Chapter 10 ■ Practice Test 2 243
- Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben
works for the US government, he has to apply the labels Unclassified, Confidential, Secret,
and Top Secret to systems and media. If Ben is asked to label a system that handles Secret,
Confidential, and Unclassified information, how should he label it?
A. Mixed classification
B. Confidential
C. Top Secret
D. Secret
- Susan has discovered that the smart card-based locks used to keep the facility she works
at secure are not effective because staff members are propping the doors open. She places
signs on the doors reminding staff that leaving the door open creates a security issue, and
she adds alarms that will sound if the doors are left open for more than five minutes. What
type of controls has she put into place?
A. Physical
B. Administrative
C. Compensation
D. Recovery
- Ben is concerned about password cracking attacks against his system. He would like to
implement controls that prevent an attacker who has obtained those hashes from easily
cracking them. What two controls would best meet this objective?
A. Longer passwords and salting
B. Over-the-wire encryption and use of SHA1 instead of MD5
C. Salting and use of MD5
D. Using shadow passwords and salting
- Which group is best suited to evaluate and report on the effectiveness of administrative
controls an organization has put in place to a third party?
A. Internal auditors
B. Penetration testers
C. External auditors
D. Employees who design, implement, and monitor the controls
- Renee is using encryption to safeguard sensitive business secrets when in transit over the
Internet. What risk metric is she attempting to lower?
A. Likelihood
B. RTO
C. MTO
D. Impact