SAMPLE TEST
Domain 1
1. The Computer Security Policy Model the Orange Book is based on is: 1
the Bell-LaPadula Model
the Data Encryption Standard (DES)
Kerberos
Tempest
2. Which of the following is needed for System Accountability? 1
audit mechanisms
documented design as laid out in the Common Criteria
authorization
Formal verification of system design
3. Proper separation of duties involves situations where: 1
programmers are not permitted access to production data files
programmers are permitted to use the system console
console operators are permitted to mount tapes and disks
tape operators are permitted to use the system console
4. A potential problem with an iris pattern biometric system is: 4
concern that the laser beam may cause eye damage
the iris pattern changes as a person grows older
there is a relatively high rate of false accepts
the optical unit must be positioned so that the sun does not shine into the aperture
5. A TCP SYN attack: 2
requires a synchronized effort by multiple attackers
takes advantage of the way a TCP session is established
may result in elevation of privileges
is not something system users would notice
Domain 2
5. The OSI model contains seven layers. TCP/IP is generally accepted as having
how many layers? 1
four
five
six
eight
6. Frame relay and X.25 networks are part of: 3
Circuit-switched services
Cell-switched services
Packet-switched services
Dedicated digital services
7. Which of the following items should not be retained in an E-mail Directory? 3
Drafts of documents
Copies of documents
Permanent Records
Temporary Documents
8. You are running a packet sniffer on a network and see a packet with a long string of "90 90 90 90...." in the middle of it traveling to an x86-based machine. This could be indicative of what? 4
Over-subscription of the traffic on a backbone
A source quench packet
A FIN scan
A buffer overflow
9. In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network? 3
The first bit of the IP address would be set to zero
The first bit of the IP address would be set to one and the second bit set to zero
The first two bits of the IP address would be set to one, and the third bit set to zero
The first three bits of the IP address would be set to one
10. Which one of the following benefits resulting from the use of secure gateways (firewalls) is not true: 2
reduces the risks from malicious hackers
prevents the spread of viruses
reduces the threat level on internal system
allows centralized management and control of services
Domain 3
11. Who should measure the effectiveness of security related controls in an organization: 3
the local security specialist
the business manager
the systems auditor
the central security manager
12. A deviation from an organization-wide security policy means: 1
risk acceptance
risk assignment
risk reduction
risk containment
13. Which of the following groups represents the leading source of computer crime losses: 4
hackers
industrial saboteurs
foreign intelligence officers
employees
14. The control of communications test equipment should be clearly addressed by security policy because the equipment: 2
is easily damaged
can be used to browse information passing on a network
is difficult to replace if lost or stolen
must always be available for the maintenance personnel
15. Which of the following is the best reason for the use of an automated risk analysis tool: 4
much of the data gathered during the review cannot be reused for subsequent analyses
automated methodologies require minimal training and knowledge of risk analysis
most software tools have user interfaces that are easy to use
minimal information gathering is required due to the amount of information built into the tool
Domain 4
16. Which of the following can be used as a covert channel? 1
Storage and timing
Storage and low bits
Storage and permissions
Storage and classification
17. A department manager has read access to the salaries of the employees in
his/her department but not to the salaries of employees in other departments.
