for employees to give blood.
B. A mobile unit site is a fully equipped recovery site on wheels.
C. A mobile unit site is a SWAT team that provides first-response
services.
D. A mobile unit site is a backup power supply, typically a diesel or
gasoline generator.

15. Which of the following statements best describes the primary goal of the
DRP?
A. The primary goal of the DRP is to alarm employees as a call to arms.
B. The primary goal of the DRP is to protect the image of the
organization.
C. The primary goal of the DRP is to educate employees about emergency
evacuation procedures.
D. The primary goal of the DRP is to reassure employees that the
organization puts their safety above all else.

16. Which of the following is considered the most extensive type of disaster
recovery testing?
A. Checklists
B. Full interruption
C. Simulation
D. Parallel testing

Ch. 7
1. Business losses that result from computer crime are difficult to estimate
for which of the following reasons?
A. Companies are not always aware that their computer systems have
been compromised.
B. Companies are sometimes reluctant to report computer crime because
it is bad advertising.
C. Losses are often difficult to quantify.
D. All of the above.

2. According to the 2013 Verizon Data Breach Investigations Report, what
percentage of breaches were driven by financial motives?
A. 75 percent
B. 30 percent
C. 10 percent
D. 90 percent

3. The CISSP categorizes computer attacks by type. Which of the following
is not one of the categories identified by the CISSP?
A. Terrorist attack
B. Thrill attack
C. Subterfuge attack
D. Business attack

4. Which type of individual is most likely to perform a grudge attack?
A. An employee who feels that his employer has mistreated him
B. A political exile
C. A member of Anonymous
D. All of the above

5. Computer crime is generally made possible by which of the following?
A. The perpetrator’s obtaining advanced training and special knowledge
B. The victim’s carelessness
C. Collusion with others in information processing
D. System design flaws

6. The computer criminal who calls a help desk trying to obtain another
user’s password is most likely a _____.
A. Dumpster diver
B. Black-hat hacker
C. Social engineer
D. Spammer

7. Which of the following computer crimes involves overtaxing a computer’s
resources until it is no longer functional?
A. IP address spoofing
B. Denial of service (DoS)
C. Rogue code
D. Information warfare

8. We inherited which of our legal systems from England?
A. Administrative law
B. Patent law
C. Common law
D. Byways

9. Computer laws have become increasingly difficult to enforce for which of
the following reasons?
A. The inability of legislation in the United States to keep pace with
technological advances
B. The globalization of the economy, resulting in unclear international
legal boundaries
C. Conflicting security standards within the United States and between
the United States and other nations
D. All of the above

10. Which of the following statements best describes natural justice?
A. Natural justice is primitive and, thus, “natural.”
B. Natural justice is enforced by judge and jury.
C. Natural justice is considered self-evident and thus requires no
statutes.
D. Natural justice is unsuited for arbitration.

11. The Patent and Trademark Office (PTO) resisted patenting software for
years for what primary reason?
A. Software was too intangible.
B. Software was the product of scientific truth or mathematical
expressions.
C. The average shelf life of software was estimated to be less than the
lifespan of a patent (17 years).
D. It was too interconnected with the computer’s operating system.

12. Which of the following statements is true about a trade secret?
A. It offers legal protection just as a trademark does.
B. It is a patent in the works.
C. It is widely known but rarely discussed.
D. All of the above.

13. Which of the following is not one of the FTC’s four Fair Information
Practices?
A. Individuals should be given the choice of opting out when sharing
personal information.
B. Personal information should be accurate and stored securely.
C. Websites must have 100 percent availability, in case users want to
change their personal information.
D. Websites must tell users how their personal information will be used
and notify them of any changes to that policy.

14. Which of the following statements best reflects the European Union Data
Protection Directive of 1998?
A. The United States was exempted from privacy standards in the E.U.
B. The directive’s goal was to standardize privacy protection among the
E.U. members.
C. It resulted in the Safe Harbor Privacy Principles that allowed the
United States to meet minimum privacy controls in the European
Union.
D. Both B and C are correct.

15. Which of the following definitions best describes computer forensics?
A. Using computers to investigate crime
B. Investigating crimes committed using computers
C. Probing the operating system for signs of malfeasance
D. Predicting behaviors of cybercriminals

16. Which of the following statements best describes the intentions of the
(ISC)2 Code of Ethics?
A. The (ISC)2 Code of Ethics helps certificate holders resolve dilemmas
related to their practice.
B. The (ISC)2 Code of Ethics provides guidance on encouraging good
behavior.
C. The (ISC)2 Code of Ethics provides guidance on discouraging poor
behavior.
D. All of the above.

17. Which of the following statements is true of ethical conduct?
A. Ethical conduct is expected of all IS specialists.
B. Ethical conduct helps define a high moral code of professional
behavior.
C. Ethical conduct speaks to the credibility of the individual.
D. All of the above.

18. Which of the following is not one of the provisions of the (ISC)2 Code of
Ethics?
A. Act honorably, responsibly, and legally.
B. Provide thorough and competent service to your customers and peers.
C. Judge not, lest you be judged.
D. Strive to protect society and its components.