Chapter 10: Practice Test 2 423
- C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
- B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers, who are not liable for the “transitory activities” of their customers.
- C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor, such as a password, to authenticate users. CAC and PIV cards are US government–issued smartcards.
- B. A nondisclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
- A. Multitasking handles multiple processes on a single processor by having the operating system switch between them. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.
- C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.
- C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
- D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
- D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
- C. She has put compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an issue and are thus not recovery controls.