21. Janet is identifying the set of privileges that should be assigned to a new employee in her organization. Which phase of the access control process is she performing?
A. Identification
B. Authentication
C. Accountability
D. Authorization
22. Which of the following would NOT be considered in the scope of organizational compliance efforts?
A. Laws
B. Company policy
C. Internal audit
D. Corporate culture
23. Mark is considering outsourcing security functions to a third-party service provider. What benefit is he most likely to achieve?
A. Reduced operating costs
B. Access to a high level of expertise
C. Developing in-house talent
D. Building internal knowledge
24. What is NOT a good practice for developing strong professional ethics?
A. Set the example by demonstrating ethics in daily activities
B. Encourage adopting ethical guidelines and standards
C. Assume that information should be free
D. Inform users through security awareness training
25. Karen is designing a process for issuing checks and decides that one group of users will have the authority to create new payees in the system while a separate group of users will have the authority to issue checks to those payees. The intent of this control is to prevent fraud. Which principle is Karen enforcing?
A. Job rotation
B. Least privilege
C. Need-to-know
D. Separation of duties
26. What is NOT a goal of information security awareness programs?
A. Teach users about security objectives
B. Inform users about trends and threats in security
C. Motivate users to comply with security policy
D. Punish users who violate policy
27. Ann is creating a template for the configuration of Windows servers in her organization. It includes the basic security settings that should apply to all systems. What type of document should she create?
A. Baseline
B. Policy
C. Guideline
D. Procedure
28. Aditya is attempting to classify information regarding a new project that his organization will undertake in secret. Which characteristic is NOT normally used to make these types of classification decisions?
A. Value
B. Sensitivity
C. Criticality
D. Threat
29. Marguerite is creating a budget for a software development project. What phase of the system life cycle is she undertaking?
A. Project initiation and planning
B. Functional requirements and definition
C. System design specification
D. Operations and maintenance
30. In an accreditation process, who has the authority to approve a system for implementation?
A. Certifier
B. Authorizing official (AO)
C. System owner
D. System administrator
Question 21:
The process of providing access privileges to each employee of an organization is called authorization. The employee having these privileges will authenticate himself or herself and can then use these privileges.
Hence, the correct choice is authorization.
Question 22:
The laws are not governed by the organizational compliance programme. The compliance programme may require legal actions to identify the risks and frauds. The laws are not in the scope of this programme.
Hence, the correct choice is laws.
Question 23:
The third-party service provider can handle security functions more effectively and the cost to operate these functions will be of third-party service providers. The service providers have expertise in their work.
Hence, the correct choice is access to a high level of expertise.
Question 24:
The practices of good professional ethics are as follows:
The users should not assume anything themselves. It could lead to unethical behavior. The third point is an assumption which leads the users to unethical behavior.
Hence, the correct choice is assume that information should be free.
Question 25:
This type of control is used to prevent fraud. If a main activity is performed by all the users, then there will be a great chance of leaking some confidential information which could lead to a loss for the organization.
If an activity is separated into multiple tasks which will be performed by different groups of users, then the work will be performed more efficiently. This process is called separation of duties.
Hence, the correct choice is separation of duties.
Question 26:
The security awareness programs can provide information about the importance of the security standards and breach of these security standards.
The punishment of users who violate the security policies is not included in the security awareness programs. It is the step after the violation of the policy.
Hence, the correct choice is punish users who violate policy.
Question 27:
A template containing the information about configuration will be created using a baseline model in which the starting information will be provided.
Hence, the correct choice is baseline.
Question 28:
The threat is not the ethical way of doing things in an organization. The classification of information can be based on value, sensitivity, and criticality of the information but not on the threat to anyone.
Hence, the correct choice is threat.
Question 29:
The budget analysis of a project is a part of the planning phase. The project will not be successful without analyzing the budget requirement of the project accurately. The budget analysis, objectives, etc. of a project need to be done in the planning and initiation phase.
Hence, the correct choice is project initiation and planning.
Question 30:
The authorization officials have rights to approve the system for implementation because it is important to take approval before implementing a system.
Hence, the correct choice is authorizing officials.