A database security mechanism that enforces this policy would typically be
said to provide: 1
content-dependent access control
context-dependent access control
least privileges access control
ownership-based access control
18. A security evaluation report and an accreditation statement are produced in
which of the following phases of the system development life cycle: 4
requirements definition phase
design phase
development phase
testing phase
19. Which of the following is an advantage of using a high-level programming language: 4
it decreases the total amount of code written
it allows programmers to define syntax
it requires programmer-controlled storage management
it enforces coding standards
20. "System Integrity" means what? 3
The software of the system has been implemented as designed
Users can't tamper with processes they do not own
Hardware and firmware have undergone periodic testing to verify that they are functioning properly
Design specifications have been verified against the formal top level specification
Domain 5
21. Which one of the following statements about digital signatures is not true: 2
it enhances authentication
it makes repudiation by the sender possible
it prevents non-repudiation by the receiver
it makes repudiation by the sender impossible
22. Kerberos depends upon what encryption method? 2
Public Key cryptography
Private Key cryptography
El Gamal cryptography
Blowfish cryptography
23. Which of the following threats is not addressed by digital signature and token
technologies: 4
spoofing
replay attacks
password compromise
denial-of-service
24. The DES algorithm is an example of what type of cryptography? 1
Secret Key
Two-key
Asymmetric Key
Public Key
25. The DES encryption scheme has which of the following pairs of characteristics: 1
1. a secret key encryption algorithm
2. a public key encryption algorithm
3. a symmetric key distribution system
4. an asymmetric key distribution system
1 and 3
1 and 4
2 and 3
2 and 4
Domain 6
26. In Mandatory Access Control, sensitivity labels contain what information? 2
the item's classification
the item's classification and category set
the item's classification, category and compartment
the item's classification and its compartment
27. An information architecture does not address which of the following: 1
archiving of data
collection of data
management of data
use of data
28. What mechanism does a system use to compare the security labels of a subject
and an object? 2
Validation Module
Reference Monitor
Clearance Check
Security Module
29. Which of the following virus types changes some of its characteristics as it
spreads: 4
boot sector
parasitic
stealth
polymorphic
30. Which Orange Book evaluation level is described as "Structured Protection"? 3
A1
B3
B2
B1
Domain 7
31. The number of violations that will be accepted or forgiven before a violation
record is produced is called the: 1
clipping level
acceptance level
forgiveness level
water level
32. It is a violation of the "separation of duties" principle when which of the
following individuals access the security systems software: 4
security administrator
security analyst
systems auditor
systems programmer
33. Operations Security seeks to primarily protect against: 4
object reuse
facility disaster
compromising emanations
asset threats
34. All of the following are examples of operational controls except: 2
backup and recovery
audit trails
contingency planning
operations procedures
35. Operation security requires the implementation of physical security to control: 1
unauthorized personnel access
incoming hardware
contingency conditions
evacuation procedures
Domain 8
36. Which one of the following represents an ALE calculation: 1
single loss expectancy x annualized rate of occurrence
gross loss expectancy x loss frequency
actual replacement cost - proceeds of salvage
asset value x loss expectancy
37. Which of the following *must* be at a "hot site"? 1
Backup data, computers, climate control, cables and peripherals
Computers and peripherals
Computers, peripherals, and dedicated climate control systems
Dedicated climate control systems
38. Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan: 1
unlikely to be affected by the same contingency
close enough to become operational quickly
close enough to serve its users
convenient to airports and hotels
39. Which of the following backup sites is most effective for disaster recovery: 2
Time brokers
Hot sites
Cold sites
Reciprocal Agreement
40. Prior to a live disaster test, which of the following is most important: 4
restore all files in preparation for the test
document expected findings
arrange physical security for the test site
conduct a successful structured walk-through
Domain 9
41. Computer crime is generally made possible by: 2
the perpetrator obtaining advanced training & special knowledge
victim carelessness
collusion with others in information processing
system design flaws
42. All of the following can be coordinated with computer incident handling except: 1
system development activity
help-desk function
system backup function
risk management process
43. The typical computer felon is usually a person: 3
with previous contact with law enforcement
who conspires with others
who holds a position of trust
who deviates from the accepted norms of society
44. The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: 4
moral
ethical
legal
control
45. Concern that federal agencies were not protecting information obtained on US
citizens caused Congress to enact a law known as the: 4
Computer Security Act of 1987
Computer Fraud and Abuse Act of 1986
Brooks Act of 1975
The Privacy Act of 1974
Domain 10
46. Which is the last line of defense in a physical security sense: 1
people
interior barriers
exterior barriers
perimeter barriers
47. Devices that supply power when the commercial utility power system fails are called: 2
power conditioners
uninterruptible power supplies
power filters
power dividers
48. What physical characteristic does a retinal scan biometric device measure: 4
the amount of light reaching the retina
the amount of light reflected by the retina
the pattern of light receptors at the back of the eye
the pattern of blood vessels at the back of the eye
49. Under what conditions would the use of a Class C fire extinguisher be
preferable to a Class A extinguisher: 3
when the fire involves paper products
when the fire is caused by flammable products
when the fire involves electrical equipment
when the fire is in an enclosed area
50. Guards are appropriate whenever the function required by the security program involves: 1
the use of discriminating judgement
the use of physical force
the operation of access control devices
the need to detect unauthorized access